
ASIM Process Event schema parser with its sample and test data for SentinelOne #8669

Merged
merged 12 commits into from
Sep 27, 2023

Conversation

jayeshprajapaticrest
Contributor

Required items, please complete

Change(s):

  • Added ASIM Process Event schema parser for SentinelOne based on API Data

Reason for Change(s):

  • Initial version ASIM Process Event Parser

Version Updated:

  • Initial version

Testing Completed:

  • Yes

Checked that the validations are passing and have addressed any issues that are present:

  • Yes

@jayeshprajapaticrest jayeshprajapaticrest requested review from a team as code owners July 30, 2023 07:27
@v-sudkharat
Contributor

Hello @jayeshprajapaticrest, thank you for raising a Pull Request with us! We will review it internally and get back to you shortly.

@vakohl
Contributor

vakohl commented Aug 12, 2023

ETA: for review by 18th Aug

@v-rbajaj
Contributor

Hi @jayeshprajapaticrest, can you please make the above suggested changes?

@v-rbajaj
Contributor

Hi @jayeshprajapaticrest, please make the above suggested changes.

@v-rbajaj
Contributor

Hi @jayeshprajapaticrest, can you please make the suggested changes?

@v-rbajaj
Contributor

Hi @jayeshprajapaticrest, can you please make the suggested changes?

@jayeshprajapaticrest
Contributor Author

Hi @jayeshprajapaticrest, can you please make the suggested changes?

The suggested changes are made in commit 868ebb8, and the unifying parser related changes are done in commit e94a8d9.

@v-atulyadav
Contributor

Hi @jayeshprajapaticrest,
KQL validations are failing for the items mentioned below. Please have a look at them. Thanks

@jayeshprajapaticrest
Contributor Author

@v-atulyadav Two validation errors got resolved. The error we are currently getting is not because of our code implementation. As I checked, it is in the other ASIM parser added in the unifying parser file.

Jayesh Prajapati added 2 commits September 18, 2023 20:07
…ent Vendor in tester file and updated sample data as per change.
@niralishah-crest
Contributor

@vakohl we have mapped the inspection fields below in the ProcessCreate parser, which we found from SentinelOne Alerts logs.
RuleName
Rule
ThreatConfidence
ThreatOriginalConfidence

@vakohl
Contributor

vakohl commented Sep 20, 2023

@v-atulyadav can you check the validation error?

@vakohl
Contributor

vakohl commented Sep 22, 2023

@v-atulyadav Two validation errors got resolved. The error we are currently getting is not because of our code implementation. As I checked, it is in the other ASIM parser added in the unifying parser file.

@jayeshprajapaticrest can you pull the latest files from GitHub? There might be some changes done recently to the process union parser files. See if this resolves the error.

@v-atulyadav
Contributor

Hi @vakohl @jayeshprajapaticrest,
It still fails for the below error after pulling the latest master from this branch. Thanks


@jayeshprajapaticrest
Contributor Author

Hi @vakohl @jayeshprajapaticrest, It still fails for the below error after pulling the latest master from this branch. Thanks


@vakohl @v-atulyadav I also merged the latest from master into the PR, but it gives the error.

@v-atulyadav v-atulyadav merged commit e1e09d0 into Azure:master Sep 27, 2023
25 checks passed