Azure · v-atulyadav · Sep 22, 2023 · Jul 30, 2023 · Aug 24, 2023 · Aug 28, 2023
@@ -75,6 +75,6 @@ ParserQuery: |
     , ASimNetworkSessionMicrosoftSysmon               (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSysmon'      in (DisabledParsers) ))
     , ASimNetworkSessionForcePointFirewall            (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionForcePointFirewall'      in (DisabledParsers) ))
     , ASimNetworkSessionNative                        (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionNative'      in (DisabledParsers) ))
-    , ASimNetworkSessionCiscoMeraki                   (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki'      in (DisabledParsers) ))
+    , ASimNetworkSessionSentinelOne                   (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSentinelOne'      in (DisabledParsers) ))
   };
   NetworkSessionsGeneric (pack=pack)
@@ -0,0 +1,100 @@
+Parser:
+  Title: Network Session ASIM filtering parser for SentinelOne
+  Version: '0.1.1'
+  LastUpdated: Jul 27 2023
+Product:
+  Name: SentinelOne
+Normalization:
+  Schema: NetworkSession
+  Version: '0.2.6'
+References:
+- Title: ASIM Network Session Schema
+  Link: https://aka.ms/ASimNetworkSessionDoc
+- Title: ASIM
+  Link: https:/aka.ms/AboutASIM
+- Title: SentinelOne Documentation
+- Link: https://<SOneInstanceDomain>.sentinelone.net/api-doc/overview
+Description: |
+  This ASIM parser supports normalizing SentinelOne logs to the ASIM Network Session normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API.
+ParserName: ASimNetworkSessionSentinelOne
+EquivalentBuiltInParser: _Im_NetworkSession_SentinelOne
+ParserParams:
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: |
+  let NetworkDirectionLookup = datatable (
+      alertInfo_netEventDirection_s: string, 
+      NetworkDirection: string
+  )[
+      "OUTGOING", "Outbound",
+      "INCOMING", "Inbound",
+  ];
+  let parser = (disabled: bool=false) {
+      SentinelOne_CL
+      | where not(disabled) 
+          and event_name_s == "Alerts." 
+          and alertInfo_eventType_s == "TCPV4"
+      | lookup NetworkDirectionLookup on alertInfo_netEventDirection_s
+      | extend 
+          DstPortNumber = toint(alertInfo_dstPort_s),
+          SrcPortNumber = toint(alertInfo_srcPort_s),
+          AdditionalFields = bag_pack(
+                        "MachineType",
+                        agentDetectionInfo_machineType_s,
+                        "OsRevision",
+                        agentDetectionInfo_osRevision_s
+                    )
+      | project-rename
+          EventStartTime = sourceProcessInfo_pidStarttime_t,
+          DstIpAddr = alertInfo_dstIp_s,
+          DvcHostname = agentDetectionInfo_name_s,
+          EventUid = _ResourceId,
+          SrcIpAddr = alertInfo_srcIp_s,
+          DvcId = agentDetectionInfo_uuid_g,
+          DvcOs = agentDetectionInfo_osName_s,
+          DvcOsVersion = agentDetectionInfo_version_s,
+          EventOriginalSeverity = ruleInfo_severity_s,
+          EventOriginalUid = alertInfo_dvEventId_s,
+          SrcProcessName = sourceProcessInfo_name_s,
+          SrcProcessId = sourceProcessInfo_pid_s,
+          SrcUsername = sourceProcessInfo_user_s
+      | extend
+          EventEndTime = EventStartTime,
+          Dst = DstIpAddr,
+          DvcIpAddr = SrcIpAddr,
+          Src = SrcIpAddr,
+          SrcHostname = DvcHostname,
+          SrcDvcId = DvcId,
+          IpAddr = SrcIpAddr,
+          EventSeverity = iff(EventOriginalSeverity == "Critical", "High", EventOriginalSeverity),
+          SrcDvcIdType = iff(isnotempty(DvcId), "Other", ""),
+          DvcIdType = iff(isnotempty(DvcId), "Other", ""),
+          SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)
+      | extend
+          Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr)
+      | extend
+          EventCount = int(1),
+          EventProduct = "SentinelOne",
+          EventResult = "Success",
+          EventSchema = "NetworkSession",
+          EventSchemaVersion = "0.2.6",
+          EventResultDetails = "Unknown",
+          EventType = "EndpointNetworkSession",
+          EventVendor = "SentinelOne",
+          NetworkProtocol = "TCP",
+          NetworkProtocolVersion = "IPv4"
+      | project-away
+          *_d,
+          *_s,
+          *_g,
+          *_t,
+          *_b,
+          TenantId,
+          RawData,
+          Computer,
+          MG,
+          ManagementGroupName,
+          SourceSystem
+  };
+  parser(disabled = disabled)
@@ -108,6 +108,6 @@ ParserQuery: |
     , vimNetworkSessionCiscoASA                        (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoASA'      in (DisabledParsers) ))
     , vimNetworkSessionForcePointFirewall              (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionForcePointFirewall'      in (DisabledParsers) ))
     , vimNetworkSessionNative                          (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionNative'      in (DisabledParsers) ))
-    , vimNetworkSessionCiscoMeraki                     (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki'      in (DisabledParsers) ))
+    , vimNetworkSessionSentinelOne                     (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionSentinelOne'      in (DisabledParsers) ))
   };
   NetworkSessionsGeneric(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, pack=pack)
@@ -0,0 +1,175 @@
+Parser:
+  Title: Network Session ASIM filtering parser for SentinelOne
+  Version: '0.1.1'
+  LastUpdated: Jul 27 2023
+Product:
+  Name: SentinelOne
+Normalization:
+  Schema: NetworkSession
+  Version: '0.2.6'
+References:
+- Title: ASIM Network Session Schema
+  Link: https://aka.ms/ASimNetworkSessionDoc
+- Title: ASIM
+  Link: https:/aka.ms/AboutASIM
+- Title: SentinelOne Documentation
+- Link: https://<SOneInstanceDomain>.sentinelone.net/api-doc/overview
+Description: |
+  This ASIM parser supports normalizing SentinelOne logs to the ASIM Network Session normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API.
+ParserName: vimNetworkSessionSentinelOne
+EquivalentBuiltInParser: _Im_NetworkSession_SentinelOne
+ParserParams:
+  - Name: starttime
+    Type: datetime
+    Default: datetime(null)
+  - Name: endtime
+    Type: datetime
+    Default: datetime(null)
+  - Name: srcipaddr_has_any_prefix
+    Type: dynamic
+    Default: dynamic([])
+  - Name: dstipaddr_has_any_prefix
+    Type: dynamic
+    Default: dynamic([])
+  - Name: ipaddr_has_any_prefix
+    Type: dynamic
+    Default: dynamic([])
+  - Name: dstportnumber
+    Type: int
+    Default: int(null)
+  - Name: dvcaction
+    Type: dynamic
+    Default: dynamic([])
+  - Name: hostname_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: eventresult
+    Type: string
+    Default: '*'
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: |
+  let NetworkDirectionLookup = datatable (
+      alertInfo_netEventDirection_s: string, 
+      NetworkDirection: string
+  )[
+      "OUTGOING", "Outbound",
+      "INCOMING", "Inbound",
+  ];
+  let parser=(
+      disabled: bool=false, 
+      starttime: datetime=datetime(null), 
+      endtime: datetime=datetime(null), 
+      eventresult: string='*', 
+      srcipaddr_has_any_prefix: dynamic=dynamic([]),
+      dstipaddr_has_any_prefix: dynamic=dynamic([]),
+      ipaddr_has_any_prefix: dynamic=dynamic([]), 
+      hostname_has_any: dynamic=dynamic([]),
+      dstportnumber: int=int(null),
+      dvcaction: dynamic=dynamic([])
+      ) {
+      let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); 
+      let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);
+      SentinelOne_CL
+      | where not(disabled) 
+          and (isnull(starttime) or TimeGenerated >= starttime)
+          and (isnull(endtime) or TimeGenerated <= endtime)
+          and event_name_s == "Alerts."
+          and alertInfo_eventType_s == "TCPV4"
+          and (eventresult == "*" or eventresult == "Success")
+          and (isnull(dstportnumber) or toint(alertInfo_dstPort_s) == dstportnumber)
+          and (array_length(hostname_has_any) == 0 or agentDetectionInfo_name_s has_any (hostname_has_any))
+          and array_length(dvcaction) == 0
+      | extend
+          temp_SrcMatch = has_any_ipv4_prefix(alertInfo_srcIp_s, src_or_any),
+          temp_DstMatch = has_any_ipv4_prefix(alertInfo_dstIp_s, dst_or_any)
+      | extend 
+          ASimMatchingIpAddr=case(
+                        array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,
+                        "-",
+                        temp_SrcMatch and temp_DstMatch,
+                        "Both",
+                        temp_SrcMatch,
+                        "SrcIpAddr",
+                        temp_DstMatch,
+                        "DstIpAddr",
+                        "No match"
+                    ),
+          ASimMatchingHostname = "SrcHostname"
+      | where ASimMatchingIpAddr != "No match"
+      | lookup NetworkDirectionLookup on alertInfo_netEventDirection_s
+      | extend 
+          DstPortNumber = toint(alertInfo_dstPort_s),
+          SrcPortNumber = toint(alertInfo_srcPort_s),
+          AdditionalFields = bag_pack(
+                        "MachineType",
+                        agentDetectionInfo_machineType_s,
+                        "OsRevision",
+                        agentDetectionInfo_osRevision_s
+                    )
+      | project-rename
+          EventStartTime = sourceProcessInfo_pidStarttime_t,
+          DstIpAddr = alertInfo_dstIp_s,
+          DvcHostname = agentDetectionInfo_name_s,
+          EventUid = _ResourceId,
+          SrcIpAddr = alertInfo_srcIp_s,
+          DvcId = agentDetectionInfo_uuid_g,
+          DvcOs = agentDetectionInfo_osName_s,
+          DvcOsVersion = agentDetectionInfo_version_s,
+          EventOriginalSeverity = ruleInfo_severity_s,
+          EventOriginalUid = alertInfo_dvEventId_s,
+          SrcProcessName = sourceProcessInfo_name_s,
+          SrcProcessId = sourceProcessInfo_pid_s,
+          SrcUsername = sourceProcessInfo_user_s
+      | extend
+          EventEndTime = EventStartTime,
+          Dst = DstIpAddr,
+          DvcIpAddr = SrcIpAddr,
+          Src = SrcIpAddr,
+          SrcHostname = DvcHostname,
+          SrcDvcId = DvcId,
+          IpAddr = SrcIpAddr,
+          EventSeverity = iff(EventOriginalSeverity == "Critical", "High", EventOriginalSeverity),
+          SrcDvcIdType = iff(isnotempty(DvcId), "Other", ""),
+          DvcIdType = iff(isnotempty(DvcId), "Other", ""),
+          SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)
+      | extend
+          Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr)
+      | extend
+          EventCount = int(1),
+          EventProduct = "SentinelOne",
+          EventResult = "Success",
+          EventSchema = "NetworkSession",
+          EventSchemaVersion = "0.2.6",
+          EventResultDetails = "Unknown",
+          EventType = "EndpointNetworkSession",
+          EventVendor = "SentinelOne",
+          NetworkProtocol = "TCP",
+          NetworkProtocolVersion = "IPv4"
+      | project-away
+          *_d,
+          *_s,
+          *_g,
+          *_t,
+          *_b,
+          temp*,
+          TenantId,
+          RawData,
+          Computer,
+          MG,
+          ManagementGroupName,
+          SourceSystem
+  };
+  parser(
+      disabled=disabled,
+      starttime=starttime, 
+      endtime=endtime,
+      eventresult=eventresult,
+      srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,
+      dstipaddr_has_any_prefix=dstipaddr_has_any_prefix,
+      ipaddr_has_any_prefix=ipaddr_has_any_prefix,
+      hostname_has_any=hostname_has_any,
+      dstportnumber=dstportnumber,
+      dvcaction=dvcaction
+  )
@@ -0,0 +1,8 @@
+Result
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 9664 records (84.91%) for field [DvcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:NetworkSession)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 9664 records (84.91%) for field [SrcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:NetworkSession)"
+"(2) Info: Empty value in 10986 records (96.52%)  in optional field [SrcUsername] (Schema:NetworkSession)"
+"(2) Info: Empty value in 11382 records (100.0%)  in recommended field [EventUid] (Schema:NetworkSession)"
+"(2) Info: Empty value in 2 records (0.02%)  in optional field [SrcProcessName] (Schema:NetworkSession)"