From 6e13afa50400f80d04028e938b0158842c9b15ef Mon Sep 17 00:00:00 2001 From: Jayesh Prajapati Date: Sun, 30 Jul 2023 12:33:33 +0530 Subject: [PATCH 1/4] ASIM Network Session schema parser with its sample and test data for SentinelOne. --- .../CustomTables/SentinelOne_CL.json | 896 ++++++++++++++++++ .../Parsers/ASimNetworkSession.yaml | 2 +- .../ASimNetworkSessionSentinelOne.yaml | 100 ++ .../Parsers/imNetworkSession.yaml | 2 +- .../Parsers/vimNetworkSessionSentinelOne.yaml | 175 ++++ ...entinelOne_ASimNetworkSession_DataTest.csv | 8 + ...tinelOne_ASimNetworkSession_SchemaTest.csv | 114 +++ ...SentinelOne_vimNetworkSession_DataTest.csv | 8 + ...ntinelOne_vimNetworkSession_SchemaTest.csv | 112 +++ ...nelOne_ASimNetworkSession_IngestedLogs.csv | 21 + Sample Data/ASIM/SentinelOne_CL_Schema.csv | 313 ++++++ 11 files changed, 1749 insertions(+), 2 deletions(-) create mode 100644 Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionSentinelOne.yaml create mode 100644 Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml create mode 100644 Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_DataTest.csv create mode 100644 Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_SchemaTest.csv create mode 100644 Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_DataTest.csv create mode 100644 Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_SchemaTest.csv create mode 100644 Sample Data/ASIM/SentinelOne_ASimNetworkSession_IngestedLogs.csv create mode 100644 Sample Data/ASIM/SentinelOne_CL_Schema.csv diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json index c88a505bedd..a240d92d89b 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json 
@@ -388,6 +388,902 @@ { "Name": "_ResourceId", "Type": "string" + }, + { + "Name": "alertInfo_indicatorDescription_s", + "Type": "string" + }, + { + "Name": "alertInfo_indicatorName_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileOldPath_s", + "Type": "string" + }, + { + "Name": "alertInfo_indicatorCategory_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryOldValue_g", + "Type": "string" + }, + { + "Name": "alertInfo_dstIp_s", + "Type": "string" + }, + { + "Name": "alertInfo_dstPort_s", + "Type": "string" + }, + { + "Name": "alertInfo_netEventDirection_s", + "Type": "string" + }, + { + "Name": "alertInfo_srcIp_s", + "Type": "string" + }, + { + "Name": "alertInfo_srcPort_s", + "Type": "string" + }, + { + "Name": "containerInfo_id_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileId_g", + "Type": "string" + }, + { + "Name": "alertInfo_registryOldValue_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryOldValueType_s", + "Type": "string" + }, + { + "Name": "alertInfo_dnsRequest_s", + "Type": "string" + }, + { + "Name": "alertInfo_dnsResponse_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryKeyPath_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryPath_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryValue_g", + "Type": "string" + }, + { + "Name": "ruleInfo_description_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryValue_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginAccountDomain_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginAccountSid_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginIsAdministratorEquivalent_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginIsSuccessful_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginType_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginsUserName_s", + "Type": "string" + }, + { + "Name": "alertInfo_srcMachineIp_s", + "Type": "string" + }, + { + "Name": 
"targetProcessInfo_tgtProcCmdLine_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcImagePath_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcName_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcPid_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcSignedStatus_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcStorylineId_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcUid_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_storyline_g", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_uniqueId_g", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_storyline_g", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_uniqueId_g", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcStorylineId_g", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcUid_g", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_machineType_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_name_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_osFamily_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_osName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_osRevision_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_uuid_g", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_version_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_id_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_infected_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_isActive_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_isDecommissioned_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_machineType_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_name_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_os_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_uuid_g", + "Type": "string" + }, 
+ { + "Name": "alertInfo_alertId_s", + "Type": "string" + }, + { + "Name": "alertInfo_analystVerdict_s", + "Type": "string" + }, + { + "Name": "alertInfo_createdAt_t", + "Type": "datetime" + }, + { + "Name": "alertInfo_dvEventId_s", + "Type": "string" + }, + { + "Name": "alertInfo_eventType_s", + "Type": "string" + }, + { + "Name": "alertInfo_hitType_s", + "Type": "string" + }, + { + "Name": "alertInfo_incidentStatus_s", + "Type": "string" + }, + { + "Name": "alertInfo_isEdr_b", + "Type": "bool" + }, + { + "Name": "alertInfo_reportedAt_t", + "Type": "datetime" + }, + { + "Name": "alertInfo_source_s", + "Type": "string" + }, + { + "Name": "alertInfo_updatedAt_t", + "Type": "datetime" + }, + { + "Name": "ruleInfo_id_s", + "Type": "string" + }, + { + "Name": "ruleInfo_name_s", + "Type": "string" + }, + { + "Name": "ruleInfo_queryLang_s", + "Type": "string" + }, + { + "Name": "ruleInfo_queryType_s", + "Type": "string" + }, + { + "Name": "ruleInfo_s1ql_s", + "Type": "string" + }, + { + "Name": "ruleInfo_scopeLevel_s", + "Type": "string" + }, + { + "Name": "ruleInfo_severity_s", + "Type": "string" + }, + { + "Name": "ruleInfo_treatAsThreat_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_commandline_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileHashMd5_g", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileHashSha1_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileHashSha256_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_filePath_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileSignerIdentity_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_integrityLevel_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_name_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_pid_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_pidStarttime_t", + "Type": "datetime" + }, + { + "Name": 
"sourceParentProcessInfo_storyline_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_subsystem_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_uniqueId_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_user_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_commandline_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileHashMd5_g", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileHashSha1_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileHashSha256_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_filePath_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileSignerIdentity_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_integrityLevel_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_name_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_pid_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_pidStarttime_t", + "Type": "datetime" + }, + { + "Name": "sourceProcessInfo_storyline_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_subsystem_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_uniqueId_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_user_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileCreatedAt_t", + "Type": "datetime" + }, + { + "Name": "targetProcessInfo_tgtFileHashSha1_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileHashSha256_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileId_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileIsSigned_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileModifiedAt_t", + "Type": "datetime" + }, + { + "Name": "targetProcessInfo_tgtFilePath_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcIntegrityLevel_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcessStartTime_t", + "Type": "datetime" + }, 
+ { + "Name": "agentUpdatedVersion_s", + "Type": "string" + }, + { + "Name": "agentId_s", + "Type": "string" + }, + { + "Name": "hash_s", + "Type": "string" + }, + { + "Name": "osFamily_s", + "Type": "string" + }, + { + "Name": "threatId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_accountId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_accountName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentDetectionState_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentDomain_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentIpV4_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentIpV6_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentLastLoggedInUserName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentMitigationMode_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentOsName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentOsRevision_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentRegisteredAt_t", + "Type": "datetime" + }, + { + "Name": "agentDetectionInfo_agentUuid_g", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentVersion_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_externalIp_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_groupId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_groupName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_siteId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_siteName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_accountId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_accountName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_activeThreats_d", + "Type": "real" + }, + { + "Name": "agentRealtimeInfo_agentComputerName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentDomain_s", + "Type": "string" + }, + { + 
"Name": "agentRealtimeInfo_agentId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentInfected_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_agentIsActive_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_agentIsDecommissioned_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_agentMachineType_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentMitigationMode_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentNetworkStatus_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentOsName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentOsRevision_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentOsType_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentUuid_g", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentVersion_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_groupId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_groupName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_networkInterfaces_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_operationalState_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_rebootRequired_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_scanFinishedAt_t", + "Type": "datetime" + }, + { + "Name": "agentRealtimeInfo_scanStartedAt_t", + "Type": "datetime" + }, + { + "Name": "agentRealtimeInfo_scanStatus_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_siteId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_siteName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_userActionsNeeded_s", + "Type": "string" + }, + { + "Name": "indicators_s", + "Type": "string" + }, + { + "Name": "mitigationStatus_s", + "Type": "string" + }, + { + "Name": "threatInfo_analystVerdict_s", + "Type": "string" + }, + { + "Name": "threatInfo_analystVerdictDescription_s", + "Type": "string" + }, + { + "Name": 
"threatInfo_automaticallyResolved_b", + "Type": "bool" + }, + { + "Name": "threatInfo_certificateId_s", + "Type": "string" + }, + { + "Name": "threatInfo_classification_s", + "Type": "string" + }, + { + "Name": "threatInfo_classificationSource_s", + "Type": "string" + }, + { + "Name": "threatInfo_cloudFilesHashVerdict_s", + "Type": "string" + }, + { + "Name": "threatInfo_collectionId_s", + "Type": "string" + }, + { + "Name": "threatInfo_confidenceLevel_s", + "Type": "string" + }, + { + "Name": "threatInfo_createdAt_t", + "Type": "datetime" + }, + { + "Name": "threatInfo_detectionEngines_s", + "Type": "string" + }, + { + "Name": "threatInfo_detectionType_s", + "Type": "string" + }, + { + "Name": "threatInfo_engines_s", + "Type": "string" + }, + { + "Name": "threatInfo_externalTicketExists_b", + "Type": "bool" + }, + { + "Name": "threatInfo_failedActions_b", + "Type": "bool" + }, + { + "Name": "threatInfo_fileExtension_s", + "Type": "string" + }, + { + "Name": "threatInfo_fileExtensionType_s", + "Type": "string" + }, + { + "Name": "threatInfo_filePath_s", + "Type": "string" + }, + { + "Name": "threatInfo_fileSize_d", + "Type": "real" + }, + { + "Name": "threatInfo_fileVerificationType_s", + "Type": "string" + }, + { + "Name": "threatInfo_identifiedAt_t", + "Type": "datetime" + }, + { + "Name": "threatInfo_incidentStatus_s", + "Type": "string" + }, + { + "Name": "threatInfo_incidentStatusDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_initiatedBy_s", + "Type": "string" + }, + { + "Name": "threatInfo_initiatedByDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_isFileless_b", + "Type": "bool" + }, + { + "Name": "threatInfo_isValidCertificate_b", + "Type": "bool" + }, + { + "Name": "threatInfo_mitigatedPreemptively_b", + "Type": "bool" + }, + { + "Name": "threatInfo_mitigationStatus_s", + "Type": "string" + }, + { + "Name": "threatInfo_mitigationStatusDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_originatorProcess_s", 
+ "Type": "string" + }, + { + "Name": "threatInfo_pendingActions_b", + "Type": "bool" + }, + { + "Name": "threatInfo_processUser_s", + "Type": "string" + }, + { + "Name": "threatInfo_publisherName_s", + "Type": "string" + }, + { + "Name": "threatInfo_reachedEventsLimit_b", + "Type": "bool" + }, + { + "Name": "threatInfo_rebootRequired_b", + "Type": "bool" + }, + { + "Name": "threatInfo_sha1_s", + "Type": "string" + }, + { + "Name": "threatInfo_storyline_s", + "Type": "string" + }, + { + "Name": "threatInfo_threatId_s", + "Type": "string" + }, + { + "Name": "threatInfo_threatName_s", + "Type": "string" + }, + { + "Name": "threatInfo_updatedAt_t", + "Type": "datetime" + }, + { + "Name": "whiteningOptions_s", + "Type": "string" + }, + { + "Name": "threatInfo_maliciousProcessArguments_s", + "Type": "string" + }, + { + "Name": "threatInfo_fileExtension_g", + "Type": "string" + }, + { + "Name": "threatInfo_threatName_g", + "Type": "string" + }, + { + "Name": "threatInfo_storyline_g", + "Type": "string" + }, + { + "Name": "activityUuid_g", + "Type": "string" + }, + { + "Name": "secondaryDescription_s", + "Type": "string" + }, + { + "Name": "DataFields_s", + "Type": "string" + }, + { + "Name": "description_s", + "Type": "string" + }, + { + "Name": "comments_s", + "Type": "string" + }, + { + "Name": "detectionState_s", + "Type": "string" + }, + { + "Name": "firstFullModeTime_t", + "Type": "datetime" + }, + { + "Name": "fullDiskScanLastUpdatedAt_t", + "Type": "datetime" + }, + { + "Name": "serialNumber_s", + "Type": "string" + }, + { + "Name": "showAlertIcon_b", + "Type": "bool" + }, + { + "Name": "tags_sentinelone_s", + "Type": "string" + }, + { + "Name": "osUsername_s", + "Type": "string" + }, + { + "Name": "scanAbortedAt_t", + "Type": "datetime" } ] } \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml index 23f0ff8dc39..1de3c05059e 100644 
--- a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml
@@ -75,6 +75,6 @@ ParserQuery: |
 , ASimNetworkSessionMicrosoftSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSysmon' in (DisabledParsers) ))
 , ASimNetworkSessionForcePointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionForcePointFirewall' in (DisabledParsers) ))
 , ASimNetworkSessionNative (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionNative' in (DisabledParsers) ))
- , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))
+ , ASimNetworkSessionSentinelOne (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSentinelOne' in (DisabledParsers) ))
 };
 NetworkSessionsGeneric (pack=pack)
diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionSentinelOne.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionSentinelOne.yaml
new file mode 100644
index 00000000000..150be2a66da
--- /dev/null
+++ b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionSentinelOne.yaml
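Review bot: The SentinelOne entry is added by replacing the `ASimNetworkSessionCiscoMeraki` line rather than by appending a new line, so once this merges the Cisco Meraki source silently disappears from the `ASimNetworkSession` union; nothing else in the diffstat removes or renames the Meraki parser, so this looks accidental. Keep the removed line as context and add the new one after it: `, ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))` followed by `, ASimNetworkSessionSentinelOne (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSentinelOne' in (DisabledParsers) ))`, which makes the hunk `@@ -75,6 +75,7 @@`. The enclosing `let NetworkSessionsGeneric` union starts above this hunk.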
@@ -0,0 +1,100 @@
+Parser:
+ Title: Network Session ASIM filtering parser for SentinelOne
+ Version: '0.1.1'
+ LastUpdated: Jul 27 2023
+Product:
+ Name: SentinelOne
+Normalization:
+ Schema: NetworkSession
+ Version: '0.2.6'
+References:
+- Title: ASIM Network Session Schema
+ Link: https://aka.ms/ASimNetworkSessionDoc
+- Title: ASIM
+ Link: https:/aka.ms/AboutASIM
+- Title: SentinelOne Documentation
+- Link: https://.sentinelone.net/api-doc/overview
+Description: |
+ This ASIM parser supports normalizing SentinelOne logs to the ASIM Network Session normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API.
+ParserName: ASimNetworkSessionSentinelOne
+EquivalentBuiltInParser: _Im_NetworkSession_SentinelOne
+ParserParams:
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery: |
+ let NetworkDirectionLookup = datatable (
+ alertInfo_netEventDirection_s: string,
+ NetworkDirection: string
+ )[
+ "OUTGOING", "Outbound",
+ "INCOMING", "Inbound",
+ ];
+ let parser = (disabled: bool=false) {
+ SentinelOne_CL
+ | where not(disabled)
+ and event_name_s == "Alerts."
+ and alertInfo_eventType_s == "TCPV4"
+ | lookup NetworkDirectionLookup on alertInfo_netEventDirection_s
+ | extend
+ DstPortNumber = toint(alertInfo_dstPort_s),
+ SrcPortNumber = toint(alertInfo_srcPort_s),
+ AdditionalFields = bag_pack(
+ "MachineType",
+ agentDetectionInfo_machineType_s,
+ "OsRevision",
+ agentDetectionInfo_osRevision_s
+ )
+ | project-rename
+ EventStartTime = sourceProcessInfo_pidStarttime_t,
+ DstIpAddr = alertInfo_dstIp_s,
+ DvcHostname = agentDetectionInfo_name_s,
+ EventUid = _ResourceId,
+ SrcIpAddr = alertInfo_srcIp_s,
+ DvcId = agentDetectionInfo_uuid_g,
+ DvcOs = agentDetectionInfo_osName_s,
+ DvcOsVersion = agentDetectionInfo_version_s,
+ EventOriginalSeverity = ruleInfo_severity_s,
+ EventOriginalUid = alertInfo_dvEventId_s,
+ SrcProcessName = sourceProcessInfo_name_s,
+ SrcProcessId = sourceProcessInfo_pid_s,
+ SrcUsername = sourceProcessInfo_user_s
+ | extend
+ EventEndTime = EventStartTime,
+ Dst = DstIpAddr,
+ DvcIpAddr = SrcIpAddr,
+ Src = SrcIpAddr,
+ SrcHostname = DvcHostname,
+ SrcDvcId = DvcId,
+ IpAddr = SrcIpAddr,
+ EventSeverity = iff(EventOriginalSeverity == "Critical", "High", EventOriginalSeverity),
+ SrcDvcIdType = iff(isnotempty(DvcId), "Other", ""),
+ DvcIdType = iff(isnotempty(DvcId), "Other", ""),
+ SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)
+ | extend
+ Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr)
+ | extend
+ EventCount = int(1),
+ EventProduct = "SentinelOne",
+ EventResult = "Success",
+ EventSchema = "NetworkSession",
+ EventSchemaVersion = "0.2.6",
+ EventResultDetails = "Unknown",
+ EventType = "EndpointNetworkSession",
+ EventVendor = "SentinelOne",
+ NetworkProtocol = "TCP",
+ NetworkProtocolVersion = "IPv4"
+ | project-away
+ *_d,
+ *_s,
+ *_g,
+ *_t,
+ *_b,
+ TenantId,
+ RawData,
+ Computer,
+ MG,
+ ManagementGroupName,
+ SourceSystem
+ };
+ parser(disabled = disabled)
\ No newline at end of file
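Review bot: In the second `extend`, `DvcIpAddr = SrcIpAddr`, `SrcHostname = DvcHostname` and `SrcDvcId = DvcId` treat the agent host as the connection source for every record, yet the parser also admits `INCOMING` events through `NetworkDirectionLookup`; for those the agent host is presumably the destination, so Src* would describe the remote peer and DvcIpAddr the remote address. Either branch on direction, e.g. `DvcIpAddr = iff(NetworkDirection == "Inbound", DstIpAddr, SrcIpAddr)` with `DstHostname`/`DstDvcId` populated instead of `SrcHostname`/`SrcDvcId` for inbound rows, or restrict the `where` to `alertInfo_netEventDirection_s == "OUTGOING"` until the field semantics are confirmed against SentinelOne's documentation. `EventUid = _ResourceId` maps the Log Analytics resource id rather than a per-event identifier (the accompanying DataTest reports EventUid empty in 100% of records); a hash over `TenantId`, `TimeGenerated` and `alertInfo_dvEventId_s` would give a stable unique id. The two reference links `https:/aka.ms/AboutASIM` and `https://.sentinelone.net/api-doc/overview` are malformed, the third reference puts `Link` as its own list item instead of under `Title`, and the Title says "filtering parser" for what is the non-filtering ASim variant.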
diff --git a/Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml b/Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml index 4c89ff580e3..8cf0a13d5a9 100644 --- a/Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml +++ b/Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml 
@@ -108,6 +108,6 @@ ParserQuery: |
 , vimNetworkSessionCiscoASA (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoASA' in (DisabledParsers) ))
 , vimNetworkSessionForcePointFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionForcePointFirewall' in (DisabledParsers) ))
 , vimNetworkSessionNative (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionNative' in (DisabledParsers) ))
- , vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))
+ , vimNetworkSessionSentinelOne (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionSentinelOne' in (DisabledParsers) ))
 };
 NetworkSessionsGeneric(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, pack=pack)
diff --git a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml
new file mode 100644
index 00000000000..4d91207b245
--- /dev/null
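Review bot: As in the ASim union, the `-`/`+` pair here swaps `vimNetworkSessionCiscoMeraki` for `vimNetworkSessionSentinelOne` instead of appending, so the filtering union `imNetworkSession` loses Cisco Meraki coverage and any `ExcludevimNetworkSessionCiscoMeraki` setting becomes a no-op; the diffstat shows no Meraki parser being removed, so this is very likely unintended. Restore the removed line and append the new one beneath it with the identical parameter list, i.e. `, vimNetworkSessionCiscoMeraki (starttime, endtime, ... , ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))` followed by `, vimNetworkSessionSentinelOne (starttime, endtime, ... , ASimBuiltInDisabled or ('ExcludevimNetworkSessionSentinelOne' in (DisabledParsers) ))`. The `let NetworkSessionsGeneric` definition this hunk edits begins above the visible context.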
+++ b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml 
@@ -0,0 +1,175 @@
+Parser:
+ Title: Network Session ASIM filtering parser for SentinelOne
+ Version: '0.1.1'
+ LastUpdated: Jul 27 2023
+Product:
+ Name: SentinelOne
+Normalization:
+ Schema: NetworkSession
+ Version: '0.2.6'
+References:
+- Title: ASIM Network Session Schema
+ Link: https://aka.ms/ASimNetworkSessionDoc
+- Title: ASIM
+ Link: https:/aka.ms/AboutASIM
+- Title: SentinelOne Documentation
+- Link: https://.sentinelone.net/api-doc/overview
+Description: |
+ This ASIM parser supports normalizing SentinelOne logs to the ASIM Network Session normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API.
+ParserName: vimNetworkSessionSentinelOne
+EquivalentBuiltInParser: _Im_NetworkSession_SentinelOne
+ParserParams:
+ - Name: starttime
+ Type: datetime
+ Default: datetime(null)
+ - Name: endtime
+ Type: datetime
+ Default: datetime(null)
+ - Name: srcipaddr_has_any_prefix
+ Type: dynamic
+ Default: dynamic([])
+ - Name: dstipaddr_has_any_prefix
+ Type: dynamic
+ Default: dynamic([])
+ - Name: ipaddr_has_any_prefix
+ Type: dynamic
+ Default: dynamic([])
+ - Name: dstportnumber
+ Type: int
+ Default: int(null)
+ - Name: dvcaction
+ Type: dynamic
+ Default: dynamic([])
+ - Name: hostname_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: eventresult
+ Type: string
+ Default: '*'
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery: |
+ let NetworkDirectionLookup = datatable (
+ alertInfo_netEventDirection_s: string,
+ NetworkDirection: string
+ )[
+ "OUTGOING", "Outbound",
+ "INCOMING", "Inbound",
+ ];
+ let parser=(
+ disabled: bool=false,
+ starttime: datetime=datetime(null),
+ endtime: datetime=datetime(null),
+ eventresult: string='*',
+ srcipaddr_has_any_prefix: dynamic=dynamic([]),
+ dstipaddr_has_any_prefix: dynamic=dynamic([]),
+ ipaddr_has_any_prefix: dynamic=dynamic([]),
+ hostname_has_any: dynamic=dynamic([]),
+ dstportnumber: int=int(null),
+ dvcaction: dynamic=dynamic([])
+ ) {
+ let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);
+ let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);
+ SentinelOne_CL
+ | where not(disabled)
+ and (isnull(starttime) or TimeGenerated >= starttime)
+ and (isnull(endtime) or TimeGenerated <= endtime)
+ and event_name_s == "Alerts."
+ and alertInfo_eventType_s == "TCPV4"
+ and (eventresult == "*" or eventresult == "Success")
+ and (isnull(dstportnumber) or toint(alertInfo_dstPort_s) == dstportnumber)
+ and (array_length(hostname_has_any) == 0 or agentDetectionInfo_name_s has_any (hostname_has_any))
+ and array_length(dvcaction) == 0
+ | extend
+ temp_SrcMatch = has_any_ipv4_prefix(alertInfo_srcIp_s, src_or_any),
+ temp_DstMatch = has_any_ipv4_prefix(alertInfo_dstIp_s, dst_or_any)
+ | extend
+ ASimMatchingIpAddr=case(
+ array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,
+ "-",
+ temp_SrcMatch and temp_DstMatch,
+ "Both",
+ temp_SrcMatch,
+ "SrcIpAddr",
+ temp_DstMatch,
+ "DstIpAddr",
+ "No match"
+ ),
+ ASimMatchingHostname = "SrcHostname"
+ | where ASimMatchingIpAddr != "No match"
+ | lookup NetworkDirectionLookup on alertInfo_netEventDirection_s
+ | extend
+ DstPortNumber = toint(alertInfo_dstPort_s),
+ SrcPortNumber = toint(alertInfo_srcPort_s),
+ AdditionalFields = bag_pack(
+ "MachineType",
+ agentDetectionInfo_machineType_s,
+ "OsRevision",
+ agentDetectionInfo_osRevision_s
+ )
+ | project-rename
+ EventStartTime = sourceProcessInfo_pidStarttime_t,
+ DstIpAddr = alertInfo_dstIp_s,
+ DvcHostname = agentDetectionInfo_name_s,
+ EventUid = _ResourceId,
+ SrcIpAddr = alertInfo_srcIp_s,
+ DvcId = agentDetectionInfo_uuid_g,
+ DvcOs = agentDetectionInfo_osName_s,
+ DvcOsVersion = agentDetectionInfo_version_s,
+ EventOriginalSeverity = ruleInfo_severity_s,
+ EventOriginalUid = alertInfo_dvEventId_s,
+ SrcProcessName = sourceProcessInfo_name_s,
+ SrcProcessId = sourceProcessInfo_pid_s,
+ SrcUsername = sourceProcessInfo_user_s
+ | extend
+ EventEndTime = EventStartTime,
+ Dst = DstIpAddr,
+ DvcIpAddr = SrcIpAddr,
+ Src = SrcIpAddr,
+ SrcHostname = DvcHostname,
+ SrcDvcId = DvcId,
+ IpAddr = SrcIpAddr,
+ EventSeverity = iff(EventOriginalSeverity == "Critical", "High", EventOriginalSeverity),
+ SrcDvcIdType = iff(isnotempty(DvcId), "Other", ""),
+ DvcIdType = iff(isnotempty(DvcId), "Other", ""),
+ SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)
+ | extend
+ Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr)
+ | extend
+ EventCount = int(1),
+ EventProduct = "SentinelOne",
+ EventResult = "Success",
+ EventSchema = "NetworkSession",
+ EventSchemaVersion = "0.2.6",
+ EventResultDetails = "Unknown",
+ EventType = "EndpointNetworkSession",
+ EventVendor = "SentinelOne",
+ NetworkProtocol = "TCP",
+ NetworkProtocolVersion = "IPv4"
+ | project-away
+ *_d,
+ *_s,
+ *_g,
+ *_t,
+ *_b,
+ temp*,
+ TenantId,
+ RawData,
+ Computer,
+ MG,
+ ManagementGroupName,
+ SourceSystem
+ };
+ parser(
+ disabled=disabled,
+ starttime=starttime,
+ endtime=endtime,
+ eventresult=eventresult,
+ srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,
+ dstipaddr_has_any_prefix=dstipaddr_has_any_prefix,
+ ipaddr_has_any_prefix=ipaddr_has_any_prefix,
+ hostname_has_any=hostname_has_any,
+ dstportnumber=dstportnumber,
+ dvcaction=dvcaction
+ )
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_DataTest.csv b/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_DataTest.csv
new file mode 100644
index 00000000000..10ca146e0a8
--- /dev/null
+++ b/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_DataTest.csv
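Review bot: `ASimMatchingHostname = "SrcHostname"` is assigned unconditionally, so callers that pass no `hostname_has_any` filter still get a match marker, unlike the `ASimMatchingIpAddr` case directly above it, which yields `"-"` when no prefix filter is supplied; make it `ASimMatchingHostname = iff(array_length(hostname_has_any) == 0, "-", "SrcHostname")`. `EventStartTime = sourceProcessInfo_pidStarttime_t` is the start time of the initiating process, not of the connection, and `EventEndTime = EventStartTime` inherits that offset, while the `starttime`/`endtime` filters in the `where` run on `TimeGenerated`; `alertInfo_createdAt_t` (present in the custom table schema added in this patch) is presumably the closer timestamp and worth confirming against the sample data. The same direction caveat as the ASim parser applies here: `DvcIpAddr`, `SrcHostname` and `SrcDvcId` are taken from the source side even for `INCOMING` events, so inbound sessions would be labelled with the remote peer as the device.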
@@ -0,0 +1,8 @@
+Result
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 9664 records (84.91%) for field [DvcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:NetworkSession)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 9664 records (84.91%) for field [SrcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:NetworkSession)"
+"(2) Info: Empty value in 10986 records (96.52%) in optional field [SrcUsername] (Schema:NetworkSession)"
+"(2) Info: Empty value in 11382 records (100.0%) in recommended field [EventUid] (Schema:NetworkSession)"
+"(2) Info: Empty value in 2 records (0.02%) in optional field [SrcProcessName] (Schema:NetworkSession)"
diff --git a/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_SchemaTest.csv b/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_SchemaTest.csv
new file mode 100644
index 00000000000..193b198240e
--- /dev/null
+++ b/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_SchemaTest.csv
@@ -0,0 +1,114 @@
+Result
+"(1) Warning: Missing recommended field [ASimMatchingHostname]"
+"(1) Warning: Missing recommended field [ASimMatchingIpAddr]"
+"(1) Warning: Missing recommended field [DstDomain]"
+"(1) Warning: Missing recommended field [DstHostname]"
+"(1) Warning: Missing recommended field [DvcDomain]"
+"(1) Warning: Missing recommended field [SrcDomain]"
+"(2) Info: Missing optional alias [Duration] aliasing non-existent column [NetworkDuration]"
+"(2) Info: Missing optional alias [InnerVlanId] aliasing non-existent column [SrcVlanId]"
+"(2) Info: Missing optional alias [OuterVlanId] aliasing non-existent column [DstVlanId]"
+"(2) Info: Missing optional alias [SessionId] aliasing non-existent column [NetworkSessionId]"
+"(2) Info: Missing optional alias [User] aliasing non-existent column [DstUsername]"
+"(2) Info: Missing optional field [DstAppId]"
+"(2) Info: Missing optional field [DstAppName]"
+"(2) Info: Missing optional field [DstAppType]"
+"(2) Info: Missing optional field [DstBytes]"
+"(2) Info: Missing optional field [DstDescription]"
+"(2) Info: Missing optional field [DstDeviceType]"
+"(2) Info: Missing optional field [DstDvcId]"
+"(2) Info: Missing optional field [DstFQDN]"
+"(2) Info: Missing optional field [DstGeoCity]"
+"(2) Info: Missing optional field [DstGeoCountry]"
+"(2) Info: Missing optional field [DstGeoLatitude]"
+"(2) Info: Missing optional field [DstGeoLongitude]"
+"(2) Info: Missing optional field [DstGeoRegion]"
+"(2) Info: Missing optional field [DstInterfaceGuid]"
+"(2) Info: Missing optional field [DstInterfaceName]"
+"(2) Info: Missing optional field [DstMacAddr]"
+"(2) Info: Missing optional field [DstNatIpAddr]"
+"(2) Info: Missing optional field [DstNatPortNumber]"
+"(2) Info: Missing optional field [DstOriginalUserType]"
+"(2) Info: Missing optional field [DstPackets]"
+"(2) Info: Missing optional field [DstProcessGuid]"
+"(2) Info: Missing optional field [DstProcessId]"
+"(2) Info: Missing optional field [DstProcessName]"
+"(2) Info: Missing optional field [DstScopeId]"
+"(2) Info: Missing optional field [DstUserId]"
+"(2) Info: Missing optional field [DstUserType]"
+"(2) Info: Missing optional field [DstUsername]"
+"(2) Info: Missing optional field [DstVlanId]"
+"(2) Info: Missing optional field [DstZone]"
+"(2) Info: Missing optional field [DvcAction]"
+"(2) Info: Missing optional field [DvcDescription]"
+"(2) Info: Missing optional field [DvcFQDN]"
+"(2) Info: Missing optional field [DvcInboundInterface]"
+"(2) Info: Missing optional field [DvcInterface]"
+"(2) Info: Missing optional field [DvcMacAddr]"
+"(2) Info: Missing optional field [DvcOriginalAction]"
+"(2) Info: Missing optional field [DvcOutboundInterface]"
+"(2) Info: Missing optional field [DvcScopeId]"
+"(2) Info: Missing optional field [DvcScope]"
+"(2) Info: Missing optional field [DvcZone]"
+"(2) Info: Missing optional field [EventMessage]"
+"(2) Info: Missing optional field [EventOriginalResultDetails]"
+"(2) Info: Missing optional field [EventOriginalSubType]"
+"(2) Info: Missing optional field [EventOriginalType]"
+"(2) Info: Missing optional field [EventOwner]"
+"(2) Info: Missing optional field [EventProductVersion]"
+"(2) Info: Missing optional field [EventReportUrl]"
+"(2) Info: Missing optional field [EventSubType]"
+"(2) Info: Missing optional field [NetworkApplicationProtocol]"
+"(2) Info: Missing optional field [NetworkBytes]"
+"(2) Info: Missing optional field [NetworkConnectionHistory]"
+"(2) Info: Missing optional field [NetworkDuration]"
+"(2) Info: Missing optional field [NetworkIcmpCode]"
+"(2) Info: Missing optional field [NetworkIcmpType]"
+"(2) Info: Missing optional field [NetworkPackets]"
+"(2) Info: Missing optional field [NetworkRuleName]"
+"(2) Info: Missing optional field [NetworkRuleNumber]"
+"(2) Info: Missing optional field [NetworkSessionId]"
+"(2) Info: Missing optional field [Rule]"
+"(2) Info: Missing optional field [SrcAppId]"
+"(2) Info: Missing optional field [SrcAppName]"
+"(2) Info: Missing optional field [SrcAppType]"
+"(2) Info: Missing optional field [SrcBytes]"
+"(2) Info: Missing optional field [SrcDescription]"
+"(2) Info: Missing optional field [SrcDeviceType]"
+"(2) Info: Missing optional field [SrcFQDN]"
+"(2) Info: Missing optional field [SrcGeoCity]"
+"(2) Info: Missing optional field [SrcGeoCountry]"
+"(2) Info: Missing optional field [SrcGeoLatitude]"
+"(2) Info: Missing optional field [SrcGeoLongitude]"
+"(2) Info: Missing optional field [SrcGeoRegion]"
+"(2) Info: Missing optional field [SrcInterfaceGuid]"
+"(2) Info: Missing optional field [SrcInterfaceName]"
+"(2) Info: Missing optional field [SrcMacAddr]"
+"(2) Info: Missing optional field [SrcNatIpAddr]"
+"(2) Info: Missing optional field [SrcNatPortNumber]"
+"(2) Info: Missing optional field [SrcOriginalUserType]"
+"(2) Info: Missing optional field [SrcPackets]"
+"(2) Info: Missing optional field [SrcProcessGuid]"
+"(2) Info: Missing optional field [SrcScopeId]"
+"(2) Info: Missing optional field [SrcUserId]"
+"(2) Info: Missing optional field [SrcUserType]"
+"(2) Info: Missing optional field [SrcVlanId]"
+"(2) Info: Missing optional field [SrcZone]"
+"(2) Info: Missing optional field [TcpFlagsAck]"
+"(2) Info: Missing optional field [TcpFlagsFin]"
+"(2) Info: Missing optional field [TcpFlagsPsh]"
+"(2) Info: Missing optional field [TcpFlagsRst]"
+"(2) Info: Missing optional field [TcpFlagsSyn]"
+"(2) Info: Missing optional field [TcpFlagsUrg]"
+"(2) Info: Missing optional field [ThreatCategory]"
+"(2) Info: Missing optional field [ThreatConfidence]"
+"(2) Info: Missing optional field [ThreatFirstReportedTime]"
+"(2) Info: Missing optional field [ThreatId]"
+"(2) Info: Missing optional field [ThreatIpAddr]"
+"(2) Info: Missing optional field [ThreatIsActive]"
+"(2) Info: Missing optional field [ThreatLastReportedTime]"
+"(2) Info: Missing optional field [ThreatName]"
+"(2) Info: Missing optional field [ThreatOriginalConfidence]"
+"(2) Info: Missing optional field [ThreatOriginalRiskLevel]"
+"(2) Info: Missing optional field [ThreatRiskLevel]"
+"(2) Info: Missing recommended alias [Hostname] aliasing non-existent column [DstHostname]"
diff --git a/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_DataTest.csv b/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_DataTest.csv
new file mode 100644
index 00000000000..10ca146e0a8
--- /dev/null
+++ b/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_DataTest.csv
@@ -0,0 +1,8 @@
+Result
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 9664 records (84.91%) for field [DvcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:NetworkSession)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 9664 records (84.91%) for field [SrcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:NetworkSession)"
+"(2) Info: Empty value in 10986 records (96.52%) in optional field [SrcUsername] (Schema:NetworkSession)"
+"(2) Info: Empty value in 11382 records (100.0%) in recommended field [EventUid] (Schema:NetworkSession)"
+"(2) Info: Empty value in 2 records (0.02%) in optional field [SrcProcessName] (Schema:NetworkSession)"
diff --git a/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_SchemaTest.csv b/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_SchemaTest.csv
new file mode 100644
index 00000000000..f2db7436c48
--- /dev/null
+++ b/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_SchemaTest.csv
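Review bot: The `Missing recommended field [DvcDomain]` and `[SrcDomain]` warnings baked into this expected-results file (and into SentinelOne_vimNetworkSession_SchemaTest.csv below) look avoidable rather than inherent to the source: the ingested-log sample added in this same commit carries `agentDetectionInfo_agentDomain_s`, `agentRealtimeInfo_agentDomain_s` and `domain_s` columns that could feed DvcDomain with a matching DvcDomainType, and since the parser aliases the Src fields to the Dvc fields, SrcDomain as well. Whether those columns are populated for the network-session rows is not evident from the truncated sample, so this is worth checking against the data before adding the mapping. The `[ASimMatchingHostname]`/`[ASimMatchingIpAddr]` warnings are specific to this ASim file and are absent from the vim baseline, which is consistent with those fields being produced only by the filtering parser.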
@@ -0,0 +1,112 @@
+Result
+"(1) Warning: Missing recommended field [DstDomain]"
+"(1) Warning: Missing recommended field [DstHostname]"
+"(1) Warning: Missing recommended field [DvcDomain]"
+"(1) Warning: Missing recommended field [SrcDomain]"
+"(2) Info: Missing optional alias [Duration] aliasing non-existent column [NetworkDuration]"
+"(2) Info: Missing optional alias [InnerVlanId] aliasing non-existent column [SrcVlanId]"
+"(2) Info: Missing optional alias [OuterVlanId] aliasing non-existent column [DstVlanId]"
+"(2) Info: Missing optional alias [SessionId] aliasing non-existent column [NetworkSessionId]"
+"(2) Info: Missing optional alias [User] aliasing non-existent column [DstUsername]"
+"(2) Info: Missing optional field [DstAppId]"
+"(2) Info: Missing optional field [DstAppName]"
+"(2) Info: Missing optional field [DstAppType]"
+"(2) Info: Missing optional field [DstBytes]"
+"(2) Info: Missing optional field [DstDescription]"
+"(2) Info: Missing optional field [DstDeviceType]"
+"(2) Info: Missing optional field [DstDvcId]"
+"(2) Info: Missing optional field [DstFQDN]"
+"(2) Info: Missing optional field [DstGeoCity]"
+"(2) Info: Missing optional field [DstGeoCountry]"
+"(2) Info: Missing optional field [DstGeoLatitude]"
+"(2) Info: Missing optional field [DstGeoLongitude]"
+"(2) Info: Missing optional field [DstGeoRegion]"
+"(2) Info: Missing optional field [DstInterfaceGuid]"
+"(2) Info: Missing optional field [DstInterfaceName]"
+"(2) Info: Missing optional field [DstMacAddr]"
+"(2) Info: Missing optional field [DstNatIpAddr]"
+"(2) Info: Missing optional field [DstNatPortNumber]"
+"(2) Info: Missing optional field [DstOriginalUserType]"
+"(2) Info: Missing optional field [DstPackets]"
+"(2) Info: Missing optional field [DstProcessGuid]"
+"(2) Info: Missing optional field [DstProcessId]"
+"(2) Info: Missing optional field [DstProcessName]"
+"(2) Info: Missing optional field [DstScopeId]"
+"(2) Info: Missing optional field [DstUserId]"
+"(2) Info: Missing optional field [DstUserType]"
+"(2) Info: Missing optional field [DstUsername]"
+"(2) Info: Missing optional field [DstVlanId]"
+"(2) Info: Missing optional field [DstZone]"
+"(2) Info: Missing optional field [DvcAction]"
+"(2) Info: Missing optional field [DvcDescription]"
+"(2) Info: Missing optional field [DvcFQDN]"
+"(2) Info: Missing optional field [DvcInboundInterface]"
+"(2) Info: Missing optional field [DvcInterface]"
+"(2) Info: Missing optional field [DvcMacAddr]"
+"(2) Info: Missing optional field [DvcOriginalAction]"
+"(2) Info: Missing optional field [DvcOutboundInterface]"
+"(2) Info: Missing optional field [DvcScopeId]"
+"(2) Info: Missing optional field [DvcScope]"
+"(2) Info: Missing optional field [DvcZone]"
+"(2) Info: Missing optional field [EventMessage]"
+"(2) Info: Missing optional field [EventOriginalResultDetails]"
+"(2) Info: Missing optional field [EventOriginalSubType]"
+"(2) Info: Missing optional field [EventOriginalType]"
+"(2) Info: Missing optional field [EventOwner]"
+"(2) Info: Missing optional field [EventProductVersion]"
+"(2) Info: Missing optional field [EventReportUrl]"
+"(2) Info: Missing optional field [EventSubType]"
+"(2) Info: Missing optional field [NetworkApplicationProtocol]"
+"(2) Info: Missing optional field [NetworkBytes]"
+"(2) Info: Missing optional field [NetworkConnectionHistory]"
+"(2) Info: Missing optional field [NetworkDuration]"
+"(2) Info: Missing optional field [NetworkIcmpCode]"
+"(2) Info: Missing optional field [NetworkIcmpType]"
+"(2) Info: Missing optional field [NetworkPackets]"
+"(2) Info: Missing optional field [NetworkRuleName]"
+"(2) Info: Missing optional field [NetworkRuleNumber]"
+"(2) Info: Missing optional field [NetworkSessionId]"
+"(2) Info: Missing optional field [Rule]"
+"(2) Info: Missing optional field [SrcAppId]"
+"(2) Info: Missing optional field [SrcAppName]"
+"(2) Info: Missing optional field [SrcAppType]"
+"(2) Info: Missing optional field [SrcBytes]"
+"(2) Info: Missing optional field [SrcDescription]"
+"(2) Info: Missing optional field [SrcDeviceType]"
+"(2) Info: Missing optional field [SrcFQDN]"
+"(2) Info: Missing optional field [SrcGeoCity]"
+"(2) Info: Missing optional field [SrcGeoCountry]"
+"(2) Info: Missing optional field [SrcGeoLatitude]"
+"(2) Info: Missing optional field [SrcGeoLongitude]"
+"(2) Info: Missing optional field [SrcGeoRegion]"
+"(2) Info: Missing optional field [SrcInterfaceGuid]"
+"(2) Info: Missing optional field [SrcInterfaceName]"
+"(2) Info: Missing optional field [SrcMacAddr]"
+"(2) Info: Missing optional field [SrcNatIpAddr]"
+"(2) Info: Missing optional field [SrcNatPortNumber]"
+"(2) Info: Missing optional field [SrcOriginalUserType]"
+"(2) Info: Missing optional field [SrcPackets]"
+"(2) Info: Missing optional field [SrcProcessGuid]"
+"(2) Info: Missing optional field [SrcScopeId]"
+"(2) Info: Missing optional field [SrcUserId]"
+"(2) Info: Missing optional field [SrcUserType]"
+"(2) Info: Missing optional field [SrcVlanId]"
+"(2) Info: Missing optional field [SrcZone]"
+"(2) Info: Missing optional field [TcpFlagsAck]"
+"(2) Info: Missing optional field [TcpFlagsFin]"
+"(2) Info: Missing optional field [TcpFlagsPsh]"
+"(2) Info: Missing optional field [TcpFlagsRst]"
+"(2) Info: Missing optional field [TcpFlagsSyn]"
+"(2) Info: Missing optional field [TcpFlagsUrg]"
+"(2) Info: Missing optional field [ThreatCategory]"
+"(2) Info: Missing optional field [ThreatConfidence]"
+"(2) Info: Missing optional field [ThreatFirstReportedTime]"
+"(2) Info: Missing optional field [ThreatId]"
+"(2) Info: Missing optional field [ThreatIpAddr]"
+"(2) Info: Missing optional field [ThreatIsActive]"
+"(2) Info: Missing optional field [ThreatLastReportedTime]"
+"(2) Info: Missing optional field [ThreatName]"
+"(2) Info: Missing optional field [ThreatOriginalConfidence]"
+"(2) Info: Missing optional field [ThreatOriginalRiskLevel]"
+"(2) Info: Missing optional field [ThreatRiskLevel]"
+"(2) Info: Missing recommended alias [Hostname] aliasing non-existent column [DstHostname]"
diff --git a/Sample Data/ASIM/SentinelOne_ASimNetworkSession_IngestedLogs.csv b/Sample Data/ASIM/SentinelOne_ASimNetworkSession_IngestedLogs.csv
new file mode 100644
index 00000000000..b78c519ba01
--- /dev/null
+++ b/Sample Data/ASIM/SentinelOne_ASimNetworkSession_IngestedLogs.csv
@@ -0,0 +1,21 @@ +TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,alertInfo_indicatorDescription_s,alertInfo_indicatorName_s,targetProcessInfo_tgtFileOldPath_s,alertInfo_indicatorCategory_s,alertInfo_registryOldValue_g,alertInfo_dstIp_s,alertInfo_dstPort_s,alertInfo_netEventDirection_s,alertInfo_srcIp_s,alertInfo_srcPort_s,containerInfo_id_s,targetProcessInfo_tgtFileId_g,alertInfo_registryOldValue_s,alertInfo_registryOldValueType_s,alertInfo_dnsRequest_s,alertInfo_dnsResponse_s,alertInfo_registryKeyPath_s,alertInfo_registryPath_s,alertInfo_registryValue_g,ruleInfo_description_s,alertInfo_registryValue_s,alertInfo_loginAccountDomain_s,alertInfo_loginAccountSid_s,alertInfo_loginIsAdministratorEquivalent_s,alertInfo_loginIsSuccessful_s,alertInfo_loginType_s,alertInfo_loginsUserName_s,alertInfo_srcMachineIp_s,targetProcessInfo_tgtProcCmdLine_s,targetProcessInfo_tgtProcImagePath_s,targetProcessInfo_tgtProcName_s,targetProcessInfo_tgtProcPid_s,targetProcessInfo_tgtProcSignedStatus_s,targetProcessInfo_tgtProcStorylineId_s,targetProcessInfo_tgtProcUid_s,sourceParentProcessInfo_storyline_g,sourceParentProcessInfo_uniqueId_g,sourceProcessInfo_storyline_g,sourceProcessInfo_uniqueId_g,targetProcessInfo_tgtProcStorylineId_g,targetProcessInfo_tgtProcUid_g,agentDetectionInfo_machineType_s,agentDetectionInfo_name_s,agentDetectionInfo_osFamily_s,agentDetectionInfo_osName_s,agentDetectionInfo_osRevision_s,agentDetectionInfo_uuid_g,agentDetectionInfo_version_s,agentRealtimeInfo_id_s,agentRealtimeInfo_infected_b,agentRealtimeInfo_isActive_b,agentRealtimeInfo_isDecommissioned_b,agentRealtimeInfo_machineType_s,agentRealtimeInfo_name_s,agentRealtimeInfo_os_s,agentRealtimeInfo_uuid_g,alertInfo_alertId_s,alertInfo_analystVerdict_s,alertInfo_createdAt_t [UTC],alertInfo_dvEventId_s,alertInfo_eventType_s,alertInfo_hitType_s,alertInfo_incidentStatus_s,alertInfo_isEdr_b,alertInfo_reportedAt_t [UTC],alertInfo_source_s,alertInfo_updatedAt_t 
[UTC],ruleInfo_id_s,ruleInfo_name_s,ruleInfo_queryLang_s,ruleInfo_queryType_s,ruleInfo_s1ql_s,ruleInfo_scopeLevel_s,ruleInfo_severity_s,ruleInfo_treatAsThreat_s,sourceParentProcessInfo_commandline_s,sourceParentProcessInfo_fileHashMd5_g,sourceParentProcessInfo_fileHashSha1_s,sourceParentProcessInfo_fileHashSha256_s,sourceParentProcessInfo_filePath_s,sourceParentProcessInfo_fileSignerIdentity_s,sourceParentProcessInfo_integrityLevel_s,sourceParentProcessInfo_name_s,sourceParentProcessInfo_pid_s,sourceParentProcessInfo_pidStarttime_t [UTC],sourceParentProcessInfo_storyline_s,sourceParentProcessInfo_subsystem_s,sourceParentProcessInfo_uniqueId_s,sourceParentProcessInfo_user_s,sourceProcessInfo_commandline_s,sourceProcessInfo_fileHashMd5_g,sourceProcessInfo_fileHashSha1_s,sourceProcessInfo_fileHashSha256_s,sourceProcessInfo_filePath_s,sourceProcessInfo_fileSignerIdentity_s,sourceProcessInfo_integrityLevel_s,sourceProcessInfo_name_s,sourceProcessInfo_pid_s,sourceProcessInfo_pidStarttime_t [UTC],sourceProcessInfo_storyline_s,sourceProcessInfo_subsystem_s,sourceProcessInfo_uniqueId_s,sourceProcessInfo_user_s,targetProcessInfo_tgtFileCreatedAt_t [UTC],targetProcessInfo_tgtFileHashSha1_s,targetProcessInfo_tgtFileHashSha256_s,targetProcessInfo_tgtFileId_s,targetProcessInfo_tgtFileIsSigned_s,targetProcessInfo_tgtFileModifiedAt_t [UTC],targetProcessInfo_tgtFilePath_s,targetProcessInfo_tgtProcIntegrityLevel_s,targetProcessInfo_tgtProcessStartTime_t 
[UTC],agentUpdatedVersion_s,agentId_s,hash_s,osFamily_s,threatId_s,creator_s,creatorId_s,inherits_b,isDefault_b,name_s,registrationToken_s,totalAgents_d,type_s,agentDetectionInfo_accountId_s,agentDetectionInfo_accountName_s,agentDetectionInfo_agentDetectionState_s,agentDetectionInfo_agentDomain_s,agentDetectionInfo_agentIpV4_s,agentDetectionInfo_agentIpV6_s,agentDetectionInfo_agentLastLoggedInUserName_s,agentDetectionInfo_agentMitigationMode_s,agentDetectionInfo_agentOsName_s,agentDetectionInfo_agentOsRevision_s,agentDetectionInfo_agentRegisteredAt_t [UTC],agentDetectionInfo_agentUuid_g,agentDetectionInfo_agentVersion_s,agentDetectionInfo_externalIp_s,agentDetectionInfo_groupId_s,agentDetectionInfo_groupName_s,agentDetectionInfo_siteId_s,agentDetectionInfo_siteName_s,agentRealtimeInfo_accountId_s,agentRealtimeInfo_accountName_s,agentRealtimeInfo_activeThreats_d,agentRealtimeInfo_agentComputerName_s,agentRealtimeInfo_agentDomain_s,agentRealtimeInfo_agentId_s,agentRealtimeInfo_agentInfected_b,agentRealtimeInfo_agentIsActive_b,agentRealtimeInfo_agentIsDecommissioned_b,agentRealtimeInfo_agentMachineType_s,agentRealtimeInfo_agentMitigationMode_s,agentRealtimeInfo_agentNetworkStatus_s,agentRealtimeInfo_agentOsName_s,agentRealtimeInfo_agentOsRevision_s,agentRealtimeInfo_agentOsType_s,agentRealtimeInfo_agentUuid_g,agentRealtimeInfo_agentVersion_s,agentRealtimeInfo_groupId_s,agentRealtimeInfo_groupName_s,agentRealtimeInfo_networkInterfaces_s,agentRealtimeInfo_operationalState_s,agentRealtimeInfo_rebootRequired_b,agentRealtimeInfo_scanFinishedAt_t [UTC],agentRealtimeInfo_scanStartedAt_t 
[UTC],agentRealtimeInfo_scanStatus_s,agentRealtimeInfo_siteId_s,agentRealtimeInfo_siteName_s,agentRealtimeInfo_userActionsNeeded_s,indicators_s,mitigationStatus_s,threatInfo_analystVerdict_s,threatInfo_analystVerdictDescription_s,threatInfo_automaticallyResolved_b,threatInfo_certificateId_s,threatInfo_classification_s,threatInfo_classificationSource_s,threatInfo_cloudFilesHashVerdict_s,threatInfo_collectionId_s,threatInfo_confidenceLevel_s,threatInfo_createdAt_t [UTC],threatInfo_detectionEngines_s,threatInfo_detectionType_s,threatInfo_engines_s,threatInfo_externalTicketExists_b,threatInfo_failedActions_b,threatInfo_fileExtension_s,threatInfo_fileExtensionType_s,threatInfo_filePath_s,threatInfo_fileSize_d,threatInfo_fileVerificationType_s,threatInfo_identifiedAt_t [UTC],threatInfo_incidentStatus_s,threatInfo_incidentStatusDescription_s,threatInfo_initiatedBy_s,threatInfo_initiatedByDescription_s,threatInfo_isFileless_b,threatInfo_isValidCertificate_b,threatInfo_mitigatedPreemptively_b,threatInfo_mitigationStatus_s,threatInfo_mitigationStatusDescription_s,threatInfo_originatorProcess_s,threatInfo_pendingActions_b,threatInfo_processUser_s,threatInfo_publisherName_s,threatInfo_reachedEventsLimit_b,threatInfo_rebootRequired_b,threatInfo_sha1_s,threatInfo_storyline_s,threatInfo_threatId_s,threatInfo_threatName_s,threatInfo_updatedAt_t [UTC],whiteningOptions_s,threatInfo_maliciousProcessArguments_s,threatInfo_fileExtension_g,threatInfo_threatName_g,threatInfo_storyline_g,accountId_s,accountName_s,activityType_d,activityUuid_g,createdAt_t [UTC],id_s,primaryDescription_s,secondaryDescription_s,siteId_s,siteName_s,updatedAt_t 
[UTC],userId_s,event_name_s,DataFields_s,description_s,comments_s,activeDirectory_computerMemberOf_s,activeDirectory_lastUserMemberOf_s,activeThreats_d,agentVersion_s,allowRemoteShell_b,appsVulnerabilityStatus_s,computerName_s,consoleMigrationStatus_s,coreCount_d,cpuCount_d,cpuId_s,detectionState_s,domain_s,encryptedApplications_b,externalId_s,externalIp_s,firewallEnabled_b,firstFullModeTime_t [UTC],fullDiskScanLastUpdatedAt_t [UTC],groupId_s,groupIp_s,groupName_s,inRemoteShellSession_b,infected_b,installerType_s,isActive_b,isDecommissioned_b,isPendingUninstall_b,isUninstalled_b,isUpToDate_b,lastActiveDate_t [UTC],lastIpToMgmt_s,lastLoggedInUserName_s,licenseKey_s,locationEnabled_b,locationType_s,locations_s,machineType_s,mitigationMode_s,mitigationModeSuspicious_s,modelName_s,networkInterfaces_s,networkQuarantineEnabled_b,networkStatus_s,operationalState_s,osArch_s,osName_s,osRevision_s,osStartTime_t [UTC],osType_s,rangerStatus_s,rangerVersion_s,registeredAt_t [UTC],remoteProfilingState_s,scanFinishedAt_t [UTC],scanStartedAt_t [UTC],scanStatus_s,serialNumber_s,showAlertIcon_b,tags_sentinelone_s,threatRebootRequired_b,totalMemory_d,userActionsNeeded_s,uuid_g,osUsername_s,scanAbortedAt_t [UTC],activeDirectory_computerDistinguishedName_s,activeDirectory_lastUserDistinguishedName_s,Type,_ResourceId +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 5:10:03 AM",,,,,,,,1.1.1.1,21,OUTGOING,2.2.2.1,11,,,,,,,,,,,,,,,,,,,,,,,,,,747ffc62-5417-49b6-b4ea-5109c4ec9e4f,747ffc61-1824-0304-10ba-8cc565a15646,7487986b-0982-122d-e993-6113156f70ed,7488937b-7a34-81e9-e4c7-434a2e49cf39,,,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1736709934432915550,Undefined,"7/25/2023, 4:52:24 AM",01H65P81VTDWS403SH4ZN0JS9T_0,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 4:52:37 AM",STAR,"7/25/2023, 4:52:37 
AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED, /usr/lib/systemd/systemd --switched-root --system --deserialize 22,,d00e622d514a3351de5cede74496dd50c65fbabb,,/usr/lib/systemd/systemd,,unknown,systemd,1,"7/24/2023, 4:49:44 AM",,unknown,,, /usr/local/demisto/d1_Test2/d1,,27141d28091ab8527a01da1f02a2e8cf5a2bc95a,,/usr/local/demisto/d1_Test2/d1,,unknown,d1,1279,"7/24/2023, 4:50:27 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.2,22,OUTGOING,2.2.2.2,12,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738442842154293,Undefined,"7/25/2023, 5:49:10 AM",01H65SG50RP78BRBAJ4ZGDQGGF_10,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:16 AM",STAR,"7/25/2023, 5:49:16 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Windows\system32\services.exe,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,C:\Windows\System32\services.exe,MICROSOFT WINDOWS PUBLISHER,system,services.exe,8,"7/17/2023, 10:22:47 AM",433C0EF580778F51,sys_win32,423C0EF580778F51,NT AUTHORITY\SYSTEM,C:\Windows\System32\svchost.exe -k netprofm -p -s 
netprofm,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT WINDOWS,system,svchost.exe,2084,"7/17/2023, 10:22:47 AM",D83C0EF580778F51,sys_win32,D73C0EF580778F51,NT AUTHORITY\NETWORK SERVICE,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.3,23,OUTGOING,2.2.2.3,13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738444335326608,Undefined,"7/25/2023, 5:49:14 AM",01H65SGAGCE4JDGCGC1GCKNT9S_22,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:16 AM",STAR,"7/25/2023, 5:49:16 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Windows\system32\services.exe,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,C:\Windows\System32\services.exe,MICROSOFT WINDOWS PUBLISHER,system,services.exe,8,"7/17/2023, 10:22:47 AM",433C0EF580778F51,sys_win32,423C0EF580778F51,NT AUTHORITY\SYSTEM,C:\Windows\System32\svchost.exe -k utcsvc -p,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT WINDOWS,system,svchost.exe,4604,"7/17/2023, 10:22:49 AM",553D0EF580778F51,sys_win32,543D0EF580778F51,NT 
AUTHORITY\SYSTEM,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.4,23,OUTGOING,2.2.2.4,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738445736224238,Undefined,"7/25/2023, 5:49:09 AM",01H65SG2PQ023350V5K0TTCRKP_16,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:16 AM",STAR,"7/25/2023, 5:49:16 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,sihost.exe,e5a23407-157b-23f3-c244-1d412163e4ee,e8d9750e757e5b580c56521a81ed0cc41d327d82,51eb6455bdca85d3102a00b1ce89969016efc3ed8b08b24a2aa10e03ba1e2b13,C:\Windows\System32\sihost.exe,MICROSOFT WINDOWS,medium,sihost.exe,3160,"7/21/2023, 4:49:44 AM",9C8612F580778F51,sys_win32,9B8612F580778F51,CLO007\Crest,"""C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca",0d7ce0d4-741a-a223-0f5a-618a796f4739,f456a426618804abec06fd5883219c4c6eace180,8b5b969143e22d8f27d919948e30aff8594c15c3c69b42bbafa23551e1dc0c68,C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe,MICROSOFT WINDOWS,low,SearchHost.exe,1160,"7/21/2023, 4:49:46 AM",CD8712F580778F51,sys_win32,CC8712F580778F51,CLO007\Crest,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 
AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.5,23,OUTGOING,2.2.2.5,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738460617615382,Undefined,"7/25/2023, 5:49:14 AM",01H65SGAGCE4JDGCGC1GCKNT9S_32,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:18 AM",STAR,"7/25/2023, 5:49:18 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Windows\system32\services.exe,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,C:\Windows\System32\services.exe,MICROSOFT WINDOWS PUBLISHER,system,services.exe,8,"7/17/2023, 10:22:47 AM",433C0EF580778F51,sys_win32,423C0EF580778F51,NT AUTHORITY\SYSTEM,C:\Windows\system32\svchost.exe -k NetworkService -p,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT WINDOWS,system,svchost.exe,1576,"7/17/2023, 10:22:47 AM",B83C0EF580778F51,sys_win32,B73C0EF580778F51,NT AUTHORITY\NETWORK SERVICE,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 
6:00:06 AM",,,,,,,,1.1.1.6,23,OUTGOING,2.2.2.6,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738491395419873,Undefined,"7/25/2023, 5:49:11 AM",01H65SG9CAMBQHFPH0TJD6EYXN_425,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:22 AM",STAR,"7/25/2023, 5:49:22 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,"""C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.82\msedgewebview2.exe"" --embedded-browser-webview=1 --webview-exe-name=msteams.exe --webview-exe-version=23119.303.2080.2726 --user-data-dir=""C:\Users\Crest\AppData\Local\Packages\MicrosoftTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView"" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --edge-webview-custom-scheme --disable-features=MojoIpcz,msWebOOUI --edge-webview-is-background --enable-features=msSingleSignOnOSForPrimaryAccountIsShared,msEdgeFluentOverlayScrollbar,msWebView2CodeCache,msWebView2EnableDraggableRegions --mojo-named-platform-channel-pipe=9452.304.14872043078598792820 /pfhostedapp:e7e952ed836442a682dca713cb7c4d91d21a087a",0f259745-8e7a-c81b-049d-45ef5b291246,bbd88a2a41c94d4140ccaef71bfb771e0ccc5c32,0ce0ef234aba4bf60f1c48a058ce764d52e91078e95312de4db4b0911f4cc7d4,C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.82\msedgewebview2.exe,MICROSOFT CORPORATION,medium,msedgewebview2.exe,7280,"7/25/2023, 5:36:56 AM",C9B312F580778F51,sys_win32,CFB512F580778F51,CLO007\Crest,"""C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.82\msedgewebview2.exe"" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs 
--user-data-dir=""C:\Users\Crest\AppData\Local\Packages\MicrosoftTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView"" --webview-exe-name=msteams.exe --webview-exe-version=23119.303.2080.2726 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --edge-webview-custom-scheme --mojo-platform-channel-handle=2072 --field-trial-handle=1892,i,4999416576109179693,17961817705433260896,262144 --enable-features=msEdgeFluentOverlayScrollbar,msSingleSignOnOSForPrimaryAccountIsShared,msWebView2CodeCache,msWebView2EnableDraggableRegions --disable-features=MojoIpcz,msWebOOUI /prefetch:3 /pfhostedapp:e7e952ed836442a682dca713cb7c4d91d21a087a",0f259745-8e7a-c81b-049d-45ef5b291246,bbd88a2a41c94d4140ccaef71bfb771e0ccc5c32,0ce0ef234aba4bf60f1c48a058ce764d52e91078e95312de4db4b0911f4cc7d4,C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.82\msedgewebview2.exe,MICROSOFT CORPORATION,medium,msedgewebview2.exe,4144,"7/25/2023, 5:36:56 AM",C9B312F580778F51,sys_win32,EAB512F580778F51,CLO007\Crest,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.7,23,OUTGOING,2.2.2.7,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738492846649072,Undefined,"7/25/2023, 5:49:10 AM",01H65SG50RP78BRBAJ4ZGDQGGF_8,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:22 AM",STAR,"7/25/2023, 5:49:22 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP 
Listen""",account,Low,UNDEFINED,C:\Windows\system32\services.exe,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,C:\Windows\System32\services.exe,MICROSOFT WINDOWS PUBLISHER,system,services.exe,8,"7/17/2023, 10:22:47 AM",433C0EF580778F51,sys_win32,423C0EF580778F51,NT AUTHORITY\SYSTEM,C:\Windows\system32\svchost.exe -k NetworkService -p,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT WINDOWS,system,svchost.exe,2692,"7/17/2023, 10:22:48 AM",FC3C0EF580778F51,sys_win32,FB3C0EF580778F51,NT AUTHORITY\NETWORK SERVICE,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.8,23,OUTGOING,2.2.2.8,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738499473649861,Undefined,"7/25/2023, 5:49:14 AM",01H65SGAGCE4JDGCGC1GCKNT9S_3,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:23 AM",STAR,"7/25/2023, 5:49:23 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Windows\system32\services.exe,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,C:\Windows\System32\services.exe,MICROSOFT WINDOWS PUBLISHER,system,services.exe,8,"7/17/2023, 10:22:47 
AM",433C0EF580778F51,sys_win32,423C0EF580778F51,NT AUTHORITY\SYSTEM,C:\Windows\System32\svchost.exe -k NetworkService -p,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT WINDOWS,system,svchost.exe,8620,"7/17/2023, 10:33:11 AM",4E4B0EF580778F51,sys_win32,4D4B0EF580778F51,NT AUTHORITY\NETWORK SERVICE,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.9,23,OUTGOING,2.2.2.9,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738500874547448,Undefined,"7/25/2023, 5:49:11 AM",01H65SG9CAMBQHFPH0TJD6EYXN_432,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:23 AM",STAR,"7/25/2023, 5:49:23 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,sihost.exe,e5a23407-157b-23f3-c244-1d412163e4ee,e8d9750e757e5b580c56521a81ed0cc41d327d82,51eb6455bdca85d3102a00b1ce89969016efc3ed8b08b24a2aa10e03ba1e2b13,C:\Windows\System32\sihost.exe,MICROSOFT WINDOWS,medium,sihost.exe,13788,"7/25/2023, 5:36:13 AM",B2B112F580778F51,sys_win32,B1B112F580778F51,CLO007\Crest,"""C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"" 
-ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca",4bd84472-eca2-b69a-0391-f61fa50d0f31,0ca4bcd60601ec0d8602d4f5994cb0393edb892b,c1fc7f6cb2228ee6386d91f27f1a61ae60a63deefb21d78bb810b7f027f1a489,C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe,MICROSOFT WINDOWS,low,StartMenuExperienceHost.exe,4524,"7/25/2023, 5:36:15 AM",B5B212F580778F51,sys_win32,B4B212F580778F51,CLO007\Crest,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.10,23,OUTGOING,2.2.2.10,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738502325776707,Undefined,"7/25/2023, 5:49:14 AM",01H65SGAGCE4JDGCGC1GCKNT9S_29,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:23 AM",STAR,"7/25/2023, 5:49:23 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Windows\system32\services.exe,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,C:\Windows\System32\services.exe,MICROSOFT WINDOWS PUBLISHER,system,services.exe,8,"7/17/2023, 10:22:47 AM",433C0EF580778F51,sys_win32,423C0EF580778F51,NT AUTHORITY\SYSTEM,C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT 
WINDOWS,system,svchost.exe,10972,"7/25/2023, 5:28:16 AM",09AB12F580778F51,sys_win32,08AB12F580778F51,NT AUTHORITY\SYSTEM,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.11,23,OUTGOING,2.2.2.11,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738511318364930,Undefined,"7/25/2023, 5:49:11 AM",01H65SG9CAMBQHFPH0TJD6EYXN_434,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:24 AM",STAR,"7/25/2023, 5:49:24 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT WINDOWS,system,svchost.exe,1752,"7/17/2023, 10:22:47 AM",C43C0EF580778F51,sys_win32,C33C0EF580778F51,NT AUTHORITY\SYSTEM,"""C:\Windows\system32\wermgr.exe"" -upload",b2eb37f1-bd88-302c-2f15-0217722a8c9f,d8e0c1e1ad99a38f3a84414d5af7b761bf0eb924,a4c41c6c4e1d0fadc9bd3313a3d0e329517f400bd8908dd8c70ac69758e60875,C:\Windows\System32\wermgr.exe,MICROSOFT WINDOWS,system,wermgr.exe,5488,"7/25/2023, 5:37:03 AM",34B612F580778F51,sys_win32,33B612F580778F51,NT AUTHORITY\SYSTEM,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 
AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.12,23,OUTGOING,2.2.2.12,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738514782860324,Undefined,"7/25/2023, 5:49:14 AM",01H65SGAGCE4JDGCGC1GCKNT9S_9,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:24 AM",STAR,"7/25/2023, 5:49:24 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Windows\system32\services.exe,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,C:\Windows\System32\services.exe,MICROSOFT WINDOWS PUBLISHER,system,services.exe,8,"7/17/2023, 10:22:47 AM",433C0EF580778F51,sys_win32,423C0EF580778F51,NT AUTHORITY\SYSTEM,C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT WINDOWS,system,svchost.exe,11436,"7/25/2023, 5:34:08 AM",FEAE12F580778F51,sys_win32,FDAE12F580778F51,NT AUTHORITY\SYSTEM,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 
6:40:04 AM",,,,,,,,1.1.1.13,23,OUTGOING,2.2.2.13,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736756505571408611,Undefined,"7/25/2023, 6:24:58 AM",01H65VHMRC71Y2GK2M458J2WMW_15,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 6:25:09 AM",STAR,"7/25/2023, 6:25:09 AM",1736743171400115521,CWL547,1,events,"EndpointName = ""CLO007""",account,Medium,UNDEFINED,C:\Windows\system32\services.exe,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,C:\Windows\System32\services.exe,MICROSOFT WINDOWS PUBLISHER,system,services.exe,8,"7/17/2023, 10:22:47 AM",433C0EF580778F51,sys_win32,423C0EF580778F51,NT AUTHORITY\SYSTEM,C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT WINDOWS,system,svchost.exe,2084,"7/17/2023, 10:22:47 AM",D83C0EF580778F51,sys_win32,D73C0EF580778F51,NT AUTHORITY\NETWORK SERVICE,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:40:04 AM",,,,,,,,1.1.1.14,23,OUTGOING,2.2.2.14,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736757508513437640,Undefined,"7/25/2023, 6:27:00 
AM",01H65VN9YVSBR9FGDK3RJX7NKK_10,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 6:27:09 AM",STAR,"7/25/2023, 6:27:09 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT WINDOWS,system,svchost.exe,1752,"7/17/2023, 10:22:47 AM",C43C0EF580778F51,sys_win32,C33C0EF580778F51,NT AUTHORITY\SYSTEM,taskhostw.exe,4887a65f-d4f6-598a-f498-6cbc1c0e5488,0882f3f9947405bb80c2e830adf69af85c9b51c7,82472a84bcbb4009add338200f8e853fe4c5eafe2e2c3a2d711b85bf29b72d54,C:\Windows\System32\taskhostw.exe,MICROSOFT WINDOWS,system,taskhostw.exe,8648,"7/25/2023, 6:26:34 AM",24DB12F580778F51,sys_win32,23DB12F580778F51,NT AUTHORITY\SYSTEM,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 10:30:03 AM",,,,,,,,1.1.1.15,23,OUTGOING,2.2.2.15,14,,,,,,,,,,,,,,,,,,,,,,,,,,75bf528b-1526-ba0d-f9b8-1974a96d2487,75cd7ac1-1fda-d623-2eeb-83dc0120218e,75bf528b-1526-ba0d-f9b8-1974a96d2487,75cd7ad0-4345-18d1-a5b9-d71c6f5dbfd4,,,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1736872444737646416,Undefined,"7/25/2023, 10:15:22 AM",01H668QFMWS1BRZA6EAHDVWFN0_55,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 10:15:30 AM",STAR,"7/25/2023, 10:15:30 AM",1733309646016098581,IP Connect & IP 
List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED," mount -t nfs -o vers=3,nolock 10.50.3.251: /root/nfsdir",,f6d5066df72ae947089cb3762679c54f61d7c97f,,/usr/bin/mount,,unknown,mount,32168,"7/25/2023, 10:15:07 AM",,unknown,,, /sbin/mount.nfs 10.50.3.251: /root/nfsdir,,2894ddd5adc4c4f89d6171feb966ee8db03e3d48,,/sbin/mount.nfs,,unknown,mount.nfs,32169,"7/25/2023, 10:15:07 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 10:30:03 AM",,,,,,,,1.1.1.16,23,OUTGOING,2.2.2.16,14,,,,,,,,,,,,,,,,,,,,,,,,,,75bf528b-1526-ba0d-f9b8-1974a96d2487,75c81424-5cc1-1e7f-759b-b468bd0aba1c,75bf528b-1526-ba0d-f9b8-1974a96d2487,75c81438-dfdb-a964-e1c3-995f5d9d27d1,,,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1736872477948148980,Undefined,"7/25/2023, 10:15:22 AM",01H668QFMWS1BRZA6EAHDVWFN0_7,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 10:15:34 AM",STAR,"7/25/2023, 10:15:34 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED," mount -t nfs -o vers=3,nolock 10.50.3.251:/ns2/bucket4/ /root/nfsdir",,f6d5066df72ae947089cb3762679c54f61d7c97f,,/usr/bin/mount,,unknown,mount,32151,"7/25/2023, 10:14:44 AM",,unknown,,, /sbin/mount.nfs 10.50.3.251:/ns2/bucket4/ /root/nfsdir,,2894ddd5adc4c4f89d6171feb966ee8db03e3d48,,/sbin/mount.nfs,,unknown,mount.nfs,32152,"7/25/2023, 10:14:44 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 
12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 10:30:03 AM",,,,,,,,1.1.1.17,23,OUTGOING,2.2.2.17,14,,,,,,,,,,,,,,,,,,,,,,,,,,75bf528b-1526-ba0d-f9b8-1974a96d2487,75cb6e81-9423-24c7-acca-7e20e111bbad,75bf528b-1526-ba0d-f9b8-1974a96d2487,75cb6e91-9565-7ee1-8767-b8a1f763de24,,,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1736872503055255672,Undefined,"7/25/2023, 10:15:22 AM",01H668QFMWS1BRZA6EAHDVWFN0_15,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 10:15:37 AM",STAR,"7/25/2023, 10:15:37 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED," mount -t nfs -o vers=3,nolock 10.50.3.251:/ns2/bucket4 /root/nfsdir",,f6d5066df72ae947089cb3762679c54f61d7c97f,,/usr/bin/mount,,unknown,mount,32157,"7/25/2023, 10:14:59 AM",,unknown,,, /sbin/mount.nfs 10.50.3.251:/ns2/bucket4 /root/nfsdir,,2894ddd5adc4c4f89d6171feb966ee8db03e3d48,,/sbin/mount.nfs,,unknown,mount.nfs,32158,"7/25/2023, 10:14:59 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 10:30:03 
AM",,,,,,,,1.1.1.18,23,OUTGOING,2.2.2.18,14,,,,,,,,,,,,,,,,,,,,,,,,,,75bf528b-1526-ba0d-f9b8-1974a96d2487,75cc5c9d-5f8f-28b3-b1fa-4ffaff168531,75bf528b-1526-ba0d-f9b8-1974a96d2487,75cc5cb4-12a0-4cb0-cb0c-5678f97e3718,,,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1736872508449131071,Undefined,"7/25/2023, 10:15:22 AM",01H668QFMWS1BRZA6EAHDVWFN0_51,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 10:15:38 AM",STAR,"7/25/2023, 10:15:38 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED," mount -t nfs -o vers=3,nolock 10.50.3.251:/ns2/ /root/nfsdir",,f6d5066df72ae947089cb3762679c54f61d7c97f,,/usr/bin/mount,,unknown,mount,32166,"7/25/2023, 10:15:03 AM",,unknown,,, /sbin/mount.nfs 10.50.3.251:/ns2/ /root/nfsdir,,2894ddd5adc4c4f89d6171feb966ee8db03e3d48,,/sbin/mount.nfs,,unknown,mount.nfs,32167,"7/25/2023, 10:15:03 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 2:00:04 PM",,,,,,,,1.1.1.19,23,OUTGOING,2.2.2.19,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736978424395258117,Undefined,"7/25/2023, 1:45:59 PM",01H66MS4AHVPK6ZSZA1W047SMR_278,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 1:46:04 PM",STAR,"7/25/2023, 1:46:04 PM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP 
Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Windows\Explorer.EXE,357b678c-68d3-d5ee-86e1-b706fbfd994b,a4e4e2bc502e4ab249b219da357d1aad163ab175,8375581b32e510a1ddf90b1ff8ffb8a756d71e1d5572b1c7c027e9b7393ccd3b,C:\Windows\explorer.exe,MICROSOFT WINDOWS,medium,explorer.exe,14472,"7/25/2023, 5:42:20 AM",FEBB12F580778F51,sys_win32,FDBB12F580778F51,CLO007\Crest,C:\Windows\System32\smartscreen.exe -Embedding,8b71524d-b619-2b9a-1967-1156e27b1826,4549fabd13aaf136087a4501682eb2559eaafdbb,83c9bd1ff0dd424a841cd1b22993e09e16d1339501070613236b0d1f8bff92bc,C:\Windows\System32\smartscreen.exe,MICROSOFT WINDOWS,medium,smartscreen.exe,14528,"7/25/2023, 1:45:28 PM",E0E912F580778F51,sys_win32,DFE912F580778F51,CLO007\Crest,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 2:00:04 PM",,,,,,,,1.1.1.20,23,OUTGOING,2.2.2.20,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736978447346490503,Undefined,"7/25/2023, 1:45:59 PM",01H66MS4AHVPK6ZSZA1W047SMR_22,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 1:46:07 PM",STAR,"7/25/2023, 1:46:07 PM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Users\Crest\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode /installWebView2 
/SetPerProcessSystemDPIForceOffKey /EnableNucleusAutoStartFix,8d5ca829-19d6-6439-685d-dd97dca650c6,81c0122bc0adc75ce71912504b8d72825aecad35,7dfe00a315c1e6956eb32c9d12fc809998590d15de1820b34b6d9ca7aa109b88,C:\Users\Crest\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe,MICROSOFT CORPORATION,medium,OneDriveSetup.exe,5412,"7/25/2023, 5:46:58 AM",70BC12F580778F51,sys_win32,19BF12F580778F51,CLO007\Crest, /updateInstalled /background,174826c7-8c0a-a36d-a145-7e711e4c9e80,56ee9857c7a0643d6f6d5e56c3f4689bb1499829,159e208d7211b71b5dad89771bf1fc047de839bcb8e68475f248a051d2ebaa02,C:\Users\Crest\AppData\Local\Microsoft\OneDrive\OneDrive.exe,MICROSOFT CORPORATION,medium,OneDrive.exe,2204,"7/25/2023, 5:47:11 AM",70BC12F580778F51,sys_win32,42CD12F580778F51,CLO007\Crest,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, \ No newline at end of file diff --git a/Sample Data/ASIM/SentinelOne_CL_Schema.csv b/Sample Data/ASIM/SentinelOne_CL_Schema.csv new file mode 100644 index 00000000000..7432410acb8 --- /dev/null +++ b/Sample Data/ASIM/SentinelOne_CL_Schema.csv 
@@ -0,0 +1,313 @@ +ColumnName,ColumnOrdinal,DataType,ColumnType +TenantId,0,"System.String",string +SourceSystem,1,"System.String",string +MG,2,"System.String",string +ManagementGroupName,3,"System.String",string +TimeGenerated,4,"System.DateTime",datetime +Computer,5,"System.String",string +RawData,6,"System.String",string +"alertInfo_indicatorDescription_s",7,"System.String",string +"alertInfo_indicatorName_s",8,"System.String",string +"targetProcessInfo_tgtFileOldPath_s",9,"System.String",string +"alertInfo_indicatorCategory_s",10,"System.String",string +"alertInfo_registryOldValue_g",11,"System.String",string +"alertInfo_dstIp_s",12,"System.String",string +"alertInfo_dstPort_s",13,"System.String",string +"alertInfo_netEventDirection_s",14,"System.String",string +"alertInfo_srcIp_s",15,"System.String",string +"alertInfo_srcPort_s",16,"System.String",string +"containerInfo_id_s",17,"System.String",string +"targetProcessInfo_tgtFileId_g",18,"System.String",string +"alertInfo_registryOldValue_s",19,"System.String",string +"alertInfo_registryOldValueType_s",20,"System.String",string +"alertInfo_dnsRequest_s",21,"System.String",string +"alertInfo_dnsResponse_s",22,"System.String",string +"alertInfo_registryKeyPath_s",23,"System.String",string +"alertInfo_registryPath_s",24,"System.String",string +"alertInfo_registryValue_g",25,"System.String",string +"ruleInfo_description_s",26,"System.String",string +"alertInfo_registryValue_s",27,"System.String",string +"alertInfo_loginAccountDomain_s",28,"System.String",string +"alertInfo_loginAccountSid_s",29,"System.String",string +"alertInfo_loginIsAdministratorEquivalent_s",30,"System.String",string +"alertInfo_loginIsSuccessful_s",31,"System.String",string +"alertInfo_loginType_s",32,"System.String",string +"alertInfo_loginsUserName_s",33,"System.String",string +"alertInfo_srcMachineIp_s",34,"System.String",string +"targetProcessInfo_tgtProcCmdLine_s",35,"System.String",string 
+"targetProcessInfo_tgtProcImagePath_s",36,"System.String",string +"targetProcessInfo_tgtProcName_s",37,"System.String",string +"targetProcessInfo_tgtProcPid_s",38,"System.String",string +"targetProcessInfo_tgtProcSignedStatus_s",39,"System.String",string +"targetProcessInfo_tgtProcStorylineId_s",40,"System.String",string +"targetProcessInfo_tgtProcUid_s",41,"System.String",string +"sourceParentProcessInfo_storyline_g",42,"System.String",string +"sourceParentProcessInfo_uniqueId_g",43,"System.String",string +"sourceProcessInfo_storyline_g",44,"System.String",string +"sourceProcessInfo_uniqueId_g",45,"System.String",string +"targetProcessInfo_tgtProcStorylineId_g",46,"System.String",string +"targetProcessInfo_tgtProcUid_g",47,"System.String",string +"agentDetectionInfo_machineType_s",48,"System.String",string +"agentDetectionInfo_name_s",49,"System.String",string +"agentDetectionInfo_osFamily_s",50,"System.String",string +"agentDetectionInfo_osName_s",51,"System.String",string +"agentDetectionInfo_osRevision_s",52,"System.String",string +"agentDetectionInfo_uuid_g",53,"System.String",string +"agentDetectionInfo_version_s",54,"System.String",string +"agentRealtimeInfo_id_s",55,"System.String",string +"agentRealtimeInfo_infected_b",56,"System.SByte",bool +"agentRealtimeInfo_isActive_b",57,"System.SByte",bool +"agentRealtimeInfo_isDecommissioned_b",58,"System.SByte",bool +"agentRealtimeInfo_machineType_s",59,"System.String",string +"agentRealtimeInfo_name_s",60,"System.String",string +"agentRealtimeInfo_os_s",61,"System.String",string +"agentRealtimeInfo_uuid_g",62,"System.String",string +"alertInfo_alertId_s",63,"System.String",string +"alertInfo_analystVerdict_s",64,"System.String",string +"alertInfo_createdAt_t",65,"System.DateTime",datetime +"alertInfo_dvEventId_s",66,"System.String",string +"alertInfo_eventType_s",67,"System.String",string +"alertInfo_hitType_s",68,"System.String",string +"alertInfo_incidentStatus_s",69,"System.String",string 
+"alertInfo_isEdr_b",70,"System.SByte",bool +"alertInfo_reportedAt_t",71,"System.DateTime",datetime +"alertInfo_source_s",72,"System.String",string +"alertInfo_updatedAt_t",73,"System.DateTime",datetime +"ruleInfo_id_s",74,"System.String",string +"ruleInfo_name_s",75,"System.String",string +"ruleInfo_queryLang_s",76,"System.String",string +"ruleInfo_queryType_s",77,"System.String",string +"ruleInfo_s1ql_s",78,"System.String",string +"ruleInfo_scopeLevel_s",79,"System.String",string +"ruleInfo_severity_s",80,"System.String",string +"ruleInfo_treatAsThreat_s",81,"System.String",string +"sourceParentProcessInfo_commandline_s",82,"System.String",string +"sourceParentProcessInfo_fileHashMd5_g",83,"System.String",string +"sourceParentProcessInfo_fileHashSha1_s",84,"System.String",string +"sourceParentProcessInfo_fileHashSha256_s",85,"System.String",string +"sourceParentProcessInfo_filePath_s",86,"System.String",string +"sourceParentProcessInfo_fileSignerIdentity_s",87,"System.String",string +"sourceParentProcessInfo_integrityLevel_s",88,"System.String",string +"sourceParentProcessInfo_name_s",89,"System.String",string +"sourceParentProcessInfo_pid_s",90,"System.String",string +"sourceParentProcessInfo_pidStarttime_t",91,"System.DateTime",datetime +"sourceParentProcessInfo_storyline_s",92,"System.String",string +"sourceParentProcessInfo_subsystem_s",93,"System.String",string +"sourceParentProcessInfo_uniqueId_s",94,"System.String",string +"sourceParentProcessInfo_user_s",95,"System.String",string +"sourceProcessInfo_commandline_s",96,"System.String",string +"sourceProcessInfo_fileHashMd5_g",97,"System.String",string +"sourceProcessInfo_fileHashSha1_s",98,"System.String",string +"sourceProcessInfo_fileHashSha256_s",99,"System.String",string +"sourceProcessInfo_filePath_s",100,"System.String",string +"sourceProcessInfo_fileSignerIdentity_s",101,"System.String",string +"sourceProcessInfo_integrityLevel_s",102,"System.String",string 
+"sourceProcessInfo_name_s",103,"System.String",string +"sourceProcessInfo_pid_s",104,"System.String",string +"sourceProcessInfo_pidStarttime_t",105,"System.DateTime",datetime +"sourceProcessInfo_storyline_s",106,"System.String",string +"sourceProcessInfo_subsystem_s",107,"System.String",string +"sourceProcessInfo_uniqueId_s",108,"System.String",string +"sourceProcessInfo_user_s",109,"System.String",string +"targetProcessInfo_tgtFileCreatedAt_t",110,"System.DateTime",datetime +"targetProcessInfo_tgtFileHashSha1_s",111,"System.String",string +"targetProcessInfo_tgtFileHashSha256_s",112,"System.String",string +"targetProcessInfo_tgtFileId_s",113,"System.String",string +"targetProcessInfo_tgtFileIsSigned_s",114,"System.String",string +"targetProcessInfo_tgtFileModifiedAt_t",115,"System.DateTime",datetime +"targetProcessInfo_tgtFilePath_s",116,"System.String",string +"targetProcessInfo_tgtProcIntegrityLevel_s",117,"System.String",string +"targetProcessInfo_tgtProcessStartTime_t",118,"System.DateTime",datetime +"agentUpdatedVersion_s",119,"System.String",string +"agentId_s",120,"System.String",string +"hash_s",121,"System.String",string +"osFamily_s",122,"System.String",string +"threatId_s",123,"System.String",string +"creator_s",124,"System.String",string +"creatorId_s",125,"System.String",string +"inherits_b",126,"System.SByte",bool +"isDefault_b",127,"System.SByte",bool +"name_s",128,"System.String",string +"registrationToken_s",129,"System.String",string +"totalAgents_d",130,"System.Double",real +"type_s",131,"System.String",string +"agentDetectionInfo_accountId_s",132,"System.String",string +"agentDetectionInfo_accountName_s",133,"System.String",string +"agentDetectionInfo_agentDetectionState_s",134,"System.String",string +"agentDetectionInfo_agentDomain_s",135,"System.String",string +"agentDetectionInfo_agentIpV4_s",136,"System.String",string +"agentDetectionInfo_agentIpV6_s",137,"System.String",string 
+"agentDetectionInfo_agentLastLoggedInUserName_s",138,"System.String",string
+"agentDetectionInfo_agentMitigationMode_s",139,"System.String",string
+"agentDetectionInfo_agentOsName_s",140,"System.String",string
+"agentDetectionInfo_agentOsRevision_s",141,"System.String",string
+"agentDetectionInfo_agentRegisteredAt_t",142,"System.DateTime",datetime
+"agentDetectionInfo_agentUuid_g",143,"System.String",string
+"agentDetectionInfo_agentVersion_s",144,"System.String",string
+"agentDetectionInfo_externalIp_s",145,"System.String",string
+"agentDetectionInfo_groupId_s",146,"System.String",string
+"agentDetectionInfo_groupName_s",147,"System.String",string
+"agentDetectionInfo_siteId_s",148,"System.String",string
+"agentDetectionInfo_siteName_s",149,"System.String",string
+"agentRealtimeInfo_accountId_s",150,"System.String",string
+"agentRealtimeInfo_accountName_s",151,"System.String",string
+"agentRealtimeInfo_activeThreats_d",152,"System.Double",real
+"agentRealtimeInfo_agentComputerName_s",153,"System.String",string
+"agentRealtimeInfo_agentDomain_s",154,"System.String",string
+"agentRealtimeInfo_agentId_s",155,"System.String",string
+"agentRealtimeInfo_agentInfected_b",156,"System.SByte",bool
+"agentRealtimeInfo_agentIsActive_b",157,"System.SByte",bool
+"agentRealtimeInfo_agentIsDecommissioned_b",158,"System.SByte",bool
+"agentRealtimeInfo_agentMachineType_s",159,"System.String",string
+"agentRealtimeInfo_agentMitigationMode_s",160,"System.String",string
+"agentRealtimeInfo_agentNetworkStatus_s",161,"System.String",string
+"agentRealtimeInfo_agentOsName_s",162,"System.String",string
+"agentRealtimeInfo_agentOsRevision_s",163,"System.String",string
+"agentRealtimeInfo_agentOsType_s",164,"System.String",string
+"agentRealtimeInfo_agentUuid_g",165,"System.String",string
+"agentRealtimeInfo_agentVersion_s",166,"System.String",string
+"agentRealtimeInfo_groupId_s",167,"System.String",string
+"agentRealtimeInfo_groupName_s",168,"System.String",string
+"agentRealtimeInfo_networkInterfaces_s",169,"System.String",string
+"agentRealtimeInfo_operationalState_s",170,"System.String",string
+"agentRealtimeInfo_rebootRequired_b",171,"System.SByte",bool
+"agentRealtimeInfo_scanFinishedAt_t",172,"System.DateTime",datetime
+"agentRealtimeInfo_scanStartedAt_t",173,"System.DateTime",datetime
+"agentRealtimeInfo_scanStatus_s",174,"System.String",string
+"agentRealtimeInfo_siteId_s",175,"System.String",string
+"agentRealtimeInfo_siteName_s",176,"System.String",string
+"agentRealtimeInfo_userActionsNeeded_s",177,"System.String",string
+"indicators_s",178,"System.String",string
+"mitigationStatus_s",179,"System.String",string
+"threatInfo_analystVerdict_s",180,"System.String",string
+"threatInfo_analystVerdictDescription_s",181,"System.String",string
+"threatInfo_automaticallyResolved_b",182,"System.SByte",bool
+"threatInfo_certificateId_s",183,"System.String",string
+"threatInfo_classification_s",184,"System.String",string
+"threatInfo_classificationSource_s",185,"System.String",string
+"threatInfo_cloudFilesHashVerdict_s",186,"System.String",string
+"threatInfo_collectionId_s",187,"System.String",string
+"threatInfo_confidenceLevel_s",188,"System.String",string
+"threatInfo_createdAt_t",189,"System.DateTime",datetime
+"threatInfo_detectionEngines_s",190,"System.String",string
+"threatInfo_detectionType_s",191,"System.String",string
+"threatInfo_engines_s",192,"System.String",string
+"threatInfo_externalTicketExists_b",193,"System.SByte",bool
+"threatInfo_failedActions_b",194,"System.SByte",bool
+"threatInfo_fileExtension_s",195,"System.String",string
+"threatInfo_fileExtensionType_s",196,"System.String",string
+"threatInfo_filePath_s",197,"System.String",string
+"threatInfo_fileSize_d",198,"System.Double",real
+"threatInfo_fileVerificationType_s",199,"System.String",string
+"threatInfo_identifiedAt_t",200,"System.DateTime",datetime
+"threatInfo_incidentStatus_s",201,"System.String",string
+"threatInfo_incidentStatusDescription_s",202,"System.String",string
+"threatInfo_initiatedBy_s",203,"System.String",string
+"threatInfo_initiatedByDescription_s",204,"System.String",string
+"threatInfo_isFileless_b",205,"System.SByte",bool
+"threatInfo_isValidCertificate_b",206,"System.SByte",bool
+"threatInfo_mitigatedPreemptively_b",207,"System.SByte",bool
+"threatInfo_mitigationStatus_s",208,"System.String",string
+"threatInfo_mitigationStatusDescription_s",209,"System.String",string
+"threatInfo_originatorProcess_s",210,"System.String",string
+"threatInfo_pendingActions_b",211,"System.SByte",bool
+"threatInfo_processUser_s",212,"System.String",string
+"threatInfo_publisherName_s",213,"System.String",string
+"threatInfo_reachedEventsLimit_b",214,"System.SByte",bool
+"threatInfo_rebootRequired_b",215,"System.SByte",bool
+"threatInfo_sha1_s",216,"System.String",string
+"threatInfo_storyline_s",217,"System.String",string
+"threatInfo_threatId_s",218,"System.String",string
+"threatInfo_threatName_s",219,"System.String",string
+"threatInfo_updatedAt_t",220,"System.DateTime",datetime
+"whiteningOptions_s",221,"System.String",string
+"threatInfo_maliciousProcessArguments_s",222,"System.String",string
+"threatInfo_fileExtension_g",223,"System.String",string
+"threatInfo_threatName_g",224,"System.String",string
+"threatInfo_storyline_g",225,"System.String",string
+"accountId_s",226,"System.String",string
+"accountName_s",227,"System.String",string
+"activityType_d",228,"System.Double",real
+"activityUuid_g",229,"System.String",string
+"createdAt_t",230,"System.DateTime",datetime
+"id_s",231,"System.String",string
+"primaryDescription_s",232,"System.String",string
+"secondaryDescription_s",233,"System.String",string
+"siteId_s",234,"System.String",string
+"siteName_s",235,"System.String",string
+"updatedAt_t",236,"System.DateTime",datetime
+"userId_s",237,"System.String",string
+"event_name_s",238,"System.String",string
+"DataFields_s",239,"System.String",string
+"description_s",240,"System.String",string
+"comments_s",241,"System.String",string
+"activeDirectory_computerMemberOf_s",242,"System.String",string
+"activeDirectory_lastUserMemberOf_s",243,"System.String",string
+"activeThreats_d",244,"System.Double",real
+"agentVersion_s",245,"System.String",string
+"allowRemoteShell_b",246,"System.SByte",bool
+"appsVulnerabilityStatus_s",247,"System.String",string
+"computerName_s",248,"System.String",string
+"consoleMigrationStatus_s",249,"System.String",string
+"coreCount_d",250,"System.Double",real
+"cpuCount_d",251,"System.Double",real
+"cpuId_s",252,"System.String",string
+"detectionState_s",253,"System.String",string
+"domain_s",254,"System.String",string
+"encryptedApplications_b",255,"System.SByte",bool
+"externalId_s",256,"System.String",string
+"externalIp_s",257,"System.String",string
+"firewallEnabled_b",258,"System.SByte",bool
+"firstFullModeTime_t",259,"System.DateTime",datetime
+"fullDiskScanLastUpdatedAt_t",260,"System.DateTime",datetime
+"groupId_s",261,"System.String",string
+"groupIp_s",262,"System.String",string
+"groupName_s",263,"System.String",string
+"inRemoteShellSession_b",264,"System.SByte",bool
+"infected_b",265,"System.SByte",bool
+"installerType_s",266,"System.String",string
+"isActive_b",267,"System.SByte",bool
+"isDecommissioned_b",268,"System.SByte",bool
+"isPendingUninstall_b",269,"System.SByte",bool
+"isUninstalled_b",270,"System.SByte",bool
+"isUpToDate_b",271,"System.SByte",bool
+"lastActiveDate_t",272,"System.DateTime",datetime
+"lastIpToMgmt_s",273,"System.String",string
+"lastLoggedInUserName_s",274,"System.String",string
+"licenseKey_s",275,"System.String",string
+"locationEnabled_b",276,"System.SByte",bool
+"locationType_s",277,"System.String",string
+"locations_s",278,"System.String",string
+"machineType_s",279,"System.String",string
+"mitigationMode_s",280,"System.String",string
+"mitigationModeSuspicious_s",281,"System.String",string
+"modelName_s",282,"System.String",string
+"networkInterfaces_s",283,"System.String",string
+"networkQuarantineEnabled_b",284,"System.SByte",bool
+"networkStatus_s",285,"System.String",string
+"operationalState_s",286,"System.String",string
+"osArch_s",287,"System.String",string
+"osName_s",288,"System.String",string
+"osRevision_s",289,"System.String",string
+"osStartTime_t",290,"System.DateTime",datetime
+"osType_s",291,"System.String",string
+"rangerStatus_s",292,"System.String",string
+"rangerVersion_s",293,"System.String",string
+"registeredAt_t",294,"System.DateTime",datetime
+"remoteProfilingState_s",295,"System.String",string
+"scanFinishedAt_t",296,"System.DateTime",datetime
+"scanStartedAt_t",297,"System.DateTime",datetime
+"scanStatus_s",298,"System.String",string
+"serialNumber_s",299,"System.String",string
+"showAlertIcon_b",300,"System.SByte",bool
+"tags_sentinelone_s",301,"System.String",string
+"threatRebootRequired_b",302,"System.SByte",bool
+"totalMemory_d",303,"System.Double",real
+"userActionsNeeded_s",304,"System.String",string
+"uuid_g",305,"System.String",string
+"osUsername_s",306,"System.String",string
+"scanAbortedAt_t",307,"System.DateTime",datetime
+"activeDirectory_computerDistinguishedName_s",308,"System.String",string
+"activeDirectory_lastUserDistinguishedName_s",309,"System.String",string
+Type,310,"System.String",string
+"_ResourceId",311,"System.String",string From 0edb54707db11781399cf816e25372709d86dc1e Mon Sep 17 00:00:00 2001
From: Jayesh Prajapati Date: Thu, 24 Aug 2023 22:42:45 +0530 Subject: [PATCH 2/4] Fixed the suggested review1 changes and added RAW log files for sentinel one. --- .../CustomTables/SentinelOne_CL.json | 4 + .../ASimNetworkSessionSentinelOne.yaml | 34 +- .../Parsers/vimNetworkSessionSentinelOne.yaml | 34 +- ...entinelOne_ASimNetworkSession_DataTest.csv | 5 +- ...tinelOne_ASimNetworkSession_SchemaTest.csv | 6 +- ...SentinelOne_vimNetworkSession_DataTest.csv | 5 +- ...ntinelOne_vimNetworkSession_SchemaTest.csv | 6 +- ...entinelOne_ASimNetworkSession_RawLogs.json | 6042 +++++++++++++++++ Sample Data/ASIM/SentinelOne_CL_Schema.csv | 1 + 9 files changed, 6093 insertions(+), 44 deletions(-) create mode 100644 Sample Data/ASIM/SentinelOne_ASimNetworkSession_RawLogs.json diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json index a240d92d89b..52fd5c3a423 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json @@ -1284,6 +1284,10 @@ { "Name": "scanAbortedAt_t", "Type": "datetime" + }, + { + "Name": "_ItemId", + "Type": "string" } ] } \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionSentinelOne.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionSentinelOne.yaml index 150be2a66da..6623d0d68de 100644 --- a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionSentinelOne.yaml +++ b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionSentinelOne.yaml @@ -1,6 +1,6 @@ Parser: Title: Network Session ASIM filtering parser for SentinelOne - Version: '0.1.1' + Version: '0.1.0' LastUpdated: Jul 27 2023 Product: Name: SentinelOne 
@@ -17,7 +17,7 @@ References: Description: | This ASIM parser supports normalizing SentinelOne logs to the ASIM Network Session normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API. ParserName: ASimNetworkSessionSentinelOne -EquivalentBuiltInParser: _Im_NetworkSession_SentinelOne +EquivalentBuiltInParser: _ASim_NetworkSession_SentinelOne ParserParams: - Name: disabled Type: bool 
@@ -30,30 +30,33 @@ ParserQuery: | "OUTGOING", "Outbound", "INCOMING", "Inbound", ]; + let DeviceTypeLookup = datatable (agentDetectionInfo_machineType_s: string, SrcDeviceType: string) + [ + "desktop", "Computer", + "server", "Computer", + "laptop", "Computer", + "kubernetes node", "Other", + "unknown", "Other" + ]; let parser = (disabled: bool=false) { SentinelOne_CL | where not(disabled) and event_name_s == "Alerts." and alertInfo_eventType_s == "TCPV4" | lookup NetworkDirectionLookup on alertInfo_netEventDirection_s + | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s + | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s') | extend DstPortNumber = toint(alertInfo_dstPort_s), - SrcPortNumber = toint(alertInfo_srcPort_s), - AdditionalFields = bag_pack( - "MachineType", - agentDetectionInfo_machineType_s, - "OsRevision", - agentDetectionInfo_osRevision_s - ) + SrcPortNumber = toint(alertInfo_srcPort_s) | project-rename EventStartTime = sourceProcessInfo_pidStarttime_t, DstIpAddr = alertInfo_dstIp_s, - DvcHostname = agentDetectionInfo_name_s, - EventUid = _ResourceId, + EventUid = _ItemId, SrcIpAddr = alertInfo_srcIp_s, DvcId = agentDetectionInfo_uuid_g, DvcOs = agentDetectionInfo_osName_s, - DvcOsVersion = agentDetectionInfo_version_s, + DvcOsVersion = agentDetectionInfo_osRevision_s, EventOriginalSeverity = ruleInfo_severity_s, EventOriginalUid = alertInfo_dvEventId_s, SrcProcessName = sourceProcessInfo_name_s, 
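Review bot: The new `| lookup DeviceTypeLookup on agentDetectionInfo_machineType_s` only matches the five lowercase keys declared in the datatable, and `lookup` compares strings case-sensitively, so any other or differently-cased machineType value silently leaves SrcDeviceType empty instead of mapping to "Other". The raw sample added in this PR carries a lowercase `"server"`, so this may not bite today, but a normalisation step before the join, `| extend agentDetectionInfo_machineType_s = tolower(agentDetectionInfo_machineType_s)`, plus a one-line comment on the datatable stating that unlisted values yield an empty SrcDeviceType, would make the behaviour explicit. The same datatable and lookup are added to vimNetworkSessionSentinelOne.yaml in its @@ -57,6 +57,14 @@ and @@ -99,24 +107,19 @@ hunks and need the same treatment.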
@@ -72,14 +75,16 @@ ParserQuery: | DvcIdType = iff(isnotempty(DvcId), "Other", ""), SrcUsernameType = _ASIM_GetUsernameType(SrcUsername) | extend - Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr) + Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr), + Hostname = SrcHostname | extend EventCount = int(1), EventProduct = "SentinelOne", EventResult = "Success", + DvcAction = "Allow", EventSchema = "NetworkSession", EventSchemaVersion = "0.2.6", - EventResultDetails = "Unknown", + EventResultDetails = "NA", EventType = "EndpointNetworkSession", EventVendor = "SentinelOne", NetworkProtocol = "TCP", @@ -90,6 +95,7 @@ ParserQuery: | *_g, *_t, *_b, + _ResourceId, TenantId, RawData, Computer, diff --git a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml index 4d91207b245..ca8ecb5852c 100644 --- a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml +++ b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml @@ -1,6 +1,6 @@ Parser: Title: Network Session ASIM filtering parser for SentinelOne - Version: '0.1.1' + Version: '0.1.0' LastUpdated: Jul 27 2023 Product: Name: SentinelOne @@ -57,6 +57,14 @@ ParserQuery: | "OUTGOING", "Outbound", "INCOMING", "Inbound", ]; + let DeviceTypeLookup = datatable (agentDetectionInfo_machineType_s: string, SrcDeviceType: string) + [ + "desktop", "Computer", + "server", "Computer", + "laptop", "Computer", + "kubernetes node", "Other", + "unknown", "Other" + ]; let parser=( disabled: bool=false, starttime: datetime=datetime(null), 
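Review bot: `DvcAction = "Allow"` is now a constant on every output row, but the rows this parser selects are STAR alert records (the `event_name_s == "Alerts."` and `alertInfo_eventType_s == "TCPV4"` filter in the earlier @@ -30 hunk of this file), and nothing in the record used here carries an allow/block verdict, so the constant asserts that the endpoint permitted the connection rather than reporting it. If that is the intended reading of these alerts, say so next to the assignment, e.g. `// Alert records describe an observed connection; SentinelOne reports no block verdict here, so DvcAction is fixed to "Allow"`, because the vim parser's new `dvcaction has_any ("Allow")` filter in the @@ -80,7 +88,7 @@ hunk now depends on this value. The same constant is added to vimNetworkSessionSentinelOne.yaml in the @@ -135,14 +138,16 @@ hunk. The enclosing extend chain starts and ends outside this hunk.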
@@ -80,7 +88,7 @@ ParserQuery: | and (eventresult == "*" or eventresult == "Success") and (isnull(dstportnumber) or toint(alertInfo_dstPort_s) == dstportnumber) and (array_length(hostname_has_any) == 0 or agentDetectionInfo_name_s has_any (hostname_has_any)) - and array_length(dvcaction) == 0 + and (array_length(dvcaction) == 0 or dvcaction has_any ("Allow")) | extend temp_SrcMatch = has_any_ipv4_prefix(alertInfo_srcIp_s, src_or_any), temp_DstMatch = has_any_ipv4_prefix(alertInfo_dstIp_s, dst_or_any) @@ -99,24 +107,19 @@ ParserQuery: | ASimMatchingHostname = "SrcHostname" | where ASimMatchingIpAddr != "No match" | lookup NetworkDirectionLookup on alertInfo_netEventDirection_s + | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s + | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s') | extend DstPortNumber = toint(alertInfo_dstPort_s), - SrcPortNumber = toint(alertInfo_srcPort_s), - AdditionalFields = bag_pack( - "MachineType", - agentDetectionInfo_machineType_s, - "OsRevision", - agentDetectionInfo_osRevision_s - ) + SrcPortNumber = toint(alertInfo_srcPort_s) | project-rename EventStartTime = sourceProcessInfo_pidStarttime_t, DstIpAddr = alertInfo_dstIp_s, - DvcHostname = agentDetectionInfo_name_s, - EventUid = _ResourceId, + EventUid = _ItemId, SrcIpAddr = alertInfo_srcIp_s, DvcId = agentDetectionInfo_uuid_g, DvcOs = agentDetectionInfo_osName_s, - DvcOsVersion = agentDetectionInfo_version_s, + DvcOsVersion = agentDetectionInfo_osRevision_s, EventOriginalSeverity = ruleInfo_severity_s, EventOriginalUid = alertInfo_dvEventId_s, SrcProcessName = sourceProcessInfo_name_s, 
@@ -135,14 +138,16 @@ ParserQuery: | DvcIdType = iff(isnotempty(DvcId), "Other", ""), SrcUsernameType = _ASIM_GetUsernameType(SrcUsername) | extend - Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr) + Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr), + Hostname = SrcHostname | extend EventCount = int(1), EventProduct = "SentinelOne", EventResult = "Success", + DvcAction = "Allow", EventSchema = "NetworkSession", EventSchemaVersion = "0.2.6", - EventResultDetails = "Unknown", + EventResultDetails = "NA", EventType = "EndpointNetworkSession", EventVendor = "SentinelOne", NetworkProtocol = "TCP", @@ -153,6 +158,7 @@ ParserQuery: | *_g, *_t, *_b, + _ResourceId, temp*, TenantId, RawData, diff --git a/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_DataTest.csv b/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_DataTest.csv index 10ca146e0a8..21dc08043a4 100644 --- a/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_DataTest.csv +++ b/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_DataTest.csv 
@@ -1,8 +1,7 @@ Result "(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)" "(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)" -"(0) Error: 1 invalid value(s) (up to 10 listed) in 9664 records (84.91%) for field [DvcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:NetworkSession)" -"(0) Error: 1 invalid value(s) (up to 10 listed) in 9664 records (84.91%) for field [SrcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:NetworkSession)" "(2) Info: Empty value in 10986 records (96.52%) in optional field [SrcUsername] (Schema:NetworkSession)" -"(2) Info: Empty value in 11382 records (100.0%) in recommended field [EventUid] (Schema:NetworkSession)" +"(2) Info: Empty value in 1718 records (15.09%) in optional field [DvcFQDN] (Schema:NetworkSession)" +"(2) Info: Empty value in 1718 records (15.09%) in recommended field [DvcDomain] (Schema:NetworkSession)" "(2) Info: Empty value in 2 records (0.02%) in optional field [SrcProcessName] (Schema:NetworkSession)" diff --git a/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_SchemaTest.csv b/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_SchemaTest.csv index 193b198240e..a4589594eac 100644 --- a/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_SchemaTest.csv +++ b/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_SchemaTest.csv 
@@ -3,13 +3,13 @@ "(1) Warning: Missing recommended field [ASimMatchingIpAddr]" "(1) Warning: Missing recommended field [DstDomain]" "(1) Warning: Missing recommended field [DstHostname]" -"(1) Warning: Missing recommended field [DvcDomain]" "(1) Warning: Missing recommended field [SrcDomain]" "(2) Info: Missing optional alias [Duration] aliasing non-existent column [NetworkDuration]" "(2) Info: Missing optional alias [InnerVlanId] aliasing non-existent column [SrcVlanId]" "(2) Info: Missing optional alias [OuterVlanId] aliasing non-existent column [DstVlanId]" "(2) Info: Missing optional alias [SessionId] aliasing non-existent column [NetworkSessionId]" "(2) Info: Missing optional alias [User] aliasing non-existent column [DstUsername]" +"(2) Info: Missing optional field [AdditionalFields]" "(2) Info: Missing optional field [DstAppId]" "(2) Info: Missing optional field [DstAppName]" "(2) Info: Missing optional field [DstAppType]" @@ -39,9 +39,7 @@ "(2) Info: Missing optional field [DstUsername]" "(2) Info: Missing optional field [DstVlanId]" "(2) Info: Missing optional field [DstZone]" -"(2) Info: Missing optional field [DvcAction]" "(2) Info: Missing optional field [DvcDescription]" -"(2) Info: Missing optional field [DvcFQDN]" "(2) Info: Missing optional field [DvcInboundInterface]" "(2) Info: Missing optional field [DvcInterface]" "(2) Info: Missing optional field [DvcMacAddr]" @@ -74,7 +72,6 @@ "(2) Info: Missing optional field [SrcAppType]" "(2) Info: Missing optional field [SrcBytes]" "(2) Info: Missing optional field [SrcDescription]" -"(2) Info: Missing optional field [SrcDeviceType]" "(2) Info: Missing optional field [SrcFQDN]" "(2) Info: Missing optional field [SrcGeoCity]" "(2) Info: Missing optional field [SrcGeoCountry]" 
@@ -111,4 +108,3 @@ "(2) Info: Missing optional field [ThreatOriginalConfidence]" "(2) Info: Missing optional field [ThreatOriginalRiskLevel]" "(2) Info: Missing optional field [ThreatRiskLevel]" -"(2) Info: Missing recommended alias [Hostname] aliasing non-existent column [DstHostname]" diff --git a/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_DataTest.csv b/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_DataTest.csv index 10ca146e0a8..21dc08043a4 100644 --- a/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_DataTest.csv +++ b/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_DataTest.csv @@ -1,8 +1,7 @@ Result "(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)" "(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)" -"(0) Error: 1 invalid value(s) (up to 10 listed) in 9664 records (84.91%) for field [DvcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:NetworkSession)" -"(0) Error: 1 invalid value(s) (up to 10 listed) in 9664 records (84.91%) for field [SrcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:NetworkSession)" "(2) Info: Empty value in 10986 records (96.52%) in optional field [SrcUsername] (Schema:NetworkSession)" -"(2) Info: Empty value in 11382 records (100.0%) in recommended field [EventUid] (Schema:NetworkSession)" +"(2) Info: Empty value in 1718 records (15.09%) in optional field [DvcFQDN] (Schema:NetworkSession)" +"(2) Info: Empty value in 1718 records (15.09%) in recommended field [DvcDomain] (Schema:NetworkSession)" "(2) Info: Empty value in 2 records (0.02%) in optional field [SrcProcessName] (Schema:NetworkSession)" 
diff --git a/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_SchemaTest.csv b/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_SchemaTest.csv index f2db7436c48..a8589c94648 100644 --- a/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_SchemaTest.csv +++ b/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_SchemaTest.csv @@ -1,13 +1,13 @@ Result "(1) Warning: Missing recommended field [DstDomain]" "(1) Warning: Missing recommended field [DstHostname]" -"(1) Warning: Missing recommended field [DvcDomain]" "(1) Warning: Missing recommended field [SrcDomain]" "(2) Info: Missing optional alias [Duration] aliasing non-existent column [NetworkDuration]" "(2) Info: Missing optional alias [InnerVlanId] aliasing non-existent column [SrcVlanId]" "(2) Info: Missing optional alias [OuterVlanId] aliasing non-existent column [DstVlanId]" "(2) Info: Missing optional alias [SessionId] aliasing non-existent column [NetworkSessionId]" "(2) Info: Missing optional alias [User] aliasing non-existent column [DstUsername]" +"(2) Info: Missing optional field [AdditionalFields]" "(2) Info: Missing optional field [DstAppId]" "(2) Info: Missing optional field [DstAppName]" "(2) Info: Missing optional field [DstAppType]" @@ -37,9 +37,7 @@ "(2) Info: Missing optional field [DstUsername]" "(2) Info: Missing optional field [DstVlanId]" "(2) Info: Missing optional field [DstZone]" -"(2) Info: Missing optional field [DvcAction]" "(2) Info: Missing optional field [DvcDescription]" -"(2) Info: Missing optional field [DvcFQDN]" "(2) Info: Missing optional field [DvcInboundInterface]" "(2) Info: Missing optional field [DvcInterface]" "(2) Info: Missing optional field [DvcMacAddr]" 
@@ -72,7 +70,6 @@ "(2) Info: Missing optional field [SrcAppType]" "(2) Info: Missing optional field [SrcBytes]" "(2) Info: Missing optional field [SrcDescription]" -"(2) Info: Missing optional field [SrcDeviceType]" "(2) Info: Missing optional field [SrcFQDN]" "(2) Info: Missing optional field [SrcGeoCity]" "(2) Info: Missing optional field [SrcGeoCountry]" @@ -109,4 +106,3 @@ "(2) Info: Missing optional field [ThreatOriginalConfidence]" "(2) Info: Missing optional field [ThreatOriginalRiskLevel]" "(2) Info: Missing optional field [ThreatRiskLevel]" -"(2) Info: Missing recommended alias [Hostname] aliasing non-existent column [DstHostname]" diff --git a/Sample Data/ASIM/SentinelOne_ASimNetworkSession_RawLogs.json b/Sample Data/ASIM/SentinelOne_ASimNetworkSession_RawLogs.json new file mode 100644 index 00000000000..7155625710d --- /dev/null +++ b/Sample Data/ASIM/SentinelOne_ASimNetworkSession_RawLogs.json 
@@ -0,0 +1,6042 @@ +[ + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 5:10:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "0f81ec00-9e52-48e6-b899-eb3bbeede741", + "alertInfo_dstIp": "1.1.1.1", + "alertInfo_dstPort": 21, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.1", + "alertInfo_srcPort": 11, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "73ffd9f9-7430-51bf-89fd-275f31272868", + "targetProcessInfo_tgtProcUid": "73ffdf8e-0a44-5079-fd74-243fc15cbe7e", + "sourceParentProcessInfo_storyline": "73ffdf8e-0a44-5079-fd74-243fc15cbe7c", + "sourceParentProcessInfo_uniqueId": "73ffdf8e-0a44-5079-fd74-243fc15cbe7d", + "sourceProcessInfo_storyline": "73ffdf8e-0a33-5079-fd74-243fc15cbe7c", + "sourceProcessInfo_uniqueId": "73ffdf8e-0a22-5079-fd74-243fc15cbe7c", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": 
"Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1736709934432915500, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 4:52:24 AM", + "alertInfo_dvEventId": "01H65P81VTDWS403SH4ZN0JS9T_0", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 4:52:37 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 4:52:37 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/lib/systemd/systemd --switched-root --system --deserialize 22", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "d00e622d514a3351de5cede74496dd50c65fbabb", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/lib/systemd/systemd", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "systemd", + "sourceParentProcessInfo_pid": 1, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/24/2023, 
4:49:44 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/local/demisto/d1_Test2/d1", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "27141d28091ab8527a01da1f02a2e8cf5a2bc95a", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/local/demisto/d1_Test2/d1", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "d1", + "sourceProcessInfo_pid": 1279, + "sourceProcessInfo_pidStarttime [UTC]": "7/24/2023, 4:50:27 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + 
"agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + 
"threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": 
"", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "AC644457DCBAD901", + "alertInfo_dstIp": "1.1.1.2", + "alertInfo_dstPort": 22, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.2", + "alertInfo_srcPort": 12, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "FB4511F580778F51", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + 
"alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "433C0EF580778F52", + "targetProcessInfo_tgtProcUid": "433C0EF580778F53", + "sourceParentProcessInfo_storyline": "433C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "423C0EF580778F51", + "sourceProcessInfo_storyline": "D83C0EF580778F51", + "sourceProcessInfo_uniqueId": "D73C0EF580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736738442842154200, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:10 AM", + "alertInfo_dvEventId": "01H65SG50RP78BRBAJ4ZGDQGGF_10", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:16 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:16 AM", + "ruleInfo_id": 1733309646016098600, + 
"ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Windows\\system32\\services.exe", + "sourceParentProcessInfo_fileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "sourceParentProcessInfo_fileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "sourceParentProcessInfo_fileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\services.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS PUBLISHER", + "sourceParentProcessInfo_integrityLevel": "system", + "sourceParentProcessInfo_name": "services.exe", + "sourceParentProcessInfo_pid": 8, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "sourceProcessInfo_commandline": "C:\\Windows\\System32\\svchost.exe -k netprofm -p -s netprofm", + "sourceProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536", + "sourceProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81", + "sourceProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "system", + "sourceProcessInfo_name": "svchost.exe", + "sourceProcessInfo_pid": 2084, + "sourceProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "NT AUTHORITY\\NETWORK SERVICE", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + 
"targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + 
"agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + 
"threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": 
"", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.3", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.3", + "alertInfo_srcPort": 13, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "73ffdfe3-1bbd-6667-6750-684c8ca1c402", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "78d7744d-2837-40d2-aff4-bede5877836e", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "433C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "423C0EF580778F51", + "sourceProcessInfo_storyline": "553D0EF580778F51", + "sourceProcessInfo_uniqueId": "543D0EF580778F51", + 
"agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736738444335326700, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:14 AM", + "alertInfo_dvEventId": "01H65SGAGCE4JDGCGC1GCKNT9S_22", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:16 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:16 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Windows\\system32\\services.exe", + "sourceParentProcessInfo_fileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "sourceParentProcessInfo_fileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "sourceParentProcessInfo_fileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\services.exe", + "sourceParentProcessInfo_fileSignerIdentity": 
"MICROSOFT WINDOWS PUBLISHER", + "sourceParentProcessInfo_integrityLevel": "system", + "sourceParentProcessInfo_name": "services.exe", + "sourceParentProcessInfo_pid": 8, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "sourceProcessInfo_commandline": "C:\\Windows\\System32\\svchost.exe -k utcsvc -p", + "sourceProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536", + "sourceProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81", + "sourceProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "system", + "sourceProcessInfo_name": "svchost.exe", + "sourceProcessInfo_pid": 4604, + "sourceProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:49 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": 
"", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + 
"threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + 
"detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.4", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": 
"2.2.2.4", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "svchost.exe,FrameServer", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "9C8612F580778F51", + "sourceParentProcessInfo_uniqueId": "9B8612F580778F51", + "sourceProcessInfo_storyline": "CD8712F580778F51", + "sourceProcessInfo_uniqueId": "CC8712F580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736738445736224300, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:09 AM", + "alertInfo_dvEventId": 
"01H65SG2PQ023350V5K0TTCRKP_16", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:16 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:16 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "sihost.exe", + "sourceParentProcessInfo_fileHashMd5": "e5a23407-157b-23f3-c244-1d412163e4ee", + "sourceParentProcessInfo_fileHashSha1": "e8d9750e757e5b580c56521a81ed0cc41d327d82", + "sourceParentProcessInfo_fileHashSha256": "51eb6455bdca85d3102a00b1ce89969016efc3ed8b08b24a2aa10e03ba1e2b13", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\sihost.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceParentProcessInfo_integrityLevel": "medium", + "sourceParentProcessInfo_name": "sihost.exe", + "sourceParentProcessInfo_pid": 3160, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/21/2023, 4:49:44 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "CLO007\\Crest", + "sourceProcessInfo_commandline": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\SearchHost.exe\" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca", + "sourceProcessInfo_fileHashMd5": "0d7ce0d4-741a-a223-0f5a-618a796f4739", + "sourceProcessInfo_fileHashSha1": "f456a426618804abec06fd5883219c4c6eace180", + "sourceProcessInfo_fileHashSha256": "8b5b969143e22d8f27d919948e30aff8594c15c3c69b42bbafa23551e1dc0c68", + "sourceProcessInfo_filePath": 
"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\SearchHost.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "low", + "sourceProcessInfo_name": "SearchHost.exe", + "sourceProcessInfo_pid": 1160, + "sourceProcessInfo_pidStarttime [UTC]": "7/21/2023, 4:49:46 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "CLO007\\Crest", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + 
"agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + 
"threatInfo_initiatedByDescription": "",
+ "threatInfo_isFileless": "",
+ "threatInfo_isValidCertificate": "",
+ "threatInfo_mitigatedPreemptively": "",
+ "threatInfo_mitigationStatus": "",
+ "threatInfo_mitigationStatusDescription": "",
+ "threatInfo_originatorProcess": "",
+ "threatInfo_pendingActions": "",
+ "threatInfo_processUser": "",
+ "threatInfo_publisherName": "",
+ "threatInfo_reachedEventsLimit": "",
+ "threatInfo_rebootRequired": "",
+ "threatInfo_sha1": "",
+ "threatInfo_storyline": "",
+ "threatInfo_threatId": "",
+ "threatInfo_threatName": "",
+ "threatInfo_updatedAt [UTC]": "",
+ "whiteningOptions": "",
+ "threatInfo_maliciousProcessArguments": "",
+ "accountId": "",
+ "accountName": "",
+ "activityType": "",
+ "activityUuid": "",
+ "createdAt [UTC]": "",
+ "id": "",
+ "primaryDescription": "",
+ "secondaryDescription": "",
+ "siteId": "",
+ "siteName": "",
+ "updatedAt [UTC]": "",
+ "userId": "",
+ "event_name": "Alerts.",
+ "DataFields": "",
+ "description": "",
+ "comments": "",
+ "activeDirectory_computerMemberOf": "",
+ "activeDirectory_lastUserMemberOf": "",
+ "activeThreats": "",
+ "agentVersion": "",
+ "allowRemoteShell": "",
+ "appsVulnerabilityStatus": "",
+ "computerName": "",
+ "consoleMigrationStatus": "",
+ "coreCount": "",
+ "cpuCount": "",
+ "cpuId": "",
+ "detectionState": "",
+ "domain": "",
+ "encryptedApplications": "",
+ "externalId": "",
+ "externalIp": "",
+ "firewallEnabled": "",
+ "firstFullModeTime [UTC]": "",
+ "fullDiskScanLastUpdatedAt [UTC]": "",
+ "groupId": "",
+ "groupIp": "",
+ "groupName": "",
+ "inRemoteShellSession": "",
+ "infected": "",
+ "installerType": "",
+ "isActive": "",
+ "isDecommissioned": "",
+ "isPendingUninstall": "",
+ "isUninstalled": "",
+ "isUpToDate": "",
+ "lastActiveDate [UTC]": "",
+ "lastIpToMgmt": "",
+ "lastLoggedInUserName": "",
+ "licenseKey": "",
+ "locationEnabled": "",
+ "locationType": "",
+ "locations": "",
+ "machineType": "",
+ "mitigationMode": "",
+ "mitigationModeSuspicious": 
"",
+ "modelName": "",
+ "networkInterfaces": "",
+ "networkQuarantineEnabled": "",
+ "networkStatus": "",
+ "operationalState": "",
+ "osArch": "",
+ "osName": "",
+ "osRevision": "",
+ "osStartTime [UTC]": "",
+ "osType": "",
+ "rangerStatus": "",
+ "rangerVersion": "",
+ "registeredAt [UTC]": "",
+ "remoteProfilingState": "",
+ "scanFinishedAt [UTC]": "",
+ "scanStartedAt [UTC]": "",
+ "scanStatus": "",
+ "serialNumber": "",
+ "showAlertIcon": "",
+ "tags_sentinelone": "",
+ "threatRebootRequired": "",
+ "totalMemory": "",
+ "userActionsNeeded": "",
+ "uuid": "",
+ "osUsername": "",
+ "scanAbortedAt [UTC]": "",
+ "activeDirectory_computerDistinguishedName": "",
+ "activeDirectory_lastUserDistinguishedName": "",
+ "Type": "SentinelOne_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "1a0e2567-2e58-4989-ad18-206108185325",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM",
+ "Computer": "",
+ "RawData": "",
+ "alertInfo_indicatorDescription": "",
+ "alertInfo_indicatorName": "",
+ "targetProcessInfo_tgtFileOldPath": "",
+ "alertInfo_indicatorCategory": "",
+ "alertInfo_registryOldValue": "",
+ "alertInfo_dstIp": "1.1.1.5",
+ "alertInfo_dstPort": 23,
+ "alertInfo_netEventDirection": "OUTGOING",
+ "alertInfo_srcIp": "2.2.2.5",
+ "alertInfo_srcPort": 14,
+ "containerInfo_id": "",
+ "targetProcessInfo_tgtFileId": "",
+ "alertInfo_registryOldValueType": "",
+ "alertInfo_dnsRequest": "",
+ "alertInfo_dnsResponse": "",
+ "alertInfo_registryKeyPath": "",
+ "alertInfo_registryPath": "",
+ "alertInfo_registryValue": "",
+ "ruleInfo_description": "",
+ "alertInfo_loginAccountDomain": "",
+ "alertInfo_loginAccountSid": "",
+ "alertInfo_loginIsAdministratorEquivalent": "",
+ "alertInfo_loginIsSuccessful": "",
+ "alertInfo_loginType": "",
+ "alertInfo_loginsUserName": "",
+ "alertInfo_srcMachineIp": "",
+ "targetProcessInfo_tgtProcCmdLine": "",
+ "targetProcessInfo_tgtProcImagePath": "",
+ 
"targetProcessInfo_tgtProcName": "",
+ "targetProcessInfo_tgtProcPid": "",
+ "targetProcessInfo_tgtProcSignedStatus": "",
+ "targetProcessInfo_tgtProcStorylineId": "",
+ "targetProcessInfo_tgtProcUid": "",
+ "sourceParentProcessInfo_storyline": "433C0EF580778F51",
+ "sourceParentProcessInfo_uniqueId": "423C0EF580778F51",
+ "sourceProcessInfo_storyline": "B83C0EF580778F51",
+ "sourceProcessInfo_uniqueId": "B73C0EF580778F51",
+ "agentDetectionInfo_machineType": "laptop",
+ "agentDetectionInfo_name": "CLO007",
+ "agentDetectionInfo_osFamily": "windows",
+ "agentDetectionInfo_osName": "Windows 11 Pro",
+ "agentDetectionInfo_osRevision": 22621,
+ "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358",
+ "agentDetectionInfo_version": "23.1.2.400",
+ "agentRealtimeInfo_id": 1730979466865875700,
+ "agentRealtimeInfo_infected": "FALSE",
+ "agentRealtimeInfo_isActive": "TRUE",
+ "agentRealtimeInfo_isDecommissioned": "FALSE",
+ "agentRealtimeInfo_machineType": "laptop",
+ "agentRealtimeInfo_name": "CLO007",
+ "agentRealtimeInfo_os": "windows",
+ "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358",
+ "alertInfo_alertId": 1736738460617615400,
+ "alertInfo_analystVerdict": "Undefined",
+ "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:14 AM",
+ "alertInfo_dvEventId": "01H65SGAGCE4JDGCGC1GCKNT9S_32",
+ "alertInfo_eventType": "TCPV4",
+ "alertInfo_hitType": "Events",
+ "alertInfo_incidentStatus": "Unresolved",
+ "alertInfo_isEdr": "TRUE",
+ "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:18 AM",
+ "alertInfo_source": "STAR",
+ "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:18 AM",
+ "ruleInfo_id": 1733309646016098600,
+ "ruleInfo_name": "IP Connect & IP List",
+ "ruleInfo_queryLang": 1,
+ "ruleInfo_queryType": "events",
+ "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen",
+ "ruleInfo_scopeLevel": "account",
+ "ruleInfo_severity": "Low",
+ "ruleInfo_treatAsThreat": "UNDEFINED",
+ "sourceParentProcessInfo_commandline": 
"C:\\Windows\\system32\\services.exe",
+ "sourceParentProcessInfo_fileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f",
+ "sourceParentProcessInfo_fileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42",
+ "sourceParentProcessInfo_fileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb",
+ "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\services.exe",
+ "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS PUBLISHER",
+ "sourceParentProcessInfo_integrityLevel": "system",
+ "sourceParentProcessInfo_name": "services.exe",
+ "sourceParentProcessInfo_pid": 8,
+ "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM",
+ "sourceParentProcessInfo_subsystem": "sys_win32",
+ "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM",
+ "sourceProcessInfo_commandline": "C:\\Windows\\system32\\svchost.exe -k NetworkService -p",
+ "sourceProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536",
+ "sourceProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81",
+ "sourceProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b",
+ "sourceProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe",
+ "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS",
+ "sourceProcessInfo_integrityLevel": "system",
+ "sourceProcessInfo_name": "svchost.exe",
+ "sourceProcessInfo_pid": 1576,
+ "sourceProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM",
+ "sourceProcessInfo_subsystem": "sys_win32",
+ "sourceProcessInfo_user": "NT AUTHORITY\\NETWORK SERVICE",
+ "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM",
+ "targetProcessInfo_tgtFileHashSha1": "",
+ "targetProcessInfo_tgtFileHashSha256": "",
+ "targetProcessInfo_tgtFileIsSigned": "signed",
+ "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM",
+ "targetProcessInfo_tgtFilePath": "",
+ "targetProcessInfo_tgtProcIntegrityLevel": "unknown",
+ 
"targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM",
+ "agentUpdatedVersion": "",
+ "agentId": "",
+ "hash": "",
+ "osFamily": "",
+ "threatId": "",
+ "creator": "",
+ "creatorId": "",
+ "inherits": "",
+ "isDefault": "",
+ "name": "",
+ "registrationToken": "",
+ "totalAgents": "",
+ "type": "",
+ "agentDetectionInfo_accountId": 1712500237934148900,
+ "agentDetectionInfo_accountName": "",
+ "agentDetectionInfo_agentDetectionState": "",
+ "agentDetectionInfo_agentDomain": "",
+ "agentDetectionInfo_agentIpV4": "",
+ "agentDetectionInfo_agentIpV6": "",
+ "agentDetectionInfo_agentLastLoggedInUserName": "",
+ "agentDetectionInfo_agentMitigationMode": "",
+ "agentDetectionInfo_agentOsName": "",
+ "agentDetectionInfo_agentOsRevision": "",
+ "agentDetectionInfo_agentRegisteredAt [UTC]": "",
+ "agentDetectionInfo_agentUuid": "",
+ "agentDetectionInfo_agentVersion": "",
+ "agentDetectionInfo_externalIp": "",
+ "agentDetectionInfo_groupId": "",
+ "agentDetectionInfo_groupName": "",
+ "agentDetectionInfo_siteId": 1712500242422055200,
+ "agentDetectionInfo_siteName": "",
+ "agentRealtimeInfo_accountId": "",
+ "agentRealtimeInfo_accountName": "",
+ "agentRealtimeInfo_activeThreats": "",
+ "agentRealtimeInfo_agentComputerName": "",
+ "agentRealtimeInfo_agentDomain": "",
+ "agentRealtimeInfo_agentId": "",
+ "agentRealtimeInfo_agentInfected": "",
+ "agentRealtimeInfo_agentIsActive": "",
+ "agentRealtimeInfo_agentIsDecommissioned": "",
+ "agentRealtimeInfo_agentMachineType": "",
+ "agentRealtimeInfo_agentMitigationMode": "",
+ "agentRealtimeInfo_agentNetworkStatus": "",
+ "agentRealtimeInfo_agentOsName": "",
+ "agentRealtimeInfo_agentOsRevision": "",
+ "agentRealtimeInfo_agentOsType": "",
+ "agentRealtimeInfo_agentUuid": "",
+ "agentRealtimeInfo_agentVersion": "",
+ "agentRealtimeInfo_groupId": "",
+ "agentRealtimeInfo_groupName": "",
+ "agentRealtimeInfo_networkInterfaces": "",
+ "agentRealtimeInfo_operationalState": "",
+ "agentRealtimeInfo_rebootRequired": "",
+ "agentRealtimeInfo_scanFinishedAt [UTC]": "",
+ "agentRealtimeInfo_scanStartedAt [UTC]": "",
+ "agentRealtimeInfo_scanStatus": "",
+ "agentRealtimeInfo_siteId": "",
+ "agentRealtimeInfo_siteName": "",
+ "agentRealtimeInfo_userActionsNeeded": "",
+ "indicators": "",
+ "mitigationStatus": "",
+ "threatInfo_analystVerdict": "",
+ "threatInfo_analystVerdictDescription": "",
+ "threatInfo_automaticallyResolved": "",
+ "threatInfo_certificateId": "",
+ "threatInfo_classification": "",
+ "threatInfo_classificationSource": "",
+ "threatInfo_cloudFilesHashVerdict": "",
+ "threatInfo_collectionId": "",
+ "threatInfo_confidenceLevel": "",
+ "threatInfo_createdAt [UTC]": "",
+ "threatInfo_detectionEngines": "",
+ "threatInfo_detectionType": "",
+ "threatInfo_engines": "",
+ "threatInfo_externalTicketExists": "",
+ "threatInfo_failedActions": "",
+ "threatInfo_fileExtension": "",
+ "threatInfo_fileExtensionType": "",
+ "threatInfo_filePath": "",
+ "threatInfo_fileSize": "",
+ "threatInfo_fileVerificationType": "",
+ "threatInfo_identifiedAt [UTC]": "",
+ "threatInfo_incidentStatus": "",
+ "threatInfo_incidentStatusDescription": "",
+ "threatInfo_initiatedBy": "",
+ "threatInfo_initiatedByDescription": "",
+ "threatInfo_isFileless": "",
+ "threatInfo_isValidCertificate": "",
+ "threatInfo_mitigatedPreemptively": "",
+ "threatInfo_mitigationStatus": "",
+ "threatInfo_mitigationStatusDescription": "",
+ "threatInfo_originatorProcess": "",
+ "threatInfo_pendingActions": "",
+ "threatInfo_processUser": "",
+ "threatInfo_publisherName": "",
+ "threatInfo_reachedEventsLimit": "",
+ "threatInfo_rebootRequired": "",
+ "threatInfo_sha1": "",
+ "threatInfo_storyline": "",
+ "threatInfo_threatId": "",
+ "threatInfo_threatName": "",
+ "threatInfo_updatedAt [UTC]": "",
+ "whiteningOptions": "",
+ "threatInfo_maliciousProcessArguments": "",
+ "accountId": "",
+ "accountName": "",
+ "activityType": "",
+ "activityUuid": "",
+ "createdAt [UTC]": "",
+ "id": "",
+ "primaryDescription": "",
+ 
"secondaryDescription": "",
+ "siteId": "",
+ "siteName": "",
+ "updatedAt [UTC]": "",
+ "userId": "",
+ "event_name": "Alerts.",
+ "DataFields": "",
+ "description": "",
+ "comments": "",
+ "activeDirectory_computerMemberOf": "",
+ "activeDirectory_lastUserMemberOf": "",
+ "activeThreats": "",
+ "agentVersion": "",
+ "allowRemoteShell": "",
+ "appsVulnerabilityStatus": "",
+ "computerName": "",
+ "consoleMigrationStatus": "",
+ "coreCount": "",
+ "cpuCount": "",
+ "cpuId": "",
+ "detectionState": "",
+ "domain": "",
+ "encryptedApplications": "",
+ "externalId": "",
+ "externalIp": "",
+ "firewallEnabled": "",
+ "firstFullModeTime [UTC]": "",
+ "fullDiskScanLastUpdatedAt [UTC]": "",
+ "groupId": "",
+ "groupIp": "",
+ "groupName": "",
+ "inRemoteShellSession": "",
+ "infected": "",
+ "installerType": "",
+ "isActive": "",
+ "isDecommissioned": "",
+ "isPendingUninstall": "",
+ "isUninstalled": "",
+ "isUpToDate": "",
+ "lastActiveDate [UTC]": "",
+ "lastIpToMgmt": "",
+ "lastLoggedInUserName": "",
+ "licenseKey": "",
+ "locationEnabled": "",
+ "locationType": "",
+ "locations": "",
+ "machineType": "",
+ "mitigationMode": "",
+ "mitigationModeSuspicious": "",
+ "modelName": "",
+ "networkInterfaces": "",
+ "networkQuarantineEnabled": "",
+ "networkStatus": "",
+ "operationalState": "",
+ "osArch": "",
+ "osName": "",
+ "osRevision": "",
+ "osStartTime [UTC]": "",
+ "osType": "",
+ "rangerStatus": "",
+ "rangerVersion": "",
+ "registeredAt [UTC]": "",
+ "remoteProfilingState": "",
+ "scanFinishedAt [UTC]": "",
+ "scanStartedAt [UTC]": "",
+ "scanStatus": "",
+ "serialNumber": "",
+ "showAlertIcon": "",
+ "tags_sentinelone": "",
+ "threatRebootRequired": "",
+ "totalMemory": "",
+ "userActionsNeeded": "",
+ "uuid": "",
+ "osUsername": "",
+ "scanAbortedAt [UTC]": "",
+ "activeDirectory_computerDistinguishedName": "",
+ "activeDirectory_lastUserDistinguishedName": "",
+ "Type": "SentinelOne_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": 
"1a0e2567-2e58-4989-ad18-206108185325",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM",
+ "Computer": "",
+ "RawData": "",
+ "alertInfo_indicatorDescription": "",
+ "alertInfo_indicatorName": "",
+ "targetProcessInfo_tgtFileOldPath": "",
+ "alertInfo_indicatorCategory": "",
+ "alertInfo_registryOldValue": "",
+ "alertInfo_dstIp": "1.1.1.6",
+ "alertInfo_dstPort": 23,
+ "alertInfo_netEventDirection": "OUTGOING",
+ "alertInfo_srcIp": "2.2.2.6",
+ "alertInfo_srcPort": 14,
+ "containerInfo_id": "",
+ "targetProcessInfo_tgtFileId": "",
+ "alertInfo_registryOldValueType": "",
+ "alertInfo_dnsRequest": "",
+ "alertInfo_dnsResponse": "",
+ "alertInfo_registryKeyPath": "",
+ "alertInfo_registryPath": "",
+ "alertInfo_registryValue": "",
+ "ruleInfo_description": "",
+ "alertInfo_loginAccountDomain": "",
+ "alertInfo_loginAccountSid": "",
+ "alertInfo_loginIsAdministratorEquivalent": "",
+ "alertInfo_loginIsSuccessful": "",
+ "alertInfo_loginType": "",
+ "alertInfo_loginsUserName": "",
+ "alertInfo_srcMachineIp": "",
+ "targetProcessInfo_tgtProcCmdLine": "",
+ "targetProcessInfo_tgtProcImagePath": "",
+ "targetProcessInfo_tgtProcName": "",
+ "targetProcessInfo_tgtProcPid": "",
+ "targetProcessInfo_tgtProcSignedStatus": "",
+ "targetProcessInfo_tgtProcStorylineId": "",
+ "targetProcessInfo_tgtProcUid": "",
+ "sourceParentProcessInfo_storyline": "C9B312F580778F51",
+ "sourceParentProcessInfo_uniqueId": "CFB512F580778F51",
+ "sourceProcessInfo_storyline": "C9B312F580778F51",
+ "sourceProcessInfo_uniqueId": "EAB512F580778F51",
+ "agentDetectionInfo_machineType": "laptop",
+ "agentDetectionInfo_name": "CLO007",
+ "agentDetectionInfo_osFamily": "windows",
+ "agentDetectionInfo_osName": "Windows 11 Pro",
+ "agentDetectionInfo_osRevision": 22621,
+ "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358",
+ "agentDetectionInfo_version": "23.1.2.400",
+ "agentRealtimeInfo_id": 1730979466865875700,
+ 
"agentRealtimeInfo_infected": "FALSE",
+ "agentRealtimeInfo_isActive": "TRUE",
+ "agentRealtimeInfo_isDecommissioned": "FALSE",
+ "agentRealtimeInfo_machineType": "laptop",
+ "agentRealtimeInfo_name": "CLO007",
+ "agentRealtimeInfo_os": "windows",
+ "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358",
+ "alertInfo_alertId": 1736738491395420000,
+ "alertInfo_analystVerdict": "Undefined",
+ "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:11 AM",
+ "alertInfo_dvEventId": "01H65SG9CAMBQHFPH0TJD6EYXN_425",
+ "alertInfo_eventType": "TCPV4",
+ "alertInfo_hitType": "Events",
+ "alertInfo_incidentStatus": "Unresolved",
+ "alertInfo_isEdr": "TRUE",
+ "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:22 AM",
+ "alertInfo_source": "STAR",
+ "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:22 AM",
+ "ruleInfo_id": 1733309646016098600,
+ "ruleInfo_name": "IP Connect & IP List",
+ "ruleInfo_queryLang": 1,
+ "ruleInfo_queryType": "events",
+ "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen",
+ "ruleInfo_scopeLevel": "account",
+ "ruleInfo_severity": "Low",
+ "ruleInfo_treatAsThreat": "UNDEFINED",
+ "sourceParentProcessInfo_commandline": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\114.0.1823.82\\msedgewebview2.exe\" --embedded-browser-webview=1 --webview-exe-name=msteams.exe --webview-exe-version=23119.303.2080.2726 --user-data-dir=\"C:\\Users\\Crest\\AppData\\Local\\Packages\\MicrosoftTeams_8wekyb3d8bbwe\\LocalCache\\Microsoft\\MSTeams\\EBWebView\" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --edge-webview-custom-scheme --disable-features=MojoIpcz,msWebOOUI --edge-webview-is-background --enable-features=msSingleSignOnOSForPrimaryAccountIsShared,msEdgeFluentOverlayScrollbar,msWebView2CodeCache,msWebView2EnableDraggableRegions --mojo-named-platform-channel-pipe=9452.304.14872043078598792820 /pfhostedapp:e7e952ed836442a682dca713cb7c4d91d21a087a",
+ "sourceParentProcessInfo_fileHashMd5": 
"0f259745-8e7a-c81b-049d-45ef5b291246",
+ "sourceParentProcessInfo_fileHashSha1": "bbd88a2a41c94d4140ccaef71bfb771e0ccc5c32",
+ "sourceParentProcessInfo_fileHashSha256": "0ce0ef234aba4bf60f1c48a058ce764d52e91078e95312de4db4b0911f4cc7d4",
+ "sourceParentProcessInfo_filePath": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\114.0.1823.82\\msedgewebview2.exe",
+ "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT CORPORATION",
+ "sourceParentProcessInfo_integrityLevel": "medium",
+ "sourceParentProcessInfo_name": "msedgewebview2.exe",
+ "sourceParentProcessInfo_pid": 7280,
+ "sourceParentProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:36:56 AM",
+ "sourceParentProcessInfo_subsystem": "sys_win32",
+ "sourceParentProcessInfo_user": "CLO007\\Crest",
+ "sourceProcessInfo_commandline": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\114.0.1823.82\\msedgewebview2.exe\" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir=\"C:\\Users\\Crest\\AppData\\Local\\Packages\\MicrosoftTeams_8wekyb3d8bbwe\\LocalCache\\Microsoft\\MSTeams\\EBWebView\" --webview-exe-name=msteams.exe --webview-exe-version=23119.303.2080.2726 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --edge-webview-custom-scheme --mojo-platform-channel-handle=2072 --field-trial-handle=1892,i,4999416576109179693,17961817705433260896,262144 --enable-features=msEdgeFluentOverlayScrollbar,msSingleSignOnOSForPrimaryAccountIsShared,msWebView2CodeCache,msWebView2EnableDraggableRegions --disable-features=MojoIpcz,msWebOOUI /prefetch:3 /pfhostedapp:e7e952ed836442a682dca713cb7c4d91d21a087a",
+ "sourceProcessInfo_fileHashMd5": "0f259745-8e7a-c81b-049d-45ef5b291246",
+ "sourceProcessInfo_fileHashSha1": "bbd88a2a41c94d4140ccaef71bfb771e0ccc5c32",
+ "sourceProcessInfo_fileHashSha256": "0ce0ef234aba4bf60f1c48a058ce764d52e91078e95312de4db4b0911f4cc7d4",
+ "sourceProcessInfo_filePath": 
"C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\114.0.1823.82\\msedgewebview2.exe",
+ "sourceProcessInfo_fileSignerIdentity": "MICROSOFT CORPORATION",
+ "sourceProcessInfo_integrityLevel": "medium",
+ "sourceProcessInfo_name": "msedgewebview2.exe",
+ "sourceProcessInfo_pid": 4144,
+ "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:36:56 AM",
+ "sourceProcessInfo_subsystem": "sys_win32",
+ "sourceProcessInfo_user": "CLO007\\Crest",
+ "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM",
+ "targetProcessInfo_tgtFileHashSha1": "",
+ "targetProcessInfo_tgtFileHashSha256": "",
+ "targetProcessInfo_tgtFileIsSigned": "signed",
+ "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM",
+ "targetProcessInfo_tgtFilePath": "",
+ "targetProcessInfo_tgtProcIntegrityLevel": "unknown",
+ "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM",
+ "agentUpdatedVersion": "",
+ "agentId": "",
+ "hash": "",
+ "osFamily": "",
+ "threatId": "",
+ "creator": "",
+ "creatorId": "",
+ "inherits": "",
+ "isDefault": "",
+ "name": "",
+ "registrationToken": "",
+ "totalAgents": "",
+ "type": "",
+ "agentDetectionInfo_accountId": 1712500237934148900,
+ "agentDetectionInfo_accountName": "",
+ "agentDetectionInfo_agentDetectionState": "",
+ "agentDetectionInfo_agentDomain": "",
+ "agentDetectionInfo_agentIpV4": "",
+ "agentDetectionInfo_agentIpV6": "",
+ "agentDetectionInfo_agentLastLoggedInUserName": "",
+ "agentDetectionInfo_agentMitigationMode": "",
+ "agentDetectionInfo_agentOsName": "",
+ "agentDetectionInfo_agentOsRevision": "",
+ "agentDetectionInfo_agentRegisteredAt [UTC]": "",
+ "agentDetectionInfo_agentUuid": "",
+ "agentDetectionInfo_agentVersion": "",
+ "agentDetectionInfo_externalIp": "",
+ "agentDetectionInfo_groupId": "",
+ "agentDetectionInfo_groupName": "",
+ "agentDetectionInfo_siteId": 1712500242422055200,
+ "agentDetectionInfo_siteName": "",
+ "agentRealtimeInfo_accountId": "",
+ "agentRealtimeInfo_accountName": 
"",
+ "agentRealtimeInfo_activeThreats": "",
+ "agentRealtimeInfo_agentComputerName": "",
+ "agentRealtimeInfo_agentDomain": "",
+ "agentRealtimeInfo_agentId": "",
+ "agentRealtimeInfo_agentInfected": "",
+ "agentRealtimeInfo_agentIsActive": "",
+ "agentRealtimeInfo_agentIsDecommissioned": "",
+ "agentRealtimeInfo_agentMachineType": "",
+ "agentRealtimeInfo_agentMitigationMode": "",
+ "agentRealtimeInfo_agentNetworkStatus": "",
+ "agentRealtimeInfo_agentOsName": "",
+ "agentRealtimeInfo_agentOsRevision": "",
+ "agentRealtimeInfo_agentOsType": "",
+ "agentRealtimeInfo_agentUuid": "",
+ "agentRealtimeInfo_agentVersion": "",
+ "agentRealtimeInfo_groupId": "",
+ "agentRealtimeInfo_groupName": "",
+ "agentRealtimeInfo_networkInterfaces": "",
+ "agentRealtimeInfo_operationalState": "",
+ "agentRealtimeInfo_rebootRequired": "",
+ "agentRealtimeInfo_scanFinishedAt [UTC]": "",
+ "agentRealtimeInfo_scanStartedAt [UTC]": "",
+ "agentRealtimeInfo_scanStatus": "",
+ "agentRealtimeInfo_siteId": "",
+ "agentRealtimeInfo_siteName": "",
+ "agentRealtimeInfo_userActionsNeeded": "",
+ "indicators": "",
+ "mitigationStatus": "",
+ "threatInfo_analystVerdict": "",
+ "threatInfo_analystVerdictDescription": "",
+ "threatInfo_automaticallyResolved": "",
+ "threatInfo_certificateId": "",
+ "threatInfo_classification": "",
+ "threatInfo_classificationSource": "",
+ "threatInfo_cloudFilesHashVerdict": "",
+ "threatInfo_collectionId": "",
+ "threatInfo_confidenceLevel": "",
+ "threatInfo_createdAt [UTC]": "",
+ "threatInfo_detectionEngines": "",
+ "threatInfo_detectionType": "",
+ "threatInfo_engines": "",
+ "threatInfo_externalTicketExists": "",
+ "threatInfo_failedActions": "",
+ "threatInfo_fileExtension": "",
+ "threatInfo_fileExtensionType": "",
+ "threatInfo_filePath": "",
+ "threatInfo_fileSize": "",
+ "threatInfo_fileVerificationType": "",
+ "threatInfo_identifiedAt [UTC]": "",
+ "threatInfo_incidentStatus": "",
+ "threatInfo_incidentStatusDescription": "",
+ "threatInfo_initiatedBy": 
"",
+ "threatInfo_initiatedByDescription": "",
+ "threatInfo_isFileless": "",
+ "threatInfo_isValidCertificate": "",
+ "threatInfo_mitigatedPreemptively": "",
+ "threatInfo_mitigationStatus": "",
+ "threatInfo_mitigationStatusDescription": "",
+ "threatInfo_originatorProcess": "",
+ "threatInfo_pendingActions": "",
+ "threatInfo_processUser": "",
+ "threatInfo_publisherName": "",
+ "threatInfo_reachedEventsLimit": "",
+ "threatInfo_rebootRequired": "",
+ "threatInfo_sha1": "",
+ "threatInfo_storyline": "",
+ "threatInfo_threatId": "",
+ "threatInfo_threatName": "",
+ "threatInfo_updatedAt [UTC]": "",
+ "whiteningOptions": "",
+ "threatInfo_maliciousProcessArguments": "",
+ "accountId": "",
+ "accountName": "",
+ "activityType": "",
+ "activityUuid": "",
+ "createdAt [UTC]": "",
+ "id": "",
+ "primaryDescription": "",
+ "secondaryDescription": "",
+ "siteId": "",
+ "siteName": "",
+ "updatedAt [UTC]": "",
+ "userId": "",
+ "event_name": "Alerts.",
+ "DataFields": "",
+ "description": "",
+ "comments": "",
+ "activeDirectory_computerMemberOf": "",
+ "activeDirectory_lastUserMemberOf": "",
+ "activeThreats": "",
+ "agentVersion": "",
+ "allowRemoteShell": "",
+ "appsVulnerabilityStatus": "",
+ "computerName": "",
+ "consoleMigrationStatus": "",
+ "coreCount": "",
+ "cpuCount": "",
+ "cpuId": "",
+ "detectionState": "",
+ "domain": "",
+ "encryptedApplications": "",
+ "externalId": "",
+ "externalIp": "",
+ "firewallEnabled": "",
+ "firstFullModeTime [UTC]": "",
+ "fullDiskScanLastUpdatedAt [UTC]": "",
+ "groupId": "",
+ "groupIp": "",
+ "groupName": "",
+ "inRemoteShellSession": "",
+ "infected": "",
+ "installerType": "",
+ "isActive": "",
+ "isDecommissioned": "",
+ "isPendingUninstall": "",
+ "isUninstalled": "",
+ "isUpToDate": "",
+ "lastActiveDate [UTC]": "",
+ "lastIpToMgmt": "",
+ "lastLoggedInUserName": "",
+ "licenseKey": "",
+ "locationEnabled": "",
+ "locationType": "",
+ "locations": "",
+ "machineType": "",
+ "mitigationMode": "",
+ 
"mitigationModeSuspicious": "",
+ "modelName": "",
+ "networkInterfaces": "",
+ "networkQuarantineEnabled": "",
+ "networkStatus": "",
+ "operationalState": "",
+ "osArch": "",
+ "osName": "",
+ "osRevision": "",
+ "osStartTime [UTC]": "",
+ "osType": "",
+ "rangerStatus": "",
+ "rangerVersion": "",
+ "registeredAt [UTC]": "",
+ "remoteProfilingState": "",
+ "scanFinishedAt [UTC]": "",
+ "scanStartedAt [UTC]": "",
+ "scanStatus": "",
+ "serialNumber": "",
+ "showAlertIcon": "",
+ "tags_sentinelone": "",
+ "threatRebootRequired": "",
+ "totalMemory": "",
+ "userActionsNeeded": "",
+ "uuid": "",
+ "osUsername": "",
+ "scanAbortedAt [UTC]": "",
+ "activeDirectory_computerDistinguishedName": "",
+ "activeDirectory_lastUserDistinguishedName": "",
+ "Type": "SentinelOne_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "1a0e2567-2e58-4989-ad18-206108185325",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM",
+ "Computer": "",
+ "RawData": "",
+ "alertInfo_indicatorDescription": "",
+ "alertInfo_indicatorName": "",
+ "targetProcessInfo_tgtFileOldPath": "",
+ "alertInfo_indicatorCategory": "",
+ "alertInfo_registryOldValue": "",
+ "alertInfo_dstIp": "1.1.1.7",
+ "alertInfo_dstPort": 23,
+ "alertInfo_netEventDirection": "OUTGOING",
+ "alertInfo_srcIp": "2.2.2.7",
+ "alertInfo_srcPort": 14,
+ "containerInfo_id": "",
+ "targetProcessInfo_tgtFileId": "",
+ "alertInfo_registryOldValueType": "",
+ "alertInfo_dnsRequest": "",
+ "alertInfo_dnsResponse": "",
+ "alertInfo_registryKeyPath": "",
+ "alertInfo_registryPath": "",
+ "alertInfo_registryValue": "",
+ "ruleInfo_description": "",
+ "alertInfo_loginAccountDomain": "",
+ "alertInfo_loginAccountSid": "",
+ "alertInfo_loginIsAdministratorEquivalent": "",
+ "alertInfo_loginIsSuccessful": "",
+ "alertInfo_loginType": "",
+ "alertInfo_loginsUserName": "",
+ "alertInfo_srcMachineIp": "",
+ "targetProcessInfo_tgtProcCmdLine": "",
+ "targetProcessInfo_tgtProcImagePath": 
"",
+ "targetProcessInfo_tgtProcName": "",
+ "targetProcessInfo_tgtProcPid": "",
+ "targetProcessInfo_tgtProcSignedStatus": "",
+ "targetProcessInfo_tgtProcStorylineId": "",
+ "targetProcessInfo_tgtProcUid": "",
+ "sourceParentProcessInfo_storyline": "433C0EF580778F51",
+ "sourceParentProcessInfo_uniqueId": "423C0EF580778F51",
+ "sourceProcessInfo_storyline": "FC3C0EF580778F51",
+ "sourceProcessInfo_uniqueId": "FB3C0EF580778F51",
+ "agentDetectionInfo_machineType": "laptop",
+ "agentDetectionInfo_name": "CLO007",
+ "agentDetectionInfo_osFamily": "windows",
+ "agentDetectionInfo_osName": "Windows 11 Pro",
+ "agentDetectionInfo_osRevision": 22621,
+ "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358",
+ "agentDetectionInfo_version": "23.1.2.400",
+ "agentRealtimeInfo_id": 1730979466865875700,
+ "agentRealtimeInfo_infected": "FALSE",
+ "agentRealtimeInfo_isActive": "TRUE",
+ "agentRealtimeInfo_isDecommissioned": "FALSE",
+ "agentRealtimeInfo_machineType": "laptop",
+ "agentRealtimeInfo_name": "CLO007",
+ "agentRealtimeInfo_os": "windows",
+ "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358",
+ "alertInfo_alertId": 1736738492846649000,
+ "alertInfo_analystVerdict": "Undefined",
+ "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:10 AM",
+ "alertInfo_dvEventId": "01H65SG50RP78BRBAJ4ZGDQGGF_8",
+ "alertInfo_eventType": "TCPV4",
+ "alertInfo_hitType": "Events",
+ "alertInfo_incidentStatus": "Unresolved",
+ "alertInfo_isEdr": "TRUE",
+ "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:22 AM",
+ "alertInfo_source": "STAR",
+ "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:22 AM",
+ "ruleInfo_id": 1733309646016098600,
+ "ruleInfo_name": "IP Connect & IP List",
+ "ruleInfo_queryLang": 1,
+ "ruleInfo_queryType": "events",
+ "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen",
+ "ruleInfo_scopeLevel": "account",
+ "ruleInfo_severity": "Low",
+ "ruleInfo_treatAsThreat": "UNDEFINED",
+ "sourceParentProcessInfo_commandline": 
"C:\\Windows\\system32\\services.exe",
+ "sourceParentProcessInfo_fileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f",
+ "sourceParentProcessInfo_fileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42",
+ "sourceParentProcessInfo_fileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb",
+ "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\services.exe",
+ "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS PUBLISHER",
+ "sourceParentProcessInfo_integrityLevel": "system",
+ "sourceParentProcessInfo_name": "services.exe",
+ "sourceParentProcessInfo_pid": 8,
+ "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM",
+ "sourceParentProcessInfo_subsystem": "sys_win32",
+ "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM",
+ "sourceProcessInfo_commandline": "C:\\Windows\\system32\\svchost.exe -k NetworkService -p",
+ "sourceProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536",
+ "sourceProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81",
+ "sourceProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b",
+ "sourceProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe",
+ "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS",
+ "sourceProcessInfo_integrityLevel": "system",
+ "sourceProcessInfo_name": "svchost.exe",
+ "sourceProcessInfo_pid": 2692,
+ "sourceProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:48 AM",
+ "sourceProcessInfo_subsystem": "sys_win32",
+ "sourceProcessInfo_user": "NT AUTHORITY\\NETWORK SERVICE",
+ "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM",
+ "targetProcessInfo_tgtFileHashSha1": "",
+ "targetProcessInfo_tgtFileHashSha256": "",
+ "targetProcessInfo_tgtFileIsSigned": "signed",
+ "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM",
+ "targetProcessInfo_tgtFilePath": "",
+ "targetProcessInfo_tgtProcIntegrityLevel": "unknown",
+ 
"targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM",
+ "agentUpdatedVersion": "",
+ "agentId": "",
+ "hash": "",
+ "osFamily": "",
+ "threatId": "",
+ "creator": "",
+ "creatorId": "",
+ "inherits": "",
+ "isDefault": "",
+ "name": "",
+ "registrationToken": "",
+ "totalAgents": "",
+ "type": "",
+ "agentDetectionInfo_accountId": 1712500237934148900,
+ "agentDetectionInfo_accountName": "",
+ "agentDetectionInfo_agentDetectionState": "",
+ "agentDetectionInfo_agentDomain": "",
+ "agentDetectionInfo_agentIpV4": "",
+ "agentDetectionInfo_agentIpV6": "",
+ "agentDetectionInfo_agentLastLoggedInUserName": "",
+ "agentDetectionInfo_agentMitigationMode": "",
+ "agentDetectionInfo_agentOsName": "",
+ "agentDetectionInfo_agentOsRevision": "",
+ "agentDetectionInfo_agentRegisteredAt [UTC]": "",
+ "agentDetectionInfo_agentUuid": "",
+ "agentDetectionInfo_agentVersion": "",
+ "agentDetectionInfo_externalIp": "",
+ "agentDetectionInfo_groupId": "",
+ "agentDetectionInfo_groupName": "",
+ "agentDetectionInfo_siteId": 1712500242422055200,
+ "agentDetectionInfo_siteName": "",
+ "agentRealtimeInfo_accountId": "",
+ "agentRealtimeInfo_accountName": "",
+ "agentRealtimeInfo_activeThreats": "",
+ "agentRealtimeInfo_agentComputerName": "",
+ "agentRealtimeInfo_agentDomain": "",
+ "agentRealtimeInfo_agentId": "",
+ "agentRealtimeInfo_agentInfected": "",
+ "agentRealtimeInfo_agentIsActive": "",
+ "agentRealtimeInfo_agentIsDecommissioned": "",
+ "agentRealtimeInfo_agentMachineType": "",
+ "agentRealtimeInfo_agentMitigationMode": "",
+ "agentRealtimeInfo_agentNetworkStatus": "",
+ "agentRealtimeInfo_agentOsName": "",
+ "agentRealtimeInfo_agentOsRevision": "",
+ "agentRealtimeInfo_agentOsType": "",
+ "agentRealtimeInfo_agentUuid": "",
+ "agentRealtimeInfo_agentVersion": "",
+ "agentRealtimeInfo_groupId": "",
+ "agentRealtimeInfo_groupName": "",
+ "agentRealtimeInfo_networkInterfaces": "",
+ "agentRealtimeInfo_operationalState": "",
+ "agentRealtimeInfo_rebootRequired": "",
+ "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + 
"secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": 
"1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.8", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.8", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "433C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "423C0EF580778F51", + "sourceProcessInfo_storyline": "4E4B0EF580778F51", + "sourceProcessInfo_uniqueId": "4D4B0EF580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + 
"agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736738499473650000, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:14 AM", + "alertInfo_dvEventId": "01H65SGAGCE4JDGCGC1GCKNT9S_3", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:23 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:23 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Windows\\system32\\services.exe", + "sourceParentProcessInfo_fileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "sourceParentProcessInfo_fileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "sourceParentProcessInfo_fileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\services.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS PUBLISHER", + "sourceParentProcessInfo_integrityLevel": "system", + "sourceParentProcessInfo_name": "services.exe", + "sourceParentProcessInfo_pid": 8, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "sourceProcessInfo_commandline": 
"C:\\Windows\\System32\\svchost.exe -k NetworkService -p", + "sourceProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536", + "sourceProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81", + "sourceProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "system", + "sourceProcessInfo_name": "svchost.exe", + "sourceProcessInfo_pid": 8620, + "sourceProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:33:11 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "NT AUTHORITY\\NETWORK SERVICE", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + 
"agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + 
"threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + 
"isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.9", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.9", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + 
"alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "B2B112F580778F51", + "sourceParentProcessInfo_uniqueId": "B1B112F580778F51", + "sourceProcessInfo_storyline": "B5B212F580778F51", + "sourceProcessInfo_uniqueId": "B4B212F580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736738500874547500, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:11 AM", + "alertInfo_dvEventId": "01H65SG9CAMBQHFPH0TJD6EYXN_432", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:23 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:23 AM", + "ruleInfo_id": 1733309646016098600, + 
"ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "sihost.exe", + "sourceParentProcessInfo_fileHashMd5": "e5a23407-157b-23f3-c244-1d412163e4ee", + "sourceParentProcessInfo_fileHashSha1": "e8d9750e757e5b580c56521a81ed0cc41d327d82", + "sourceParentProcessInfo_fileHashSha256": "51eb6455bdca85d3102a00b1ce89969016efc3ed8b08b24a2aa10e03ba1e2b13", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\sihost.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceParentProcessInfo_integrityLevel": "medium", + "sourceParentProcessInfo_name": "sihost.exe", + "sourceParentProcessInfo_pid": 13788, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:36:13 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "CLO007\\Crest", + "sourceProcessInfo_commandline": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost.exe\" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca", + "sourceProcessInfo_fileHashMd5": "4bd84472-eca2-b69a-0391-f61fa50d0f31", + "sourceProcessInfo_fileHashSha1": "0ca4bcd60601ec0d8602d4f5994cb0393edb892b", + "sourceProcessInfo_fileHashSha256": "c1fc7f6cb2228ee6386d91f27f1a61ae60a63deefb21d78bb810b7f027f1a489", + "sourceProcessInfo_filePath": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "low", + "sourceProcessInfo_name": "StartMenuExperienceHost.exe", + "sourceProcessInfo_pid": 4524, + "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:36:15 AM", + "sourceProcessInfo_subsystem": 
"sys_win32", + "sourceProcessInfo_user": "CLO007\\Crest", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + 
"agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + 
"threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt 
[UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.10", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.10", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "433C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "423C0EF580778F51", + "sourceProcessInfo_storyline": "09AB12F580778F51", + 
"sourceProcessInfo_uniqueId": "08AB12F580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736738502325776600, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:14 AM", + "alertInfo_dvEventId": "01H65SGAGCE4JDGCGC1GCKNT9S_29", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:23 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:23 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Windows\\system32\\services.exe", + "sourceParentProcessInfo_fileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "sourceParentProcessInfo_fileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "sourceParentProcessInfo_fileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\services.exe", + 
"sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS PUBLISHER", + "sourceParentProcessInfo_integrityLevel": "system", + "sourceParentProcessInfo_name": "services.exe", + "sourceParentProcessInfo_pid": 8, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "sourceProcessInfo_commandline": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s BITS", + "sourceProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536", + "sourceProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81", + "sourceProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "system", + "sourceProcessInfo_name": "svchost.exe", + "sourceProcessInfo_pid": 10972, + "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:28:16 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + 
"agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": 
"", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + 
"consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.11", + 
"alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.11", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "C43C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "C33C0EF580778F51", + "sourceProcessInfo_storyline": "34B612F580778F51", + "sourceProcessInfo_uniqueId": "33B612F580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736738511318365000, + "alertInfo_analystVerdict": "Undefined", + 
"alertInfo_createdAt [UTC]": "7/25/2023, 5:49:11 AM", + "alertInfo_dvEventId": "01H65SG9CAMBQHFPH0TJD6EYXN_434", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:24 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:24 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "sourceParentProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536", + "sourceParentProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81", + "sourceParentProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceParentProcessInfo_integrityLevel": "system", + "sourceParentProcessInfo_name": "svchost.exe", + "sourceParentProcessInfo_pid": 1752, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "sourceProcessInfo_commandline": "C:\\Windows\\system32\\wermgr.exe\" -upload", + "sourceProcessInfo_fileHashMd5": "b2eb37f1-bd88-302c-2f15-0217722a8c9f", + "sourceProcessInfo_fileHashSha1": "d8e0c1e1ad99a38f3a84414d5af7b761bf0eb924", + "sourceProcessInfo_fileHashSha256": "a4c41c6c4e1d0fadc9bd3313a3d0e329517f400bd8908dd8c70ac69758e60875", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\wermgr.exe", + 
"sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "system", + "sourceProcessInfo_name": "wermgr.exe", + "sourceProcessInfo_pid": 5488, + "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:37:03 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + 
"agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + 
"threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + 
"networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.12", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.12", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": 
"", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "433C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "423C0EF580778F51", + "sourceProcessInfo_storyline": "FEAE12F580778F51", + "sourceProcessInfo_uniqueId": "FDAE12F580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736738514782860300, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:14 AM", + "alertInfo_dvEventId": "01H65SGAGCE4JDGCGC1GCKNT9S_9", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:24 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:24 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Windows\\system32\\services.exe", + "sourceParentProcessInfo_fileHashMd5": 
"68483e45-9f55-5389-ad8b-a6424bbaf42f", + "sourceParentProcessInfo_fileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "sourceParentProcessInfo_fileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\services.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS PUBLISHER", + "sourceParentProcessInfo_integrityLevel": "system", + "sourceParentProcessInfo_name": "services.exe", + "sourceParentProcessInfo_pid": 8, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "sourceProcessInfo_commandline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s wlidsvc", + "sourceProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536", + "sourceProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81", + "sourceProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "system", + "sourceProcessInfo_name": "svchost.exe", + "sourceProcessInfo_pid": 11436, + "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:34:08 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + 
"hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + 
"agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": 
"", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated 
[UTC]": "7/25/2023, 6:40:04 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.13", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.13", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "433C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "423C0EF580778F51", + "sourceProcessInfo_storyline": "D83C0EF580778F51", + "sourceProcessInfo_uniqueId": "D73C0EF580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + 
"agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736756505571408600, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 6:24:58 AM", + "alertInfo_dvEventId": "01H65VHMRC71Y2GK2M458J2WMW_15", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 6:25:09 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 6:25:09 AM", + "ruleInfo_id": 1736743171400115500, + "ruleInfo_name": "CWL547", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EndpointName = \"CLO007", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Medium", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Windows\\system32\\services.exe", + "sourceParentProcessInfo_fileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "sourceParentProcessInfo_fileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "sourceParentProcessInfo_fileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\services.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS PUBLISHER", + "sourceParentProcessInfo_integrityLevel": "system", + "sourceParentProcessInfo_name": "services.exe", + "sourceParentProcessInfo_pid": 8, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "sourceProcessInfo_commandline": "C:\\Windows\\System32\\svchost.exe -k netprofm -p -s netprofm", + "sourceProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536", + 
"sourceProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81", + "sourceProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "system", + "sourceProcessInfo_name": "svchost.exe", + "sourceProcessInfo_pid": 2084, + "sourceProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "NT AUTHORITY\\NETWORK SERVICE", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", 
+ "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + 
"threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": 
"", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:40:04 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.14", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.14", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + 
"alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "C43C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "C33C0EF580778F51", + "sourceProcessInfo_storyline": "24DB12F580778F51", + "sourceProcessInfo_uniqueId": "23DB12F580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736757508513437700, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 6:27:00 AM", + "alertInfo_dvEventId": "01H65VN9YVSBR9FGDK3RJX7NKK_10", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 6:27:09 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 6:27:09 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = 
\"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "sourceParentProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536", + "sourceParentProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81", + "sourceParentProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceParentProcessInfo_integrityLevel": "system", + "sourceParentProcessInfo_name": "svchost.exe", + "sourceParentProcessInfo_pid": 1752, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "sourceProcessInfo_commandline": "taskhostw.exe", + "sourceProcessInfo_fileHashMd5": "4887a65f-d4f6-598a-f498-6cbc1c0e5488", + "sourceProcessInfo_fileHashSha1": "0882f3f9947405bb80c2e830adf69af85c9b51c7", + "sourceProcessInfo_fileHashSha256": "82472a84bcbb4009add338200f8e853fe4c5eafe2e2c3a2d711b85bf29b72d54", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\taskhostw.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "system", + "sourceProcessInfo_name": "taskhostw.exe", + "sourceProcessInfo_pid": 8648, + "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 6:26:34 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + 
"targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + 
"agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + 
"accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + 
"activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 10:30:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.15", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.15", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": 
"6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1736872444737646300, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 10:15:22 AM", + "alertInfo_dvEventId": "01H668QFMWS1BRZA6EAHDVWFN0_55", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 10:15:30 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 10:15:30 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "mount -t nfs -o vers=3,nolock 10.50.3.251: /root/nfsdir", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "f6d5066df72ae947089cb3762679c54f61d7c97f", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/bin/mount", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "mount", + "sourceParentProcessInfo_pid": 32168, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/25/2023, 10:15:07 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/sbin/mount.nfs 
10.50.3.251: /root/nfsdir", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "2894ddd5adc4c4f89d6171feb966ee8db03e3d48", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/sbin/mount.nfs", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "mount.nfs", + "sourceProcessInfo_pid": 32169, + "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 10:15:07 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + 
"agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + 
"threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + 
"locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 10:30:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.16", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.16", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + 
"alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1736872477948149000, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 10:15:22 AM", + "alertInfo_dvEventId": "01H668QFMWS1BRZA6EAHDVWFN0_7", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 10:15:34 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 10:15:34 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + 
"ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "mount -t nfs -o vers=3,nolock 10.50.3.251:/ns2/bucket4/ /root/nfsdir", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "f6d5066df72ae947089cb3762679c54f61d7c97f", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/bin/mount", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "mount", + "sourceParentProcessInfo_pid": 32151, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/25/2023, 10:14:44 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/sbin/mount.nfs 10.50.3.251:/ns2/bucket4/ /root/nfsdir", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "2894ddd5adc4c4f89d6171feb966ee8db03e3d48", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/sbin/mount.nfs", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "mount.nfs", + "sourceProcessInfo_pid": 32152, + "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 10:14:44 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + 
"registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + 
"indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + 
"activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 10:30:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + 
"alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.17", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.17", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + 
"agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1736872503055255600, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 10:15:22 AM", + "alertInfo_dvEventId": "01H668QFMWS1BRZA6EAHDVWFN0_15", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 10:15:37 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 10:15:37 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "mount -t nfs -o vers=3,nolock 10.50.3.251:/ns2/bucket4 /root/nfsdir", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "f6d5066df72ae947089cb3762679c54f61d7c97f", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/bin/mount", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "mount", + "sourceParentProcessInfo_pid": 32157, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/25/2023, 10:14:59 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/sbin/mount.nfs 10.50.3.251:/ns2/bucket4 /root/nfsdir", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "2894ddd5adc4c4f89d6171feb966ee8db03e3d48", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/sbin/mount.nfs", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + 
"sourceProcessInfo_name": "mount.nfs", + "sourceProcessInfo_pid": 32158, + "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 10:14:59 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + 
"agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + 
"threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + 
"osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 10:30:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.18", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.18", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", 
+ "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1736872508449131000, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 10:15:22 AM", + "alertInfo_dvEventId": "01H668QFMWS1BRZA6EAHDVWFN0_51", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 10:15:38 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 10:15:38 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "mount -t nfs -o vers=3,nolock 10.50.3.251:/ns2/ /root/nfsdir", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "f6d5066df72ae947089cb3762679c54f61d7c97f", + "sourceParentProcessInfo_fileHashSha256": "", + 
"sourceParentProcessInfo_filePath": "/usr/bin/mount", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "mount", + "sourceParentProcessInfo_pid": 32166, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/25/2023, 10:15:03 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/sbin/mount.nfs 10.50.3.251:/ns2/ /root/nfsdir", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "2894ddd5adc4c4f89d6171feb966ee8db03e3d48", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/sbin/mount.nfs", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "mount.nfs", + "sourceProcessInfo_pid": 32167, + "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 10:15:03 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + 
"agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + 
"threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": 
"", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 2:00:04 PM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.19", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.19", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + 
"targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "FEBB12F580778F51", + "sourceParentProcessInfo_uniqueId": "FDBB12F580778F51", + "sourceProcessInfo_storyline": "E0E912F580778F51", + "sourceProcessInfo_uniqueId": "DFE912F580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736978424395258000, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 1:45:59 PM", + "alertInfo_dvEventId": "01H66MS4AHVPK6ZSZA1W047SMR_278", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": 
"Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 1:46:04 PM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 1:46:04 PM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Windows\\Explorer.EXE", + "sourceParentProcessInfo_fileHashMd5": "357b678c-68d3-d5ee-86e1-b706fbfd994b", + "sourceParentProcessInfo_fileHashSha1": "a4e4e2bc502e4ab249b219da357d1aad163ab175", + "sourceParentProcessInfo_fileHashSha256": "8375581b32e510a1ddf90b1ff8ffb8a756d71e1d5572b1c7c027e9b7393ccd3b", + "sourceParentProcessInfo_filePath": "C:\\Windows\\explorer.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceParentProcessInfo_integrityLevel": "medium", + "sourceParentProcessInfo_name": "explorer.exe", + "sourceParentProcessInfo_pid": 14472, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:42:20 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "CLO007\\Crest", + "sourceProcessInfo_commandline": "C:\\Windows\\System32\\smartscreen.exe -Embedding", + "sourceProcessInfo_fileHashMd5": "8b71524d-b619-2b9a-1967-1156e27b1826", + "sourceProcessInfo_fileHashSha1": "4549fabd13aaf136087a4501682eb2559eaafdbb", + "sourceProcessInfo_fileHashSha256": "83c9bd1ff0dd424a841cd1b22993e09e16d1339501070613236b0d1f8bff92bc", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\smartscreen.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "medium", + "sourceProcessInfo_name": "smartscreen.exe", + "sourceProcessInfo_pid": 14528, + 
"sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 1:45:28 PM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "CLO007\\Crest", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + 
"agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + 
"threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + 
"registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 2:00:04 PM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.20", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.20", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "70BC12F580778F51", + 
"sourceParentProcessInfo_uniqueId": "19BF12F580778F51", + "sourceProcessInfo_storyline": "70BC12F580778F51", + "sourceProcessInfo_uniqueId": "42CD12F580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736978447346490600, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 1:45:59 PM", + "alertInfo_dvEventId": "01H66MS4AHVPK6ZSZA1W047SMR_22", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 1:46:07 PM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 1:46:07 PM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Users\\Crest\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode /installWebView2 
/SetPerProcessSystemDPIForceOffKey /EnableNucleusAutoStartFix", + "sourceParentProcessInfo_fileHashMd5": "8d5ca829-19d6-6439-685d-dd97dca650c6", + "sourceParentProcessInfo_fileHashSha1": "81c0122bc0adc75ce71912504b8d72825aecad35", + "sourceParentProcessInfo_fileHashSha256": "7dfe00a315c1e6956eb32c9d12fc809998590d15de1820b34b6d9ca7aa109b88", + "sourceParentProcessInfo_filePath": "C:\\Users\\Crest\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT CORPORATION", + "sourceParentProcessInfo_integrityLevel": "medium", + "sourceParentProcessInfo_name": "OneDriveSetup.exe", + "sourceParentProcessInfo_pid": 5412, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:46:58 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "CLO007\\Crest", + "sourceProcessInfo_commandline": "/updateInstalled /background", + "sourceProcessInfo_fileHashMd5": "174826c7-8c0a-a36d-a145-7e711e4c9e80", + "sourceProcessInfo_fileHashSha1": "56ee9857c7a0643d6f6d5e56c3f4689bb1499829", + "sourceProcessInfo_fileHashSha256": "159e208d7211b71b5dad89771bf1fc047de839bcb8e68475f248a051d2ebaa02", + "sourceProcessInfo_filePath": "C:\\Users\\Crest\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT CORPORATION", + "sourceProcessInfo_integrityLevel": "medium", + "sourceProcessInfo_name": "OneDrive.exe", + "sourceProcessInfo_pid": 2204, + "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:47:11 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "CLO007\\Crest", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + 
"targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + 
"agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + 
"activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": 
"SentinelOne_CL", + "_ResourceId": "" + } + ] \ No newline at end of file diff --git a/Sample Data/ASIM/SentinelOne_CL_Schema.csv b/Sample Data/ASIM/SentinelOne_CL_Schema.csv index 7432410acb8..ff16136c833 100644 --- a/Sample Data/ASIM/SentinelOne_CL_Schema.csv +++ b/Sample Data/ASIM/SentinelOne_CL_Schema.csv @@ -311,3 +311,4 @@ RawData,6,"System.String",string "activeDirectory_lastUserDistinguishedName_s",309,"System.String",string Type,310,"System.String",string "_ResourceId",311,"System.String",string +"_ItemId",312,"System.String",string From 530de47f278f43b37414944369f7c4b44bce21cf Mon Sep 17 00:00:00 2001 From: Jayesh Prajapati Date: Mon, 18 Sep 2023 19:25:21 +0530 Subject: [PATCH 3/4] Updated parser by adding inspection fields, added EventProduct and Event Vender in tester file. --- ASIM/dev/ASimTester/ASimTester.csv | 4 +- .../ASimNetworkSessionSentinelOne.yaml | 73 +++++++++++++++---- .../Parsers/vimNetworkSessionSentinelOne.yaml | 15 ++-- ...entinelOne_ASimNetworkSession_DataTest.csv | 1 + ...tinelOne_ASimNetworkSession_SchemaTest.csv | 3 - ...SentinelOne_vimNetworkSession_DataTest.csv | 1 + ...ntinelOne_vimNetworkSession_SchemaTest.csv | 2 - 7 files changed, 74 insertions(+), 25 deletions(-) diff --git a/ASIM/dev/ASimTester/ASimTester.csv b/ASIM/dev/ASimTester/ASimTester.csv index 115bbb0ae92..36c6b21764e 100644 --- a/ASIM/dev/ASimTester/ASimTester.csv +++ b/ASIM/dev/ASimTester/ASimTester.csv 
@@ -540,7 +540,7 @@ EventProduct,string,Mandatory,Common,,,
 EventProduct,string,Mandatory,Dhcp,,,
 EventProduct,string,Mandatory,Dns,Enumerated,Umbrella|Azure Firewall|DNS Server|Sysmon|Sysmon for Linux|ZIA DNS|NIOS|Cloud DNS|Zeek|Vectra Stream,
 EventProduct,string,Mandatory,FileEvent,Enumerated,Sysmon for Linux|Sysmon|M365 Defender for Endpoint|Azure File Storage|SharePoint|OneDrive,
-EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki MX|Zeek|Firewall|ASA|Cynerio,
+EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki MX|Zeek|Firewall|ASA|Cynerio|SentinelOne,
 EventProduct,string,Mandatory,ProcessEvent,Enumerated,M365 Defender for Endpoint|Sysmon for Linux|Sysmon|Azure Defender for IoT|Security Events,
 EventProduct,string,Mandatory,RegistryEvent,Enumerated,M365 Defender for Endpoint|Security Events|Sysmon|Windows Event,
 EventProduct,string,Mandatory,UserManagement,,,
@@ -668,7 +668,7 @@ EventVendor,string,Mandatory,Common,,,
 EventVendor,string,Mandatory,Dhcp,,,
 EventVendor,string,Mandatory,Dns,Enumerated,Cisco|Corelight|GCP|Infoblox|Microsoft|Zscaler|Vectra AI,
 EventVendor,string,Mandatory,FileEvent,Enumerated,Microsoft,
-EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio,
+EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio|SentinelOne,
 EventVendor,string,Mandatory,ProcessEvent,Enumerated,Microsoft,
 EventVendor,string,Mandatory,UserManagement,,,
 EventVendor,string,Mandatory,WebSession,Enumerated,Microsoft|Squid|Zscaler|Vectra AI|Palo Alto|WatchGuard|Cisco|Forcepoint|Corelight|Dataminr,
diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionSentinelOne.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionSentinelOne.yaml
index 6623d0d68de..c9f29c5e133 100644
--- a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionSentinelOne.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionSentinelOne.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: Network Session ASIM filtering parser for SentinelOne
 Version: '0.1.0'
- LastUpdated: Jul 27 2023
+ LastUpdated: Sep 18 2023
 Product:
 Name: SentinelOne
 Normalization:
@@ -30,25 +30,69 @@ ParserQuery: | "OUTGOING", "Outbound", "INCOMING", "Inbound", ]; - let DeviceTypeLookup = datatable (agentDetectionInfo_machineType_s: string, SrcDeviceType: string) - [ + let DeviceTypeLookup = datatable ( + agentDetectionInfo_machineType_s: string, + SrcDeviceType: string + ) + [ "desktop", "Computer", "server", "Computer", "laptop", "Computer", "kubernetes node", "Other", "unknown", "Other" ]; + let ThreatConfidenceLookup_undefined = datatable( + alertInfo_analystVerdict_s: string, + ThreatConfidence_undefined: int + ) + [ + "FALSE_POSITIVE", 5, + "Undefined", 15, + "SUSPICIOUS", 25, + "TRUE_POSITIVE", 33 + ]; + let ThreatConfidenceLookup_suspicious = datatable( + alertInfo_analystVerdict_s: string, + ThreatConfidence_suspicious: int + ) + [ + "FALSE_POSITIVE", 40, + "Undefined", 50, + "SUSPICIOUS", 60, + "TRUE_POSITIVE", 67 + ]; + let ThreatConfidenceLookup_malicious = datatable( + alertInfo_analystVerdict_s: string, + ThreatConfidence_malicious: int + ) + [ + "FALSE_POSITIVE", 75, + "Undefined", 80, + "SUSPICIOUS", 90, + "TRUE_POSITIVE", 100 + ]; let parser = (disabled: bool=false) { - SentinelOne_CL - | where not(disabled) - and event_name_s == "Alerts." - and alertInfo_eventType_s == "TCPV4" - | lookup NetworkDirectionLookup on alertInfo_netEventDirection_s - | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s + let alldata = SentinelOne_CL + | where not(disabled) + and event_name_s == "Alerts." 
+ and alertInfo_eventType_s == "TCPV4" + | lookup NetworkDirectionLookup on alertInfo_netEventDirection_s + | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s; + let undefineddata = alldata + | where ruleInfo_treatAsThreat_s == "UNDEFINED" + | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s; + let suspiciousdata = alldata + | where ruleInfo_treatAsThreat_s == "Suspicious" + | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s; + let maliciousdata = alldata + | where ruleInfo_treatAsThreat_s == "Malicious" + | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s; + union undefineddata, suspiciousdata, maliciousdata | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s') | extend DstPortNumber = toint(alertInfo_dstPort_s), - SrcPortNumber = toint(alertInfo_srcPort_s) + SrcPortNumber = toint(alertInfo_srcPort_s), + ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious) | project-rename EventStartTime = sourceProcessInfo_pidStarttime_t, DstIpAddr = alertInfo_dstIp_s, @@ -61,7 +105,8 @@ ParserQuery: | EventOriginalUid = alertInfo_dvEventId_s, SrcProcessName = sourceProcessInfo_name_s, SrcProcessId = sourceProcessInfo_pid_s, - SrcUsername = sourceProcessInfo_user_s + SrcUsername = sourceProcessInfo_user_s, + ThreatOriginalConfidence = ruleInfo_treatAsThreat_s | extend EventEndTime = EventStartTime, Dst = DstIpAddr, @@ -73,7 +118,8 @@ ParserQuery: | EventSeverity = iff(EventOriginalSeverity == "Critical", "High", EventOriginalSeverity), SrcDvcIdType = iff(isnotempty(DvcId), "Other", ""), DvcIdType = iff(isnotempty(DvcId), "Other", ""), - SrcUsernameType = _ASIM_GetUsernameType(SrcUsername) + SrcUsernameType = _ASIM_GetUsernameType(SrcUsername), + SrcUserType = _ASIM_GetUserType(SrcUsername, "") | extend Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr), Hostname = SrcHostname 
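Review bot: The `union undefineddata, suspiciousdata, maliciousdata` that closes the new `parser` body silently discards every TCPV4 alert whose `ruleInfo_treatAsThreat_s` is not exactly `"UNDEFINED"`, `"Suspicious"` or `"Malicious"` (empty, differently cased, or a value the vendor adds later), whereas the removed lines emitted all of them — a normalization parser should not drop telemetry because an enrichment key is unrecognized. Because `alldata` is a plain `let` rather than `materialize(...)`, the three branches also scan `SentinelOne_CL` three times. Both issues go away if the score comes from one left-outer `lookup` keyed on both fields, which leaves `ThreatConfidence` null for unmatched rows and keeps the row; upper-casing the keys first also removes the dependence on the mixed casing of the literals, though the exact vendor values should be confirmed since the sample data only shows `UNDEFINED` and `Undefined`. The `project-away ThreatConfidence_*` further down the function would then drop the two temporary key columns instead. The `parser` function continues past the end of this hunk.
```kusto
let ThreatConfidenceLookup = datatable(
    TreatAsThreatKey: string,
    AnalystVerdictKey: string,
    ThreatConfidence: int
)
[
    "UNDEFINED",  "FALSE_POSITIVE", 5,
    "UNDEFINED",  "UNDEFINED",      15,
    "UNDEFINED",  "SUSPICIOUS",     25,
    "UNDEFINED",  "TRUE_POSITIVE",  33,
    "SUSPICIOUS", "FALSE_POSITIVE", 40,
    "SUSPICIOUS", "UNDEFINED",      50,
    "SUSPICIOUS", "SUSPICIOUS",     60,
    "SUSPICIOUS", "TRUE_POSITIVE",  67,
    "MALICIOUS",  "FALSE_POSITIVE", 75,
    "MALICIOUS",  "UNDEFINED",      80,
    "MALICIOUS",  "SUSPICIOUS",     90,
    "MALICIOUS",  "TRUE_POSITIVE",  100
];
let parser = (disabled: bool=false) {
    SentinelOne_CL
    | where not(disabled)
        and event_name_s == "Alerts."
        and alertInfo_eventType_s == "TCPV4"
    | lookup NetworkDirectionLookup on alertInfo_netEventDirection_s
    | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s
    // Case-insensitive keys; rows with no match keep a null ThreatConfidence instead of being dropped.
    | extend
        TreatAsThreatKey = toupper(ruleInfo_treatAsThreat_s),
        AnalystVerdictKey = toupper(alertInfo_analystVerdict_s)
    | lookup ThreatConfidenceLookup on TreatAsThreatKey, AnalystVerdictKey
    | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')
    | extend
        DstPortNumber = toint(alertInfo_dstPort_s),
        SrcPortNumber = toint(alertInfo_srcPort_s)
    // … unchanged: project-rename, extends and project-away (drop TreatAsThreatKey, AnalystVerdictKey there instead of ThreatConfidence_*) …
```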
@@ -101,6 +147,7 @@ ParserQuery: | Computer, MG, ManagementGroupName, - SourceSystem + SourceSystem, + ThreatConfidence_* }; parser(disabled = disabled) \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml index ca8ecb5852c..95a10ad389a 100644 --- a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml +++ b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml @@ -1,7 +1,7 @@ Parser: Title: Network Session ASIM filtering parser for SentinelOne Version: '0.1.0' - LastUpdated: Jul 27 2023 + LastUpdated: Sep 18 2023 Product: Name: SentinelOne Normalization: @@ -57,8 +57,11 @@ ParserQuery: | "OUTGOING", "Outbound", "INCOMING", "Inbound", ]; - let DeviceTypeLookup = datatable (agentDetectionInfo_machineType_s: string, SrcDeviceType: string) - [ + let DeviceTypeLookup = datatable ( + agentDetectionInfo_machineType_s: string, + SrcDeviceType: string + ) + [ "desktop", "Computer", "server", "Computer", "laptop", "Computer", @@ -136,7 +139,8 @@ ParserQuery: | EventSeverity = iff(EventOriginalSeverity == "Critical", "High", EventOriginalSeverity), SrcDvcIdType = iff(isnotempty(DvcId), "Other", ""), DvcIdType = iff(isnotempty(DvcId), "Other", ""), - SrcUsernameType = _ASIM_GetUsernameType(SrcUsername) + SrcUsernameType = _ASIM_GetUsernameType(SrcUsername), + SrcUserType = _ASIM_GetUserType(SrcUsername, "") | extend Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr), Hostname = SrcHostname @@ -165,7 +169,8 @@ ParserQuery: | Computer, MG, ManagementGroupName, - SourceSystem + SourceSystem, + ThreatConfidence_* }; parser( disabled=disabled, diff --git a/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_DataTest.csv b/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_DataTest.csv index 21dc08043a4..5a9ed0ce555 100644 --- a/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_DataTest.csv 
+++ b/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_DataTest.csv
@@ -1,6 +1,7 @@
 Result
 "(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)"
 "(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)"
+"(2) Info: Empty value in 10986 records (96.52%) in optional field [SrcUserType] (Schema:NetworkSession)"
 "(2) Info: Empty value in 10986 records (96.52%) in optional field [SrcUsername] (Schema:NetworkSession)"
 "(2) Info: Empty value in 1718 records (15.09%) in optional field [DvcFQDN] (Schema:NetworkSession)"
 "(2) Info: Empty value in 1718 records (15.09%) in recommended field [DvcDomain] (Schema:NetworkSession)"
diff --git a/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_SchemaTest.csv b/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_SchemaTest.csv
index a4589594eac..50af1297f20 100644
--- a/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_SchemaTest.csv
+++ b/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_SchemaTest.csv
@@ -88,7 +88,6 @@
 "(2) Info: Missing optional field [SrcProcessGuid]"
 "(2) Info: Missing optional field [SrcScopeId]"
 "(2) Info: Missing optional field [SrcUserId]"
-"(2) Info: Missing optional field [SrcUserType]"
 "(2) Info: Missing optional field [SrcVlanId]"
 "(2) Info: Missing optional field [SrcZone]"
 "(2) Info: Missing optional field [TcpFlagsAck]"
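Review bot: The two `(0) Error` lines reporting `SentinelOne` as an invalid enumerated value for `[EventProduct]` and `[EventVendor]` are kept as expected output here, yet this same commit adds `SentinelOne` to both enumerations in `ASIM/dev/ASimTester/ASimTester.csv`, so the file no longer reflects what the tester produces after the change. Re-run the data test against the updated tester and commit its output, which should no longer contain those two lines; the vim DataTest twin in this commit carries the same stale errors. The added `SrcUserType` line is consistent with the `SrcUsername` count, so that part looks right.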
@@ -98,13 +97,11 @@
 "(2) Info: Missing optional field [TcpFlagsSyn]"
 "(2) Info: Missing optional field [TcpFlagsUrg]"
 "(2) Info: Missing optional field [ThreatCategory]"
-"(2) Info: Missing optional field [ThreatConfidence]"
 "(2) Info: Missing optional field [ThreatFirstReportedTime]"
 "(2) Info: Missing optional field [ThreatId]"
 "(2) Info: Missing optional field [ThreatIpAddr]"
 "(2) Info: Missing optional field [ThreatIsActive]"
 "(2) Info: Missing optional field [ThreatLastReportedTime]"
 "(2) Info: Missing optional field [ThreatName]"
-"(2) Info: Missing optional field [ThreatOriginalConfidence]"
 "(2) Info: Missing optional field [ThreatOriginalRiskLevel]"
 "(2) Info: Missing optional field [ThreatRiskLevel]"
diff --git a/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_DataTest.csv b/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_DataTest.csv
index 21dc08043a4..5a9ed0ce555 100644
--- a/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_DataTest.csv
+++ b/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_DataTest.csv
@@ -1,6 +1,7 @@
 Result
 "(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)"
 "(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)"
+"(2) Info: Empty value in 10986 records (96.52%) in optional field [SrcUserType] (Schema:NetworkSession)"
 "(2) Info: Empty value in 10986 records (96.52%) in optional field [SrcUsername] (Schema:NetworkSession)"
 "(2) Info: Empty value in 1718 records (15.09%) in optional field [DvcFQDN] (Schema:NetworkSession)"
 "(2) Info: Empty value in 1718 records (15.09%) in recommended field [DvcDomain] (Schema:NetworkSession)"
diff --git a/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_SchemaTest.csv b/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_SchemaTest.csv
index a8589c94648..96e3c645f5c 100644
--- a/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_SchemaTest.csv
+++ b/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_SchemaTest.csv
@@ -86,7 +86,6 @@
 "(2) Info: Missing optional field [SrcProcessGuid]"
 "(2) Info: Missing optional field [SrcScopeId]"
 "(2) Info: Missing optional field [SrcUserId]"
-"(2) Info: Missing optional field [SrcUserType]"
 "(2) Info: Missing optional field [SrcVlanId]"
 "(2) Info: Missing optional field [SrcZone]"
 "(2) Info: Missing optional field [TcpFlagsAck]"
@@ -103,6 +102,5 @@
 "(2) Info: Missing optional field [ThreatIsActive]"
 "(2) Info: Missing optional field [ThreatLastReportedTime]"
 "(2) Info: Missing optional field [ThreatName]"
-"(2) Info: Missing optional field [ThreatOriginalConfidence]"
 "(2) Info: Missing optional field [ThreatOriginalRiskLevel]"
 "(2) Info: Missing optional field [ThreatRiskLevel]"
From f3348acd208640131c40b3385b3ee27075253fec Mon Sep 17 00:00:00 2001
From: Jayesh Prajapati
Date: Mon, 18 Sep 2023 20:02:21 +0530
Subject: [PATCH 4/4] Added inspection field in vim file.
---
 .../Parsers/vimNetworkSessionSentinelOne.yaml | 50 +++++++++++++++++--
 ...ntinelOne_vimNetworkSession_SchemaTest.csv | 1 -
 2 files changed, 46 insertions(+), 5 deletions(-)
diff --git a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml
index 95a10ad389a..7a6594d524c 100644
--- a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml
@@ -68,6 +68,36 @@ ParserQuery: | "kubernetes node", "Other", "unknown", "Other" ]; + let ThreatConfidenceLookup_undefined = datatable( + alertInfo_analystVerdict_s: string, + ThreatConfidence_undefined: int + ) + [ + "FALSE_POSITIVE", 5, + "Undefined", 15, + "SUSPICIOUS", 25, + "TRUE_POSITIVE", 33 + ]; + let ThreatConfidenceLookup_suspicious = datatable( + alertInfo_analystVerdict_s: string, + ThreatConfidence_suspicious: int + ) + [ + "FALSE_POSITIVE", 40, + "Undefined", 50, + "SUSPICIOUS", 60, + "TRUE_POSITIVE", 67 + ]; + let ThreatConfidenceLookup_malicious = datatable( + alertInfo_analystVerdict_s: string, + ThreatConfidence_malicious: int + ) + [ + "FALSE_POSITIVE", 75, + "Undefined", 80, + "SUSPICIOUS", 90, + "TRUE_POSITIVE", 100 + ]; let parser=( disabled: bool=false, starttime: datetime=datetime(null), @@ -82,7 +112,7 @@ ParserQuery: | ) { let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); - SentinelOne_CL + let alldata = SentinelOne_CL | where not(disabled) and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) 
@@ -108,13 +138,24 @@ ParserQuery: | "No match" ), ASimMatchingHostname = "SrcHostname" - | where ASimMatchingIpAddr != "No match" + | where ASimMatchingIpAddr != "No match"; + let undefineddata = alldata + | where ruleInfo_treatAsThreat_s == "UNDEFINED" + | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s; + let suspiciousdata = alldata + | where ruleInfo_treatAsThreat_s == "Suspicious" + | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s; + let maliciousdata = alldata + | where ruleInfo_treatAsThreat_s == "Malicious" + | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s; + union undefineddata, suspiciousdata, maliciousdata | lookup NetworkDirectionLookup on alertInfo_netEventDirection_s | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s') | extend DstPortNumber = toint(alertInfo_dstPort_s), - SrcPortNumber = toint(alertInfo_srcPort_s) + SrcPortNumber = toint(alertInfo_srcPort_s), + ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious) | project-rename EventStartTime = sourceProcessInfo_pidStarttime_t, DstIpAddr = alertInfo_dstIp_s, @@ -127,7 +168,8 @@ ParserQuery: | EventOriginalUid = alertInfo_dvEventId_s, SrcProcessName = sourceProcessInfo_name_s, SrcProcessId = sourceProcessInfo_pid_s, - SrcUsername = sourceProcessInfo_user_s + SrcUsername = sourceProcessInfo_user_s, + ThreatOriginalConfidence = ruleInfo_treatAsThreat_s | extend EventEndTime = EventStartTime, Dst = DstIpAddr, diff --git a/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_SchemaTest.csv b/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_SchemaTest.csv index 96e3c645f5c..77b1fa0c1f6 100644 --- a/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_SchemaTest.csv +++ b/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_SchemaTest.csv 
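Review bot: The `union undefineddata, suspiciousdata, maliciousdata` added in this hunk drops every record whose `ruleInfo_treatAsThreat_s` is not literally `"UNDEFINED"`, `"Suspicious"` or `"Malicious"`, so an alert that survived the time and IP-prefix filters in `alldata` can still vanish from the filtering parser's output for a reason unrelated to the caller's filter parameters; before the change those rows were emitted with the filter-match columns intact. `alldata` is also a plain `let`, so each of the three branches re-runs the full `where` pipeline over `SentinelOne_CL`. Prefer one left-outer `lookup ThreatConfidenceLookup on ruleInfo_treatAsThreat_s, alertInfo_analystVerdict_s` against a single two-key datatable, which scores matched rows and leaves `ThreatConfidence` null for the rest without any union; if the split is kept, at least define `alldata` with `materialize(...)`. The `parser` function starts and ends outside this hunk.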
@@ -95,7 +95,6 @@
 "(2) Info: Missing optional field [TcpFlagsSyn]"
 "(2) Info: Missing optional field [TcpFlagsUrg]"
 "(2) Info: Missing optional field [ThreatCategory]"
-"(2) Info: Missing optional field [ThreatConfidence]"
 "(2) Info: Missing optional field [ThreatFirstReportedTime]"
 "(2) Info: Missing optional field [ThreatId]"
 "(2) Info: Missing optional field [ThreatIpAddr]"