diff --git a/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateSentinelOne.yaml b/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateSentinelOne.yaml new file mode 100644 index 00000000000..b95d4f15137 --- /dev/null +++ b/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateSentinelOne.yaml @@ -0,0 +1,153 @@ +Parser: + Title: Process Create ASIM parser for SentinelOne + Version: '0.1.0' + LastUpdated: Sep 18, 2023 +Product: + Name: SentinelOne +Normalization: + Schema: ProcessEvent + Version: '0.1.4' +References: +- Title: ASIM ProcessEvent Schema + Link: https://aka.ms/ASimProcessEventDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +- Title: SentinelOne Documentation +- Link: https://.sentinelone.net/api-doc/overview +Description: | + This ASIM parser supports normalizing SentinelOne logs to the ASIM Process Event normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API. +ParserName: ASimProcessCreateSentinelOne +EquivalentBuiltInParser: _ASim_ProcessCreate_SentinelOne +ParserParams: + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let ThreatConfidenceLookup_undefined = datatable( + alertInfo_analystVerdict_s: string, + ThreatConfidence_undefined: int + ) + [ + "FALSE_POSITIVE", 5, + "Undefined", 15, + "SUSPICIOUS", 25, + "TRUE_POSITIVE", 33 + ]; + let ThreatConfidenceLookup_suspicious = datatable( + alertInfo_analystVerdict_s: string, + ThreatConfidence_suspicious: int + ) + [ + "FALSE_POSITIVE", 40, + "Undefined", 50, + "SUSPICIOUS", 60, + "TRUE_POSITIVE", 67 + ]; + let ThreatConfidenceLookup_malicious = datatable( + alertInfo_analystVerdict_s: string, + ThreatConfidence_malicious: int + ) + [ + "FALSE_POSITIVE", 75, + "Undefined", 80, + "SUSPICIOUS", 90, + "TRUE_POSITIVE", 100 + ]; + let parser = (disabled: bool=false) { + let alldata = SentinelOne_CL + | where not(disabled) + and event_name_s == "Alerts." + and alertInfo_eventType_s == "PROCESSCREATION"; + let undefineddata = alldata + | where ruleInfo_treatAsThreat_s == "UNDEFINED" + | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s; + let suspiciousdata = alldata + | where ruleInfo_treatAsThreat_s == "Suspicious" + | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s; + let maaliciousdata = alldata + | where ruleInfo_treatAsThreat_s == "Malicious" + | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s; + union undefineddata, suspiciousdata, maaliciousdata + | extend ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious) + | project-rename + DvcId = agentDetectionInfo_uuid_g, + EventStartTime = sourceProcessInfo_pidStarttime_t, + TargetProcessCommandLine = targetProcessInfo_tgtProcCmdLine_s, + TargetProcessId = targetProcessInfo_tgtProcPid_s, + TargetProcessName = targetProcessInfo_tgtProcName_s, + EventUid = _ItemId, + TargetProcessCreationTime = targetProcessInfo_tgtProcessStartTime_t, + ActingProcessName = sourceProcessInfo_name_s, + ParentProcessName = sourceParentProcessInfo_name_s, + ActingProcessCommandLine = sourceProcessInfo_commandline_s, + ActingProcessGuid = sourceProcessInfo_uniqueId_g, + ActingProcessSHA1 = sourceProcessInfo_fileHashSha1_s, + ParentProcessSHA1 = sourceParentProcessInfo_fileHashSha1_s, + ActingProcessSHA256 = sourceProcessInfo_fileHashSha256_s, + ParentProcessSHA256 = sourceParentProcessInfo_fileHashSha256_s, + DvcOs = agentDetectionInfo_osName_s, + DvcOsVersion = agentDetectionInfo_osRevision_s, + TargetProcessIntegrityLevel = targetProcessInfo_tgtProcIntegrityLevel_s, + EventOriginalType = alertInfo_eventType_s, + EventOriginalSeverity = ruleInfo_severity_s, + EventOriginalUid = alertInfo_dvEventId_s, + RuleName = ruleInfo_name_s, + ThreatOriginalConfidence = ruleInfo_treatAsThreat_s + | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s') + | extend + ActingProcessId = sourceProcessInfo_pid_s, + ActorUsername = sourceProcessInfo_user_s, + TargetUsername = sourceProcessInfo_user_s, + Hash = coalesce(targetProcessInfo_tgtFileHashSha256_s, targetProcessInfo_tgtFileHashSha1_s), + ParentProcessId = sourceProcessInfo_pid_s, + TargetProcessSHA1 = targetProcessInfo_tgtFileHashSha1_s, + TargetProcessSHA256 = targetProcessInfo_tgtFileHashSha256_s, + ParentProcessMD5 = replace_string(sourceParentProcessInfo_fileHashMd5_g, "-", ""), + ActingProcessMD5 = replace_string(sourceProcessInfo_fileHashMd5_g, "-", ""), + EventSeverity = iff(EventOriginalSeverity == "Critical", "High", EventOriginalSeverity) + | extend + EventCount = int(1), + EventProduct = "SentinelOne", + EventResult = "Success", + DvcAction = "Allowed", + EventSchemaVersion = "0.1.4", + EventType = "ProcessCreated", + EventVendor = "SentinelOne", + EventSchema = "ProcessEvent" + | extend + Dvc = DvcId, + EventEndTime = EventStartTime, + User = TargetUsername, + ActingProcessCreationTime = EventStartTime, + CommandLine = TargetProcessCommandLine, + Process = TargetProcessName, + Rule = RuleName + | extend + HashType = case( + isnotempty(Hash) and isnotempty(TargetProcessSHA256), + "TargetProcessSHA256", + isnotempty(Hash) and isnotempty(TargetProcessSHA1), + "TargetProcessSHA1", + "" + ), + TargetUsernameType = _ASIM_GetUsernameType(TargetUsername), + TargetUserType = _ASIM_GetUserType(TargetUsername, ""), + DvcIdType = iff(isnotempty(DvcId), "Other", ""), + ActorUsernameType = _ASIM_GetUsernameType(ActorUsername), + ActorUserType = _ASIM_GetUserType(ActorUsername, "") + | project-away + *_d, + *_s, + *_g, + *_t, + *_b, + _ResourceId, + TenantId, + RawData, + Computer, + MG, + ManagementGroupName, + SourceSystem, + ThreatConfidence_* + }; + parser(disabled=disabled) \ No newline at end of file diff --git a/Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml b/Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml index 552eb6156ff..798cec4733f 100644 --- a/Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml +++ b/Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml @@ -29,6 +29,7 @@ Parsers: - _ASim_ProcessEvent_TerminateMicrosoftWindowsEvents - _ASim_ProcessEvent_CreateMicrosoftWindowsEvents - _ASim_ProcessEvent_MD4IoT + - _ASim_ProcessEvent_CreateSentinelOne ParserQuery: | let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser); @@ -44,4 +45,5 @@ ParserQuery: | ASimProcessTerminateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateLinuxSysmon' in (DisabledParsers) )), ASimProcessTerminateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )), ASimProcessCreateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )), - ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoTh' in (DisabledParsers) )) + ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoTh' in (DisabledParsers) )), + ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) )) diff --git a/Parsers/ASimProcessEvent/Parsers/ASimProcessEventCreate.yaml b/Parsers/ASimProcessEvent/Parsers/ASimProcessEventCreate.yaml index f62795df256..9ea454cfd02 100644 --- a/Parsers/ASimProcessEvent/Parsers/ASimProcessEventCreate.yaml +++ b/Parsers/ASimProcessEvent/Parsers/ASimProcessEventCreate.yaml @@ -24,6 +24,7 @@ Parsers: - _ASim_ProcessEvent_CreateLinuxSysmon - _ASim_ProcessEvent_CreateMicrosoftWindowsEvents - _ASim_ProcessEvent_MD4IoT + - _ASim_ProcessEvent_CreateSentinelOne ParserQuery: | let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcessEventCreate') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser); @@ -35,4 +36,5 @@ ParserQuery: | ASimProcessCreateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) )), ASimProcessCreateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateLinuxSysmon' in (DisabledParsers) )), ASimProcessCreateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )), - ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) )) + ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) )), + ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) )) diff --git a/Parsers/ASimProcessEvent/Parsers/imProcess.yaml b/Parsers/ASimProcessEvent/Parsers/imProcess.yaml new file mode 100644 index 00000000000..ba5161b191d --- /dev/null +++ b/Parsers/ASimProcessEvent/Parsers/imProcess.yaml @@ -0,0 +1,94 @@ +Parser: + Title: Process Event ASIM parser + Version: '0.1.1' + LastUpdated: Aug 28, 2023 +Product: + Name: Source Agnostic +Normalization: + Schema: ProcessEvent + Version: '0.1.0' +References: +- Title: ASIM Process Schema + Link: https://aka.ms/ASimProcessEventDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +Description: | + This ASIM parser supports normalizing process event logs from all supported sources to the ASIM ProcessEvent normalized schema. +ParserName: imProcess +ParserParams: + - Name: starttime + Type: datetime + Default: datetime(null) + - Name: endtime + Type: datetime + Default: datetime(null) + - Name: commandline_has_any + Type: dynamic + Default: dynamic([]) + - Name: commandline_has_all + Type: dynamic + Default: dynamic([]) + - Name: commandline_has_any_ip_prefix + Type: dynamic + Default: dynamic([]) + - Name: actingprocess_has_any + Type: dynamic + Default: dynamic([]) + - Name: targetprocess_has_any + Type: dynamic + Default: dynamic([]) + - Name: parentprocess_has_any + Type: dynamic + Default: dynamic([]) + - Name: targetusername_has + Type: string + Default: '*' + - Name: actorusername_has + Type: string + Default: '*' + - Name: dvcipaddr_has_any_prefix + Type: dynamic + Default: dynamic([]) + - Name: dvchostname_has_any + Type: dynamic + Default: dynamic([]) + - Name: eventtype + Type: string + Default: '*' + - Name: hashes_has_any + Type: dynamic + Default: dynamic([]) +ParserQuery: | + let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), targetusername_has:string='*', actorusername_has:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvchostname_has_any:dynamic=dynamic([]), eventtype:string='*', hashes_has_any:dynamic=dynamic([])){ + let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser); + let imProcessBuiltInDisabled=toscalar('ExcludeimProcessBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); + union isfuzzy=true + vimProcessEmpty + , vimProcessEventMicrosoft365D ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessEventMicrosoft365D' in (DisabledParsers) ))) + , vimProcessCreateMicrosoftSysmon ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSysmon' in (DisabledParsers) ))) + , vimProcessTerminateMicrosoftSysmon ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername_has=actorusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSysmon' in (DisabledParsers) ))) + , vimProcessCreateMicrosoftSecurityEvents ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) ))) + , vimProcessTerminateMicrosoftSecurityEvents ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername=actorusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) ))) + , vimProcessCreateLinuxSysmon ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessCreateLinuxSysmon' in (DisabledParsers) ))) + , vimProcessTerminateLinuxSysmon ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername=actorusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessTerminateLinuxSysmon' in (DisabledParsers) ))) + , vimProcessTerminateMicrosoftWindowsEvents ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername_has=actorusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) ))) + , vimProcessCreateMicrosoftWindowsEvents ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) ))) + , vimProcessEventMD4IoT ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessEventMD4IoT' in (DisabledParsers) ))) + , vimProcessCreateSentinelOne ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessCreateSentinelOne' in (DisabledParsers) ))) + }; + Generic(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any) + +EquivalentBuiltInParser: _Im_Process +Parsers: + - _Im_Process_Empty + - _Im_ProcessEvent_Microsoft365D + - _Im_ProcessCreate_MicrosoftSysmon + - _Im_ProcessTerminate_MicrosoftSysmon + - _Im_ProcessCreate_MicrosoftSecurityEvents + - _Im_ProcessTerminate_MicrosoftSecurityEvents + - _Im_ProcessCreate_LinuxSysmon + - _Im_ProcessTerminate_LinuxSysmon + - _Im_ProcessTerminate_MicrosoftWindowsEvents + - _Im_ProcessCreate_MicrosoftWindowsEvents + - _Im_ProcessCreate_MD4IoT + - _Im_ProcessCreate_SentinelOne diff --git a/Parsers/ASimProcessEvent/Parsers/imProcessCreate.yaml b/Parsers/ASimProcessEvent/Parsers/imProcessCreate.yaml index 6025f6a35a6..ccb0ccfe4b7 100644 --- a/Parsers/ASimProcessEvent/Parsers/imProcessCreate.yaml +++ b/Parsers/ASimProcessEvent/Parsers/imProcessCreate.yaml @@ -66,7 +66,8 @@ ParserQuery: | vimProcessCreateMicrosoftSecurityEvents(starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) ))), vimProcessCreateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateLinuxSysmon' in (DisabledParsers) ))), vimProcessCreateMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) ))), - vimProcessCreateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventMD4IoT' in (DisabledParsers) ))) + vimProcessCreateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventMD4IoT' in (DisabledParsers) ))), + vimProcessCreateSentinelOne (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateSentinelOne' in (DisabledParsers) ))) }; Generic(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcipaddr_has_any_prefix, hashes_has_any=hashes_has_any, eventtype=eventtype) @@ -79,4 +80,5 @@ Parsers: - _Im_ProcessCreate_LinuxSysmon - _Im_ProcessCreate_MicrosoftWindowsEvents - _Im_ProcessCreate_MD4IoT + - _Im_ProcessCreate_SentinelOne diff --git a/Parsers/ASimProcessEvent/Parsers/vimProcessCreateSentinelOne.yaml b/Parsers/ASimProcessEvent/Parsers/vimProcessCreateSentinelOne.yaml new file mode 100644 index 00000000000..d40656aec75 --- /dev/null +++ b/Parsers/ASimProcessEvent/Parsers/vimProcessCreateSentinelOne.yaml @@ -0,0 +1,234 @@ +Parser: + Title: Process Create ASIM parser for SentinelOne + Version: '0.1.0' + LastUpdated: Sep 18, 2023 +Product: + Name: SentinelOne +Normalization: + Schema: ProcessEvent + Version: '0.1.4' +References: +- Title: ASIM ProcessEvent Schema + Link: https://aka.ms/ASimProcessEventDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +- Title: SentinelOne Documentation +- Link: https://.sentinelone.net/api-doc/overview +Description: | + This ASIM parser supports normalizing SentinelOne logs to the ASIM Process Event normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API. +ParserName: vimProcessCreateSentinelOne +EquivalentBuiltInParser: _Im_ProcessCreate_SentinelOne +ParserParams: + - Name: starttime + Type: datetime + Default: datetime(null) + - Name: endtime + Type: datetime + Default: datetime(null) + - Name: commandline_has_any + Type: dynamic + Default: dynamic([]) + - Name: commandline_has_all + Type: dynamic + Default: dynamic([]) + - Name: commandline_has_any_ip_prefix + Type: dynamic + Default: dynamic([]) + - Name: actingprocess_has_any + Type: dynamic + Default: dynamic([]) + - Name: targetprocess_has_any + Type: dynamic + Default: dynamic([]) + - Name: parentprocess_has_any + Type: dynamic + Default: dynamic([]) + - Name: targetusername_has + Type: string + Default: '*' + - Name: dvcipaddr_has_any_prefix + Type: dynamic + Default: dynamic([]) + - Name: dvchostname_has_any + Type: dynamic + Default: dynamic([]) + - Name: eventtype + Type: string + Default: '*' + - Name: hashes_has_any + Type: dynamic + Default: dynamic([]) + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let ThreatConfidenceLookup_undefined = datatable( + alertInfo_analystVerdict_s: string, + ThreatConfidence_undefined: int + ) + [ + "FALSE_POSITIVE", 5, + "Undefined", 15, + "SUSPICIOUS", 25, + "TRUE_POSITIVE", 33 + ]; + let ThreatConfidenceLookup_suspicious = datatable( + alertInfo_analystVerdict_s: string, + ThreatConfidence_suspicious: int + ) + [ + "FALSE_POSITIVE", 40, + "Undefined", 50, + "SUSPICIOUS", 60, + "TRUE_POSITIVE", 67 + ]; + let ThreatConfidenceLookup_malicious = datatable( + alertInfo_analystVerdict_s: string, + ThreatConfidence_malicious: int + ) + [ + "FALSE_POSITIVE", 75, + "Undefined", 80, + "SUSPICIOUS", 90, + "TRUE_POSITIVE", 100 + ]; + let parser = ( + starttime: datetime=datetime(null), + endtime: datetime=datetime(null), + commandline_has_any: dynamic=dynamic([]), + commandline_has_all: dynamic=dynamic([]), + commandline_has_any_ip_prefix: dynamic=dynamic([]), + actingprocess_has_any: dynamic=dynamic([]), + targetprocess_has_any: dynamic=dynamic([]), + parentprocess_has_any: dynamic=dynamic([]), + targetusername_has: string='*', + dvcipaddr_has_any_prefix: dynamic=dynamic([]), + dvchostname_has_any: dynamic=dynamic([]), + eventtype: string='*', + hashes_has_any: dynamic=dynamic([]), + disabled: bool=false) { + let alldata = SentinelOne_CL + | where not(disabled) + and (isnull(starttime) or TimeGenerated >= starttime) + and (isnull(endtime) or TimeGenerated <= endtime) + and event_name_s == "Alerts." + and alertInfo_eventType_s == "PROCESSCREATION" + and (eventtype == '*' or eventtype == 'ProcessCreated') + and array_length(dvcipaddr_has_any_prefix) == 0 + and (targetusername_has == '*' or sourceProcessInfo_user_s has targetusername_has) + and (array_length(commandline_has_all) == 0 or targetProcessInfo_tgtProcCmdLine_s has_all (commandline_has_all)) + and (array_length(commandline_has_any) == 0 or targetProcessInfo_tgtProcCmdLine_s has_any (commandline_has_any)) + and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(targetProcessInfo_tgtProcCmdLine_s, commandline_has_any_ip_prefix)) + and (array_length(actingprocess_has_any) == 0 or sourceProcessInfo_name_s has_any (actingprocess_has_any)) + and (array_length(targetprocess_has_any) == 0 or targetProcessInfo_tgtProcName_s has_any (targetprocess_has_any)) + and (array_length(parentprocess_has_any) == 0 or sourceParentProcessInfo_name_s has_any (parentprocess_has_any)) + and (array_length(dvchostname_has_any) == 0 or agentDetectionInfo_name_s has_any (dvchostname_has_any)) + and (array_length(hashes_has_any) == 0 or targetProcessInfo_tgtFileHashSha1_s has_any (hashes_has_any) or targetProcessInfo_tgtFileHashSha256_s has_any (hashes_has_any)); + let undefineddata = alldata + | where ruleInfo_treatAsThreat_s == "UNDEFINED" + | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s; + let suspiciousdata = alldata + | where ruleInfo_treatAsThreat_s == "Suspicious" + | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s; + let maaliciousdata = alldata + | where ruleInfo_treatAsThreat_s == "Malicious" + | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s; + union undefineddata, suspiciousdata, maaliciousdata + | extend ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious) + | project-rename + DvcId = agentDetectionInfo_uuid_g, + EventStartTime = sourceProcessInfo_pidStarttime_t, + TargetProcessCommandLine = targetProcessInfo_tgtProcCmdLine_s, + TargetProcessId = targetProcessInfo_tgtProcPid_s, + TargetProcessName = targetProcessInfo_tgtProcName_s, + EventUid = _ItemId, + TargetProcessCreationTime = targetProcessInfo_tgtProcessStartTime_t, + ActingProcessName = sourceProcessInfo_name_s, + ParentProcessName = sourceParentProcessInfo_name_s, + ActingProcessCommandLine = sourceProcessInfo_commandline_s, + ActingProcessGuid = sourceProcessInfo_uniqueId_g, + ActingProcessSHA1 = sourceProcessInfo_fileHashSha1_s, + ParentProcessSHA1 = sourceParentProcessInfo_fileHashSha1_s, + ActingProcessSHA256 = sourceProcessInfo_fileHashSha256_s, + ParentProcessSHA256 = sourceParentProcessInfo_fileHashSha256_s, + DvcOs = agentDetectionInfo_osName_s, + DvcOsVersion = agentDetectionInfo_osRevision_s, + TargetProcessIntegrityLevel = targetProcessInfo_tgtProcIntegrityLevel_s, + EventOriginalType = alertInfo_eventType_s, + EventOriginalSeverity = ruleInfo_severity_s, + EventOriginalUid = alertInfo_dvEventId_s, + RuleName = ruleInfo_name_s, + ThreatOriginalConfidence = ruleInfo_treatAsThreat_s + | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s') + | extend + ActingProcessId = sourceProcessInfo_pid_s, + ActorUsername = sourceProcessInfo_user_s, + TargetUsername = sourceProcessInfo_user_s, + Hash = coalesce(targetProcessInfo_tgtFileHashSha256_s, targetProcessInfo_tgtFileHashSha1_s), + ParentProcessId = sourceProcessInfo_pid_s, + TargetProcessSHA1 = targetProcessInfo_tgtFileHashSha1_s, + TargetProcessSHA256 = targetProcessInfo_tgtFileHashSha256_s, + ParentProcessMD5 = replace_string(sourceParentProcessInfo_fileHashMd5_g, "-", ""), + ActingProcessMD5 = replace_string(sourceProcessInfo_fileHashMd5_g, "-", ""), + EventSeverity = iff(EventOriginalSeverity == "Critical", "High", EventOriginalSeverity) + | extend + EventCount = int(1), + EventProduct = "SentinelOne", + EventResult = "Success", + DvcAction = "Allowed", + EventSchemaVersion = "0.1.4", + EventType = "ProcessCreated", + EventVendor = "SentinelOne", + EventSchema = "ProcessEvent" + | extend + Dvc = DvcId, + EventEndTime = EventStartTime, + User = TargetUsername, + ActingProcessCreationTime = EventStartTime, + CommandLine = TargetProcessCommandLine, + Process = TargetProcessName, + Rule = RuleName + | extend + HashType = case( + isnotempty(Hash) and isnotempty(TargetProcessSHA256), + "TargetProcessSHA256", + isnotempty(Hash) and isnotempty(TargetProcessSHA1), + "TargetProcessSHA1", + "" + ), + TargetUsernameType = _ASIM_GetUsernameType(TargetUsername), + TargetUserType = _ASIM_GetUserType(TargetUsername, ""), + DvcIdType = iff(isnotempty(DvcId), "Other", ""), + ActorUsernameType = _ASIM_GetUsernameType(ActorUsername), + ActorUserType = _ASIM_GetUserType(ActorUsername, "") + | project-away + *_d, + *_s, + *_g, + *_t, + *_b, + _ResourceId, + TenantId, + RawData, + Computer, + MG, + ManagementGroupName, + SourceSystem, + ThreatConfidence_* + }; + parser( + starttime=starttime, + endtime=endtime, + commandline_has_any=commandline_has_any, + commandline_has_all=commandline_has_all, + commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, + actingprocess_has_any=actingprocess_has_any, + targetprocess_has_any=targetprocess_has_any, + parentprocess_has_any=parentprocess_has_any, + targetusername_has=targetusername_has, + dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, + dvchostname_has_any=dvchostname_has_any, + eventtype=eventtype, + hashes_has_any=hashes_has_any, + disabled=disabled + ) \ No newline at end of file diff --git a/Parsers/ASimProcessEvent/test/SentinelOne_ASimProcessCreate_DataTest.csv b/Parsers/ASimProcessEvent/test/SentinelOne_ASimProcessCreate_DataTest.csv new file mode 100644 index 00000000000..88a92faa256 --- /dev/null +++ b/Parsers/ASimProcessEvent/test/SentinelOne_ASimProcessCreate_DataTest.csv @@ -0,0 +1,23 @@ +Result +"(0) Error: 1 invalid value(s) (up to 10 listed) in 5185 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:ProcessEvent)" +"(0) Error: 1 invalid value(s) (up to 10 listed) in 5185 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:ProcessEvent)" +"(1) Warning: Empty value in 2 records (0.04%) in mandatory field [TargetProcessName] (Schema:ProcessEvent)" +"(1) Warning: Empty value in 4849 records (93.52%) in mandatory field [ActorUsername] (Schema:ProcessEvent)" +"(1) Warning: Empty value in 4849 records (93.52%) in mandatory field [TargetUsername] (Schema:ProcessEvent)" +"(1) Warning: Empty value in 6 records (0.12%) in mandatory field [TargetProcessCommandLine] (Schema:ProcessEvent)" +"(2) Info: Empty value in 140 records (2.7%) in optional field [ActingProcessCommandLine] (Schema:ProcessEvent)" +"(2) Info: Empty value in 140 records (2.7%) in optional field [ActingProcessName] (Schema:ProcessEvent)" +"(2) Info: Empty value in 3125 records (60.27%) in optional field [ParentProcessSHA1] (Schema:ProcessEvent)" +"(2) Info: Empty value in 336 records (6.48%) in optional field [ActingProcessGuid] (Schema:ProcessEvent)" +"(2) Info: Empty value in 3560 records (68.66%) in optional field [DvcFQDN] (Schema:ProcessEvent)" +"(2) Info: Empty value in 3560 records (68.66%) in recommended field [DvcDomain] (Schema:ProcessEvent)" +"(2) Info: Empty value in 469 records (9.05%) in optional field [ParentProcessName] (Schema:ProcessEvent)" +"(2) Info: Empty value in 4849 records (93.52%) in optional field [ActingProcessMD5] (Schema:ProcessEvent)" +"(2) Info: Empty value in 4849 records (93.52%) in optional field [ActingProcessSHA256] (Schema:ProcessEvent)" +"(2) Info: Empty value in 4849 records (93.52%) in optional field [ActorUserType] (Schema:ProcessEvent)" +"(2) Info: Empty value in 4849 records (93.52%) in optional field [TargetUserType] (Schema:ProcessEvent)" +"(2) Info: Empty value in 4851 records (93.56%) in optional field [ParentProcessMD5] (Schema:ProcessEvent)" +"(2) Info: Empty value in 4851 records (93.56%) in optional field [ParentProcessSHA256] (Schema:ProcessEvent)" +"(2) Info: Empty value in 5185 records (100.0%) in optional field [TargetProcessSHA1] (Schema:ProcessEvent)" +"(2) Info: Empty value in 5185 records (100.0%) in optional field [TargetProcessSHA256] (Schema:ProcessEvent)" +"(2) Info: Empty value in 962 records (18.55%) in optional field [ActingProcessSHA1] (Schema:ProcessEvent)" diff --git a/Parsers/ASimProcessEvent/test/SentinelOne_ASimProcessCreate_SchemaTest.csv b/Parsers/ASimProcessEvent/test/SentinelOne_ASimProcessCreate_SchemaTest.csv new file mode 100644 index 00000000000..b9b65b4c8f4 --- /dev/null +++ b/Parsers/ASimProcessEvent/test/SentinelOne_ASimProcessCreate_SchemaTest.csv @@ -0,0 +1,82 @@ +Result +"(1) Warning: Missing recommended field [ActorUserId]" +"(1) Warning: Missing recommended field [DvcIpAddr]" +"(1) Warning: Missing recommended field [TargetUserId]" +"(2) Info: Missing optional field [ActingProcessFileCompany]" +"(2) Info: Missing optional field [ActingProcessFileDescription]" +"(2) Info: Missing optional field [ActingProcessFileInternalName]" +"(2) Info: Missing optional field [ActingProcessFileOriginalName]" +"(2) Info: Missing optional field [ActingProcessFileProduct]" +"(2) Info: Missing optional field [ActingProcessFileSize]" +"(2) Info: Missing optional field [ActingProcessFileVersion]" +"(2) Info: Missing optional field [ActingProcessFilename]" +"(2) Info: Missing optional field [ActingProcessIMPHASH]" +"(2) Info: Missing optional field [ActingProcessInjectedAddress]" +"(2) Info: Missing optional field [ActingProcessIntegrityLevel]" +"(2) Info: Missing optional field [ActingProcessIsHidden]" +"(2) Info: Missing optional field [ActingProcessSHA512]" +"(2) Info: Missing optional field [ActingProcessTokenElevation]" +"(2) Info: Missing optional field [ActorOriginalUserType]" +"(2) Info: Missing optional field [ActorScopeId]" +"(2) Info: Missing optional field [ActorScope]" +"(2) Info: Missing optional field [ActorSessionId]" +"(2) Info: Missing optional field [ActorUserAadId]" +"(2) Info: Missing optional field [ActorUserSid]" +"(2) Info: Missing optional field [ActorUserUpn]" +"(2) Info: Missing optional field [AdditionalFields]" +"(2) Info: Missing optional field [DvcDescription]" +"(2) Info: Missing optional field [DvcInterface]" +"(2) Info: Missing optional field [DvcMacAddr]" +"(2) Info: Missing optional field [DvcOriginalAction]" +"(2) Info: Missing optional field [DvcScopeId]" +"(2) Info: Missing optional field [DvcScope]" +"(2) Info: Missing optional field [DvcZone]" +"(2) Info: Missing optional field [EventMessage]" +"(2) Info: Missing optional field [EventOriginalResultDetails]" +"(2) Info: Missing optional field [EventOriginalSubType]" +"(2) Info: Missing optional field [EventOwner]" +"(2) Info: Missing optional field [EventProductVersion]" +"(2) Info: Missing optional field [EventReportUrl]" +"(2) Info: Missing optional field [EventResultDetails]" +"(2) Info: Missing optional field [EventSubType]" +"(2) Info: Missing optional field [ParentProcessCreationTime]" +"(2) Info: Missing optional field [ParentProcessFileCompany]" +"(2) Info: Missing optional field [ParentProcessFileDescription]" +"(2) Info: Missing optional field [ParentProcessFileProduct]" +"(2) Info: Missing optional field [ParentProcessFileVersion]" +"(2) Info: Missing optional field [ParentProcessGuid]" +"(2) Info: Missing optional field [ParentProcessIMPHASH]" +"(2) Info: Missing optional field [ParentProcessInjectedAddress]" +"(2) Info: Missing optional field [ParentProcessIntegrityLevel]" +"(2) Info: Missing optional field [ParentProcessIsHidden]" +"(2) Info: Missing optional field [ParentProcessSHA512]" +"(2) Info: Missing optional field [ParentProcessTokenElevation]" +"(2) Info: Missing optional field [TargetOriginalUserType]" +"(2) Info: Missing optional field [TargetProcessCurrentDirectory]" +"(2) Info: Missing optional field [TargetProcessFileCompany]" +"(2) Info: Missing optional field [TargetProcessFileDescription]" +"(2) Info: Missing optional field [TargetProcessFileInternalName]" +"(2) Info: Missing optional field [TargetProcessFileOriginalName]" +"(2) Info: Missing optional field [TargetProcessFileProduct]" +"(2) Info: Missing optional field [TargetProcessFileSize]" +"(2) Info: Missing optional field [TargetProcessFileVersion]" +"(2) Info: Missing optional field [TargetProcessFilename]" +"(2) Info: Missing optional field [TargetProcessGuid]" +"(2) Info: Missing optional field [TargetProcessIMPHASH]" +"(2) Info: Missing optional field [TargetProcessInjectedAddress]" +"(2) Info: Missing optional field [TargetProcessIsHidden]" +"(2) Info: Missing optional field [TargetProcessMD5]" +"(2) Info: Missing optional field [TargetProcessSHA512]" +"(2) Info: Missing optional field [TargetProcessStatusCode]" +"(2) Info: Missing optional field [TargetProcessTokenElevation]" +"(2) Info: Missing optional field [TargetScopeId]" +"(2) Info: Missing optional field [TargetScope]" +"(2) Info: Missing optional field [TargetUserAadId]" +"(2) Info: Missing optional field [TargetUserSessionGuid]" +"(2) Info: Missing optional field [TargetUserSessionId]" +"(2) Info: Missing optional field [TargetUserSid]" +"(2) Info: Missing optional field [TargetUserUpn]" +"(2) Info: extra unnormalized column [RuleName]" +"(2) Info: extra unnormalized column [Rule]" +"(2) Info: extra unnormalized column [ThreatConfidence]" +"(2) Info: extra unnormalized column [ThreatOriginalConfidence]" diff --git a/Parsers/ASimProcessEvent/test/SentinelOne_vimProcessCreate_DataTest.csv b/Parsers/ASimProcessEvent/test/SentinelOne_vimProcessCreate_DataTest.csv new file mode 100644 index 00000000000..88a92faa256 --- /dev/null +++ b/Parsers/ASimProcessEvent/test/SentinelOne_vimProcessCreate_DataTest.csv @@ -0,0 +1,23 @@ +Result +"(0) Error: 1 invalid value(s) (up to 10 listed) in 5185 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:ProcessEvent)" +"(0) Error: 1 invalid value(s) (up to 10 listed) in 5185 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:ProcessEvent)" +"(1) Warning: Empty value in 2 records (0.04%) in mandatory field [TargetProcessName] (Schema:ProcessEvent)" +"(1) Warning: Empty value in 4849 records (93.52%) in mandatory field [ActorUsername] (Schema:ProcessEvent)" +"(1) Warning: Empty value in 4849 records (93.52%) in mandatory field [TargetUsername] (Schema:ProcessEvent)" +"(1) Warning: Empty value in 6 records (0.12%) in mandatory field [TargetProcessCommandLine] (Schema:ProcessEvent)" +"(2) Info: Empty value in 140 records (2.7%) in optional field [ActingProcessCommandLine] (Schema:ProcessEvent)" +"(2) Info: Empty value in 140 records (2.7%) in optional field [ActingProcessName] (Schema:ProcessEvent)" +"(2) Info: Empty value in 3125 records (60.27%) in optional field [ParentProcessSHA1] (Schema:ProcessEvent)" +"(2) Info: Empty value in 336 records (6.48%) in optional field [ActingProcessGuid] (Schema:ProcessEvent)" +"(2) Info: Empty value in 3560 records (68.66%) in optional field [DvcFQDN] (Schema:ProcessEvent)" +"(2) Info: Empty value in 3560 records (68.66%) in recommended field [DvcDomain] (Schema:ProcessEvent)" +"(2) Info: Empty value in 469 records (9.05%) in optional field [ParentProcessName] (Schema:ProcessEvent)" +"(2) Info: Empty value in 4849 records (93.52%) in optional field [ActingProcessMD5] (Schema:ProcessEvent)" +"(2) Info: Empty value in 4849 records (93.52%) in optional field [ActingProcessSHA256] (Schema:ProcessEvent)" +"(2) Info: Empty value in 4849 records (93.52%) in optional field [ActorUserType] (Schema:ProcessEvent)" +"(2) Info: Empty value in 4849 records (93.52%) in optional field [TargetUserType] (Schema:ProcessEvent)" +"(2) Info: Empty value in 4851 records (93.56%) in optional field [ParentProcessMD5] (Schema:ProcessEvent)" +"(2) Info: Empty value in 4851 records (93.56%) in optional field [ParentProcessSHA256] (Schema:ProcessEvent)" +"(2) Info: Empty value in 5185 records (100.0%) in optional field [TargetProcessSHA1] (Schema:ProcessEvent)" +"(2) Info: Empty value in 5185 records (100.0%) in optional field [TargetProcessSHA256] (Schema:ProcessEvent)" +"(2) Info: Empty value in 962 records (18.55%) in optional field [ActingProcessSHA1] (Schema:ProcessEvent)" diff --git a/Parsers/ASimProcessEvent/test/SentinelOne_vimProcessCreate_SchemaTest.csv b/Parsers/ASimProcessEvent/test/SentinelOne_vimProcessCreate_SchemaTest.csv new file mode 100644 index 00000000000..b9b65b4c8f4 --- /dev/null +++ b/Parsers/ASimProcessEvent/test/SentinelOne_vimProcessCreate_SchemaTest.csv @@ -0,0 +1,82 @@ +Result +"(1) Warning: Missing recommended field [ActorUserId]" +"(1) Warning: Missing recommended field [DvcIpAddr]" +"(1) Warning: Missing recommended field [TargetUserId]" +"(2) Info: Missing optional field [ActingProcessFileCompany]" +"(2) Info: Missing optional field [ActingProcessFileDescription]" +"(2) Info: Missing optional field [ActingProcessFileInternalName]" +"(2) Info: Missing optional field [ActingProcessFileOriginalName]" +"(2) Info: Missing optional field [ActingProcessFileProduct]" +"(2) Info: Missing optional field [ActingProcessFileSize]" +"(2) Info: Missing optional field [ActingProcessFileVersion]" +"(2) Info: Missing optional field [ActingProcessFilename]" +"(2) Info: Missing optional field [ActingProcessIMPHASH]" +"(2) Info: Missing optional field [ActingProcessInjectedAddress]" +"(2) Info: Missing optional field [ActingProcessIntegrityLevel]" +"(2) Info: Missing optional field [ActingProcessIsHidden]" +"(2) Info: Missing optional field [ActingProcessSHA512]" +"(2) Info: Missing optional field [ActingProcessTokenElevation]" +"(2) Info: Missing optional field [ActorOriginalUserType]" +"(2) Info: Missing optional field [ActorScopeId]" +"(2) Info: Missing optional field [ActorScope]" +"(2) Info: Missing optional field [ActorSessionId]" +"(2) Info: Missing optional field [ActorUserAadId]" +"(2) Info: Missing optional field [ActorUserSid]" +"(2) Info: Missing optional field [ActorUserUpn]" +"(2) Info: Missing optional field [AdditionalFields]" +"(2) Info: Missing optional field [DvcDescription]" +"(2) Info: Missing optional field [DvcInterface]" +"(2) Info: Missing optional field [DvcMacAddr]" +"(2) Info: Missing optional field [DvcOriginalAction]" +"(2) Info: Missing optional field [DvcScopeId]" +"(2) Info: Missing optional field [DvcScope]" +"(2) Info: Missing optional field [DvcZone]" +"(2) Info: Missing optional field [EventMessage]" +"(2) Info: Missing optional field [EventOriginalResultDetails]" +"(2) Info: Missing optional field [EventOriginalSubType]" +"(2) Info: Missing optional field [EventOwner]" +"(2) Info: Missing optional field [EventProductVersion]" +"(2) Info: Missing optional field [EventReportUrl]" +"(2) Info: Missing optional field [EventResultDetails]" +"(2) Info: Missing optional field [EventSubType]" +"(2) Info: Missing optional field [ParentProcessCreationTime]" +"(2) Info: Missing optional field [ParentProcessFileCompany]" +"(2) Info: Missing optional field [ParentProcessFileDescription]" +"(2) Info: Missing optional field [ParentProcessFileProduct]" +"(2) Info: Missing optional field [ParentProcessFileVersion]" +"(2) Info: Missing optional field [ParentProcessGuid]" +"(2) Info: Missing optional field [ParentProcessIMPHASH]" +"(2) Info: Missing optional field [ParentProcessInjectedAddress]" +"(2) Info: Missing optional field [ParentProcessIntegrityLevel]" +"(2) Info: Missing optional field [ParentProcessIsHidden]" +"(2) Info: Missing optional field [ParentProcessSHA512]" +"(2) Info: Missing optional field [ParentProcessTokenElevation]" +"(2) Info: Missing optional field [TargetOriginalUserType]" +"(2) Info: Missing optional field [TargetProcessCurrentDirectory]" +"(2) Info: Missing optional field [TargetProcessFileCompany]" +"(2) Info: Missing optional field [TargetProcessFileDescription]" +"(2) Info: Missing optional field [TargetProcessFileInternalName]" +"(2) Info: Missing optional field [TargetProcessFileOriginalName]" +"(2) Info: Missing optional field [TargetProcessFileProduct]" +"(2) Info: Missing optional field [TargetProcessFileSize]" +"(2) Info: Missing optional field [TargetProcessFileVersion]" +"(2) Info: Missing optional field [TargetProcessFilename]" +"(2) Info: Missing optional field [TargetProcessGuid]" +"(2) Info: Missing optional field [TargetProcessIMPHASH]" +"(2) Info: Missing optional field [TargetProcessInjectedAddress]" +"(2) Info: Missing optional field [TargetProcessIsHidden]" +"(2) Info: Missing optional field [TargetProcessMD5]" +"(2) Info: Missing optional field [TargetProcessSHA512]" +"(2) Info: Missing optional field [TargetProcessStatusCode]" +"(2) Info: Missing optional field [TargetProcessTokenElevation]" +"(2) Info: Missing optional field [TargetScopeId]" +"(2) Info: Missing optional field [TargetScope]" +"(2) Info: Missing optional field [TargetUserAadId]" +"(2) Info: Missing optional field [TargetUserSessionGuid]" +"(2) Info: Missing optional field [TargetUserSessionId]" +"(2) Info: Missing optional field [TargetUserSid]" +"(2) Info: Missing optional field [TargetUserUpn]" +"(2) Info: extra unnormalized column [RuleName]" +"(2) Info: extra unnormalized column [Rule]" +"(2) Info: extra unnormalized column [ThreatConfidence]" +"(2) Info: extra unnormalized column [ThreatOriginalConfidence]" diff --git a/Sample Data/ASIM/SentinelOne_ASimProcessEvent_IngestedLogs.csv b/Sample Data/ASIM/SentinelOne_ASimProcessEvent_IngestedLogs.csv new file mode 100644 index 00000000000..3109e1011cc --- /dev/null +++ b/Sample Data/ASIM/SentinelOne_ASimProcessEvent_IngestedLogs.csv @@ -0,0 +1,21 @@ +TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,alertInfo_indicatorDescription_s,alertInfo_indicatorName_s,targetProcessInfo_tgtFileOldPath_s,alertInfo_indicatorCategory_s,alertInfo_registryOldValue_g,alertInfo_dstIp_s,alertInfo_dstPort_s,alertInfo_netEventDirection_s,alertInfo_srcIp_s,alertInfo_srcPort_s,containerInfo_id_s,targetProcessInfo_tgtFileId_g,alertInfo_registryOldValue_s,alertInfo_registryOldValueType_s,alertInfo_dnsRequest_s,alertInfo_dnsResponse_s,alertInfo_registryKeyPath_s,alertInfo_registryPath_s,alertInfo_registryValue_g,ruleInfo_description_s,alertInfo_registryValue_s,alertInfo_loginAccountDomain_s,alertInfo_loginAccountSid_s,alertInfo_loginIsAdministratorEquivalent_s,alertInfo_loginIsSuccessful_s,alertInfo_loginType_s,alertInfo_loginsUserName_s,alertInfo_srcMachineIp_s,targetProcessInfo_tgtProcCmdLine_s,targetProcessInfo_tgtProcImagePath_s,targetProcessInfo_tgtProcName_s,targetProcessInfo_tgtProcPid_s,targetProcessInfo_tgtProcSignedStatus_s,targetProcessInfo_tgtProcStorylineId_s,targetProcessInfo_tgtProcUid_s,sourceParentProcessInfo_storyline_g,sourceParentProcessInfo_uniqueId_g,sourceProcessInfo_storyline_g,sourceProcessInfo_uniqueId_g,targetProcessInfo_tgtProcStorylineId_g,targetProcessInfo_tgtProcUid_g,agentDetectionInfo_machineType_s,agentDetectionInfo_name_s,agentDetectionInfo_osFamily_s,agentDetectionInfo_osName_s,agentDetectionInfo_osRevision_s,agentDetectionInfo_uuid_g,agentDetectionInfo_version_s,agentRealtimeInfo_id_s,agentRealtimeInfo_infected_b,agentRealtimeInfo_isActive_b,agentRealtimeInfo_isDecommissioned_b,agentRealtimeInfo_machineType_s,agentRealtimeInfo_name_s,agentRealtimeInfo_os_s,agentRealtimeInfo_uuid_g,alertInfo_alertId_s,alertInfo_analystVerdict_s,alertInfo_createdAt_t [UTC],alertInfo_dvEventId_s,alertInfo_eventType_s,alertInfo_hitType_s,alertInfo_incidentStatus_s,alertInfo_isEdr_b,alertInfo_reportedAt_t [UTC],alertInfo_source_s,alertInfo_updatedAt_t [UTC],ruleInfo_id_s,ruleInfo_name_s,ruleInfo_queryLang_s,ruleInfo_queryType_s,ruleInfo_s1ql_s,ruleInfo_scopeLevel_s,ruleInfo_severity_s,ruleInfo_treatAsThreat_s,sourceParentProcessInfo_commandline_s,sourceParentProcessInfo_fileHashMd5_g,sourceParentProcessInfo_fileHashSha1_s,sourceParentProcessInfo_fileHashSha256_s,sourceParentProcessInfo_filePath_s,sourceParentProcessInfo_fileSignerIdentity_s,sourceParentProcessInfo_integrityLevel_s,sourceParentProcessInfo_name_s,sourceParentProcessInfo_pid_s,sourceParentProcessInfo_pidStarttime_t [UTC],sourceParentProcessInfo_storyline_s,sourceParentProcessInfo_subsystem_s,sourceParentProcessInfo_uniqueId_s,sourceParentProcessInfo_user_s,sourceProcessInfo_commandline_s,sourceProcessInfo_fileHashMd5_g,sourceProcessInfo_fileHashSha1_s,sourceProcessInfo_fileHashSha256_s,sourceProcessInfo_filePath_s,sourceProcessInfo_fileSignerIdentity_s,sourceProcessInfo_integrityLevel_s,sourceProcessInfo_name_s,sourceProcessInfo_pid_s,sourceProcessInfo_pidStarttime_t [UTC],sourceProcessInfo_storyline_s,sourceProcessInfo_subsystem_s,sourceProcessInfo_uniqueId_s,sourceProcessInfo_user_s,targetProcessInfo_tgtFileCreatedAt_t [UTC],targetProcessInfo_tgtFileHashSha1_s,targetProcessInfo_tgtFileHashSha256_s,targetProcessInfo_tgtFileId_s,targetProcessInfo_tgtFileIsSigned_s,targetProcessInfo_tgtFileModifiedAt_t [UTC],targetProcessInfo_tgtFilePath_s,targetProcessInfo_tgtProcIntegrityLevel_s,targetProcessInfo_tgtProcessStartTime_t [UTC],agentUpdatedVersion_s,agentId_s,hash_s,osFamily_s,threatId_s,creator_s,creatorId_s,inherits_b,isDefault_b,name_s,registrationToken_s,totalAgents_d,type_s,agentDetectionInfo_accountId_s,agentDetectionInfo_accountName_s,agentDetectionInfo_agentDetectionState_s,agentDetectionInfo_agentDomain_s,agentDetectionInfo_agentIpV4_s,agentDetectionInfo_agentIpV6_s,agentDetectionInfo_agentLastLoggedInUserName_s,agentDetectionInfo_agentMitigationMode_s,agentDetectionInfo_agentOsName_s,agentDetectionInfo_agentOsRevision_s,agentDetectionInfo_agentRegisteredAt_t [UTC],agentDetectionInfo_agentUuid_g,agentDetectionInfo_agentVersion_s,agentDetectionInfo_externalIp_s,agentDetectionInfo_groupId_s,agentDetectionInfo_groupName_s,agentDetectionInfo_siteId_s,agentDetectionInfo_siteName_s,agentRealtimeInfo_accountId_s,agentRealtimeInfo_accountName_s,agentRealtimeInfo_activeThreats_d,agentRealtimeInfo_agentComputerName_s,agentRealtimeInfo_agentDomain_s,agentRealtimeInfo_agentId_s,agentRealtimeInfo_agentInfected_b,agentRealtimeInfo_agentIsActive_b,agentRealtimeInfo_agentIsDecommissioned_b,agentRealtimeInfo_agentMachineType_s,agentRealtimeInfo_agentMitigationMode_s,agentRealtimeInfo_agentNetworkStatus_s,agentRealtimeInfo_agentOsName_s,agentRealtimeInfo_agentOsRevision_s,agentRealtimeInfo_agentOsType_s,agentRealtimeInfo_agentUuid_g,agentRealtimeInfo_agentVersion_s,agentRealtimeInfo_groupId_s,agentRealtimeInfo_groupName_s,agentRealtimeInfo_networkInterfaces_s,agentRealtimeInfo_operationalState_s,agentRealtimeInfo_rebootRequired_b,agentRealtimeInfo_scanFinishedAt_t [UTC],agentRealtimeInfo_scanStartedAt_t [UTC],agentRealtimeInfo_scanStatus_s,agentRealtimeInfo_siteId_s,agentRealtimeInfo_siteName_s,agentRealtimeInfo_userActionsNeeded_s,indicators_s,mitigationStatus_s,threatInfo_analystVerdict_s,threatInfo_analystVerdictDescription_s,threatInfo_automaticallyResolved_b,threatInfo_certificateId_s,threatInfo_classification_s,threatInfo_classificationSource_s,threatInfo_cloudFilesHashVerdict_s,threatInfo_collectionId_s,threatInfo_confidenceLevel_s,threatInfo_createdAt_t [UTC],threatInfo_detectionEngines_s,threatInfo_detectionType_s,threatInfo_engines_s,threatInfo_externalTicketExists_b,threatInfo_failedActions_b,threatInfo_fileExtension_s,threatInfo_fileExtensionType_s,threatInfo_filePath_s,threatInfo_fileSize_d,threatInfo_fileVerificationType_s,threatInfo_identifiedAt_t [UTC],threatInfo_incidentStatus_s,threatInfo_incidentStatusDescription_s,threatInfo_initiatedBy_s,threatInfo_initiatedByDescription_s,threatInfo_isFileless_b,threatInfo_isValidCertificate_b,threatInfo_mitigatedPreemptively_b,threatInfo_mitigationStatus_s,threatInfo_mitigationStatusDescription_s,threatInfo_originatorProcess_s,threatInfo_pendingActions_b,threatInfo_processUser_s,threatInfo_publisherName_s,threatInfo_reachedEventsLimit_b,threatInfo_rebootRequired_b,threatInfo_sha1_s,threatInfo_storyline_s,threatInfo_threatId_s,threatInfo_threatName_s,threatInfo_updatedAt_t [UTC],whiteningOptions_s,threatInfo_maliciousProcessArguments_s,threatInfo_fileExtension_g,threatInfo_threatName_g,threatInfo_storyline_g,accountId_s,accountName_s,activityType_d,activityUuid_g,createdAt_t [UTC],id_s,primaryDescription_s,secondaryDescription_s,siteId_s,siteName_s,updatedAt_t [UTC],userId_s,event_name_s,DataFields_s,description_s,comments_s,activeDirectory_computerMemberOf_s,activeDirectory_lastUserMemberOf_s,activeThreats_d,agentVersion_s,allowRemoteShell_b,appsVulnerabilityStatus_s,computerName_s,consoleMigrationStatus_s,coreCount_d,cpuCount_d,cpuId_s,detectionState_s,domain_s,encryptedApplications_b,externalId_s,externalIp_s,firewallEnabled_b,firstFullModeTime_t [UTC],fullDiskScanLastUpdatedAt_t [UTC],groupId_s,groupIp_s,groupName_s,inRemoteShellSession_b,infected_b,installerType_s,isActive_b,isDecommissioned_b,isPendingUninstall_b,isUninstalled_b,isUpToDate_b,lastActiveDate_t [UTC],lastIpToMgmt_s,lastLoggedInUserName_s,licenseKey_s,locationEnabled_b,locationType_s,locations_s,machineType_s,mitigationMode_s,mitigationModeSuspicious_s,modelName_s,networkInterfaces_s,networkQuarantineEnabled_b,networkStatus_s,operationalState_s,osArch_s,osName_s,osRevision_s,osStartTime_t [UTC],osType_s,rangerStatus_s,rangerVersion_s,registeredAt_t [UTC],remoteProfilingState_s,scanFinishedAt_t [UTC],scanStartedAt_t [UTC],scanStatus_s,serialNumber_s,showAlertIcon_b,tags_sentinelone_s,threatRebootRequired_b,totalMemory_d,userActionsNeeded_s,uuid_g,osUsername_s,scanAbortedAt_t [UTC],activeDirectory_computerDistinguishedName_s,activeDirectory_lastUserDistinguishedName_s,Type,_ResourceId +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,/usr/sbin/sendmail.postfix,sendmail.postfix,44031,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,73fb37d5-cf36-ab66-cc74-edb26cd47d93,727f2aad-3209-c937-7a56-8e04d9b72a60,73fb41c2-2d0e-fbde-7534-9b3fb198f4a0,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73314876567948E+018,Undefined,"7/20/2023, 6:57:02 AM",01H5S1B1DE1FQ1GQAM9BXQ29RT_3,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:57:13 AM",STAR,"7/20/2023, 6:57:13 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44027,"7/20/2023, 6:55:01 AM",,unknown,,NT AUTHORITY\SYSTEM,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:55:01 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44032,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,73fb37d5-cf36-ab66-cc74-edb26cd47d93,727f2aad-3209-c937-7a56-8e04d9b72a60,73fb41c2-2d0e-fbde-7534-9b3fb198f4a0,727f2aad-3209-c937-7a56-8e04d9b72a60,73fb420c-d665-d3f6-59dd-0a5d1d0e71f2,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73314877050293E+018,Undefined,"7/20/2023, 6:57:02 AM",01H5S1B1DE1FQ1GQAM9BXQ29RT_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:57:14 AM",STAR,"7/20/2023, 6:57:14 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44027,"7/20/2023, 6:55:01 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44031,"7/20/2023, 6:55:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:55:01 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,/usr/sbin/sendmail.postfix,sendmail.postfix,44042,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,730930f9-359e-ed7b-6a03-319b08f7fe76,727f2aad-3209-c937-7a56-8e04d9b72a60,73093e27-8ead-6ead-9311-613babbbf6ce,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73314892440035E+018,Undefined,"7/20/2023, 6:57:20 AM",01H5S1CW09T3Y9PJPD6M1BR9W6_3,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:57:32 AM",STAR,"7/20/2023, 6:57:32 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44038,"7/20/2023, 6:56:01 AM",,unknown,,NT AUTHORITY\SYSTEM,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:56:02 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44043,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,730930f9-359e-ed7b-6a03-319b08f7fe76,727f2aad-3209-c937-7a56-8e04d9b72a60,73093e27-8ead-6ead-9311-613babbbf6ce,727f2aad-3209-c937-7a56-8e04d9b72a60,73093eac-5267-0e8d-984e-89194dce2324,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73314892575091E+018,Undefined,"7/20/2023, 6:57:20 AM",01H5S1CW09T3Y9PJPD6M1BR9W6_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:57:32 AM",STAR,"7/20/2023, 6:57:32 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44038,"7/20/2023, 6:56:01 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44042,"7/20/2023, 6:56:02 AM",,unknown,,NT AUTHORITY\SYSTEM,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:56:02 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,/usr/sbin/sendmail.postfix,sendmail.postfix,44054,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,73175795-3d2f-91c7-bdb1-9a00c3b4e6f9,727f2aad-3209-c937-7a56-8e04d9b72a60,7317600a-da57-51e1-f547-19c0f33270a9,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73314931664331E+018,Undefined,"7/20/2023, 6:58:08 AM",01H5S1EPKA5T8SG6SJ2PFAKNQF_3,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:58:19 AM",STAR,"7/20/2023, 6:58:19 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44050,"7/20/2023, 6:57:02 AM",,unknown,,NT AUTHORITY\SYSTEM,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:57:02 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44055,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,73175795-3d2f-91c7-bdb1-9a00c3b4e6f9,727f2aad-3209-c937-7a56-8e04d9b72a60,7317600a-da57-51e1-f547-19c0f33270a9,727f2aad-3209-c937-7a56-8e04d9b72a60,731760e0-a8a1-0e25-fb68-c809b79a0fcd,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73314934621315E+018,Undefined,"7/20/2023, 6:58:08 AM",01H5S1EPKA5T8SG6SJ2PFAKNQF_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:58:22 AM",STAR,"7/20/2023, 6:58:22 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44050,"7/20/2023, 6:57:02 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44054,"7/20/2023, 6:57:02 AM",,unknown,,NT AUTHORITY\SYSTEM,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:57:02 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,/usr/sbin/sendmail.postfix,sendmail.postfix,44065,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,73252052-1f72-a515-eb0b-f5620305688a,727f2aad-3209-c937-7a56-8e04d9b72a60,73252e29-0db9-6ca2-c3de-049bfeac30ff,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73314984687888E+018,Undefined,"7/20/2023, 6:59:07 AM",01H5S1GH6B620AGDRX5MF9M52M_3,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:59:22 AM",STAR,"7/20/2023, 6:59:22 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44061,"7/20/2023, 6:58:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:58:01 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44066,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,73252052-1f72-a515-eb0b-f5620305688a,727f2aad-3209-c937-7a56-8e04d9b72a60,73252e29-0db9-6ca2-c3de-049bfeac30ff,727f2aad-3209-c937-7a56-8e04d9b72a60,73252ed6-aff1-c3f8-48c2-765f7b668d7c,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73314988576008E+018,Undefined,"7/20/2023, 6:59:07 AM",01H5S1GH6B620AGDRX5MF9M52M_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:59:27 AM",STAR,"7/20/2023, 6:59:27 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44061,"7/20/2023, 6:58:01 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44065,"7/20/2023, 6:58:01 AM",,unknown,,CLW547-\Crest,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:58:01 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /bin/sh -c /usr/local/demisto/d1_Test2/upgrade_engine.sh >> /tmp/d1_Test2/demisto_install.log,/usr/bin/bash,bash,44075,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,7333194b-17ac-0f64-4f1c-59ba42bb7da6,727f2aad-3209-c937-7a56-8e04d9b72a60,733322a5-11bb-42e8-c701-7a97051c8a5b,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.7331502833382E+018,Undefined,"7/20/2023, 7:00:06 AM",01H5S1JBSA1YTHPHEXZY2S2G0T_2,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:00:14 AM",STAR,"7/20/2023, 7:00:14 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44073,"7/20/2023, 6:59:01 AM",,unknown,,CLW547-\Crest,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:59:01 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44078,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,7333194b-17ac-0f64-4f1c-59ba42bb7da6,727f2aad-3209-c937-7a56-8e04d9b72a60,733322de-7b5c-6a26-b302-869f3832cbed,727f2aad-3209-c937-7a56-8e04d9b72a60,73332352-8023-8eb1-c3a3-410efe8eeb38,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73315030459493E+018,Undefined,"7/20/2023, 7:00:06 AM",01H5S1JBSA1YTHPHEXZY2S2G0T_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:00:16 AM",STAR,"7/20/2023, 7:00:16 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44073,"7/20/2023, 6:59:01 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44077,"7/20/2023, 6:59:01 AM",,unknown,,CLW547-\Crest,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:59:01 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44088,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,73411224-c58f-479c-e68d-2bc957ae28d3,727f2aad-3209-c937-7a56-8e04d9b72a60,73414081-5469-2510-07c3-5b74509a4475,727f2aad-3209-c937-7a56-8e04d9b72a60,734140eb-56bf-9270-ae70-d0582e8de351,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73315082138356E+018,Undefined,"7/20/2023, 7:01:07 AM",01H5S1M6C8NJZ7KGNVCFBHK3VP_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:01:18 AM",STAR,"7/20/2023, 7:01:18 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44083,"7/20/2023, 7:00:01 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44087,"7/20/2023, 7:00:02 AM",,unknown,,CLW547-\Crest,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:00:02 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,/usr/sbin/sendmail.postfix,sendmail.postfix,44087,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,73411224-c58f-479c-e68d-2bc957ae28d3,727f2aad-3209-c937-7a56-8e04d9b72a60,73414081-5469-2510-07c3-5b74509a4475,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73315088610168E+018,Undefined,"7/20/2023, 7:01:07 AM",01H5S1M6C8NJZ7KGNVCFBHK3VP_3,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:01:26 AM",STAR,"7/20/2023, 7:01:26 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44083,"7/20/2023, 7:00:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:00:02 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/unix_chkpwd root chkexpiry,/usr/sbin/unix_chkpwd,unix_chkpwd,44098,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,734f38fd-17b6-7142-0580-c5bd4a6fd003,727f2aad-3209-c937-7a56-8e04d9b72a60,734f3932-0c7f-4e05-bfff-063d6b0c92eb,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73315125441194E+018,Undefined,"7/20/2023, 7:02:07 AM",01H5S1P0Z9027WQRD3PNDF55V0_1,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:02:10 AM",STAR,"7/20/2023, 7:02:10 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44097,"7/20/2023, 7:01:02 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:01:02 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44102,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,734f38fd-17b6-7142-0580-c5bd4a6fd003,727f2aad-3209-c937-7a56-8e04d9b72a60,734f42ea-ba31-4ac2-1273-59fe44124624,727f2aad-3209-c937-7a56-8e04d9b72a60,734f4380-8299-a345-7dd9-8723e4b66bec,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73315131501125E+018,Undefined,"7/20/2023, 7:02:07 AM",01H5S1P0Z9027WQRD3PNDF55V0_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:02:17 AM",STAR,"7/20/2023, 7:02:17 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44097,"7/20/2023, 7:01:02 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44101,"7/20/2023, 7:01:02 AM",,unknown,,NT AUTHORITY\NETWORK SERVICE,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:01:02 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /bin/sh -c /usr/local/demisto/d1_Test2/upgrade_engine.sh >> /tmp/d1_Test2/demisto_install.log,/usr/bin/bash,bash,44109,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,735d01e8-402b-affb-12de-4741599ea560,727f2aad-3209-c937-7a56-8e04d9b72a60,735d0a85-074c-1c9d-7ba8-49901518524b,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73315179676905E+018,Undefined,"7/20/2023, 7:03:07 AM",01H5S1QVJCZMW7ZPZR8JGBQBND_2,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:03:14 AM",STAR,"7/20/2023, 7:03:14 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44107,"7/20/2023, 7:02:01 AM",,unknown,,NT AUTHORITY\NETWORK SERVICE,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:02:01 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44112,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,735d01e8-402b-affb-12de-4741599ea560,727f2aad-3209-c937-7a56-8e04d9b72a60,735d0a9e-eef8-6094-bc77-c95b9a8c2b34,727f2aad-3209-c937-7a56-8e04d9b72a60,735d0b74-844c-af22-aa4a-433abde9c7a9,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73315181789996E+018,Undefined,"7/20/2023, 7:03:07 AM",01H5S1QVJCZMW7ZPZR8JGBQBND_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:03:17 AM",STAR,"7/20/2023, 7:03:17 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44107,"7/20/2023, 7:02:01 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44111,"7/20/2023, 7:02:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:02:01 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44124,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,736afa1a-7181-0a1c-b160-6d7da000a15d,727f2aad-3209-c937-7a56-8e04d9b72a60,736b0393-0386-ba70-5da1-2c09cf3433f6,727f2aad-3209-c937-7a56-8e04d9b72a60,736b0422-db47-f377-3d29-85f017d9f67f,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73315233598044E+018,Undefined,"7/20/2023, 7:04:07 AM",01H5S1SP59R24VZ5C4YRRQVRH7_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:04:19 AM",STAR,"7/20/2023, 7:04:19 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44119,"7/20/2023, 7:03:01 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44123,"7/20/2023, 7:03:01 AM",,unknown,,NT AUTHORITY\LOCAL SERVICE,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:03:01 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/unix_chkpwd root chkexpiry,/usr/sbin/unix_chkpwd,unix_chkpwd,44120,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,736afa1a-7181-0a1c-b160-6d7da000a15d,727f2aad-3209-c937-7a56-8e04d9b72a60,736afa63-ed30-cc33-824b-b8dadff8a989,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73315233951204E+018,Undefined,"7/20/2023, 7:04:07 AM",01H5S1SP59R24VZ5C4YRRQVRH7_1,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:04:19 AM",STAR,"7/20/2023, 7:04:19 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44119,"7/20/2023, 7:03:01 AM",,unknown,,NT AUTHORITY\LOCAL SERVICE,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:03:01 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /bin/sh -c /usr/local/demisto/d1_Test2/upgrade_engine.sh >> /tmp/d1_Test2/demisto_install.log,/usr/bin/bash,bash,44132,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,7378f36b-3f84-3586-8482-9d904ea960df,727f2aad-3209-c937-7a56-8e04d9b72a60,73792846-4f61-1bc2-4505-aa7291b30f42,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73315287234808E+018,Undefined,"7/20/2023, 7:05:07 AM",01H5S1VGR81T56G4ZCKR5V7N29_2,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:05:23 AM",STAR,"7/20/2023, 7:05:23 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44130,"7/20/2023, 7:04:02 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:04:02 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44135,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,7378f36b-3f84-3586-8482-9d904ea960df,727f2aad-3209-c937-7a56-8e04d9b72a60,73792885-f06d-ebe3-9fd2-16c6bbeeb4f6,727f2aad-3209-c937-7a56-8e04d9b72a60,73792a93-b3f1-a4a6-2706-a764c17d214e,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73315288498133E+018,Undefined,"7/20/2023, 7:05:07 AM",01H5S1VGR81T56G4ZCKR5V7N29_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:05:24 AM",STAR,"7/20/2023, 7:05:24 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44130,"7/20/2023, 7:04:02 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44134,"7/20/2023, 7:04:02 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:04:02 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, diff --git a/Sample Data/ASIM/SentinelOne_ASimProcessEvent_RawLogs.json b/Sample Data/ASIM/SentinelOne_ASimProcessEvent_RawLogs.json new file mode 100644 index 00000000000..2e40b94007c --- /dev/null +++ b/Sample Data/ASIM/SentinelOne_ASimProcessEvent_RawLogs.json @@ -0,0 +1,6042 @@ +[ + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:10:09 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "0f81ec00-9e52-48e6-b899-eb3bbeede741", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "FB4511F580778F51", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "78d7744d-2837-40d2-aff4-bede5877836e", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/sendmail.postfix", + "targetProcessInfo_tgtProcName": "sendmail.postfix", + "targetProcessInfo_tgtProcPid": 44031, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "73fb41c2-2d0e-fbde-7534-9b3fb198f4a0", + "sourceParentProcessInfo_storyline": "73ffdf8e-0a44-5079-fd74-243fc15cbe7c", + "sourceParentProcessInfo_uniqueId": "73ffdf8e-0a44-5079-fd74-243fc15cbe7d", + "sourceProcessInfo_storyline": "73ffdf8e-0a33-5079-fd74-243fc15cbe7c", + "sourceProcessInfo_uniqueId": "73ffdf8e-0a22-5079-fd74-243fc15cbe7c", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733148765679480300, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 6:57:02 AM", + "alertInfo_dvEventId": "01H5S1B1DE1FQ1GQAM9BXQ29RT_3", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 6:57:13 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 6:57:13 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 889, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/18/2023, 8:56:05 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/crond", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "crond", + "sourceProcessInfo_pid": 44027, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:55:01 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 6:55:01 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:10:09 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "AC644457DCBAD901", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/postdrop -r", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/postdrop", + "targetProcessInfo_tgtProcName": "postdrop", + "targetProcessInfo_tgtProcPid": 44032, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "433C0EF580778F52", + "targetProcessInfo_tgtProcUid": "433C0EF580778F53", + "sourceParentProcessInfo_storyline": "433C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "423C0EF580778F51", + "sourceProcessInfo_storyline": "553D0EF580778F51", + "sourceProcessInfo_uniqueId": "543D0EF580778F51", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733148770502930700, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 6:57:02 AM", + "alertInfo_dvEventId": "01H5S1B1DE1FQ1GQAM9BXQ29RT_4", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 6:57:14 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 6:57:14 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 44027, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:55:01 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "090f9f343c64158f5590276eade3bc120ca19b1a", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/sendmail.postfix", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "sendmail.postfix", + "sourceProcessInfo_pid": 44031, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:55:01 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 6:55:01 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:10:09 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/sendmail.postfix", + "targetProcessInfo_tgtProcName": "sendmail.postfix", + "targetProcessInfo_tgtProcPid": 44042, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "73093e27-8ead-6ead-9311-613babbbf6ce", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733148924400349000, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 6:57:20 AM", + "alertInfo_dvEventId": "01H5S1CW09T3Y9PJPD6M1BR9W6_3", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 6:57:32 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 6:57:32 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 889, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/18/2023, 8:56:05 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/crond", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "crond", + "sourceProcessInfo_pid": 44038, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:56:01 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 6:56:02 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:10:09 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/postdrop -r", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/postdrop", + "targetProcessInfo_tgtProcName": "postdrop", + "targetProcessInfo_tgtProcPid": 44043, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "73093eac-5267-0e8d-984e-89194dce2324", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733148925750914800, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 6:57:20 AM", + "alertInfo_dvEventId": "01H5S1CW09T3Y9PJPD6M1BR9W6_4", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 6:57:32 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 6:57:32 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 44038, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:56:01 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "090f9f343c64158f5590276eade3bc120ca19b1a", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/sendmail.postfix", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "sendmail.postfix", + "sourceProcessInfo_pid": 44042, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:56:02 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 6:56:02 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:10:09 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/sendmail.postfix", + "targetProcessInfo_tgtProcName": "sendmail.postfix", + "targetProcessInfo_tgtProcPid": 44054, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "7317600a-da57-51e1-f547-19c0f33270a9", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733149316643306500, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 6:58:08 AM", + "alertInfo_dvEventId": "01H5S1EPKA5T8SG6SJ2PFAKNQF_3", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 6:58:19 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 6:58:19 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 889, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/18/2023, 8:56:05 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/crond", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "crond", + "sourceProcessInfo_pid": 44050, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:57:02 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 6:57:02 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:10:09 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/postdrop -r", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/postdrop", + "targetProcessInfo_tgtProcName": "postdrop", + "targetProcessInfo_tgtProcPid": 44055, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "731760e0-a8a1-0e25-fb68-c809b79a0fcd", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733149346213152000, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 6:58:08 AM", + "alertInfo_dvEventId": "01H5S1EPKA5T8SG6SJ2PFAKNQF_4", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 6:58:22 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 6:58:22 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 44050, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:57:02 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "090f9f343c64158f5590276eade3bc120ca19b1a", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/sendmail.postfix", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "sendmail.postfix", + "sourceProcessInfo_pid": 44054, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:57:02 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 6:57:02 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:10:09 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/sendmail.postfix", + "targetProcessInfo_tgtProcName": "sendmail.postfix", + "targetProcessInfo_tgtProcPid": 44065, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "73252e29-0db9-6ca2-c3de-049bfeac30ff", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733149846878878500, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 6:59:07 AM", + "alertInfo_dvEventId": "01H5S1GH6B620AGDRX5MF9M52M_3", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 6:59:22 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 6:59:22 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 889, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/18/2023, 8:56:05 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/crond", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "crond", + "sourceProcessInfo_pid": 44061, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:58:01 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 6:58:01 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:10:09 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/postdrop -r", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/postdrop", + "targetProcessInfo_tgtProcName": "postdrop", + "targetProcessInfo_tgtProcPid": 44066, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "73252ed6-aff1-c3f8-48c2-765f7b668d7c", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733149885760081000, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 6:59:07 AM", + "alertInfo_dvEventId": "01H5S1GH6B620AGDRX5MF9M52M_4", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 6:59:27 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 6:59:27 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 44061, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:58:01 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "090f9f343c64158f5590276eade3bc120ca19b1a", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/sendmail.postfix", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "sendmail.postfix", + "sourceProcessInfo_pid": 44065, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:58:01 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "CLW547-\\Crest", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 6:58:01 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:20:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/bin/sh -c /usr/local/demisto/d1_Test2/upgrade_engine.sh >> /tmp/d1_Test2/demisto_install.log", + "targetProcessInfo_tgtProcImagePath": "/usr/bin/bash", + "targetProcessInfo_tgtProcName": "bash", + "targetProcessInfo_tgtProcPid": 44075, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "733322a5-11bb-42e8-c701-7a97051c8a5b", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733150283338197000, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 7:00:06 AM", + "alertInfo_dvEventId": "01H5S1JBSA1YTHPHEXZY2S2G0T_2", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 7:00:14 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 7:00:14 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 889, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/18/2023, 8:56:05 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/crond", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "crond", + "sourceProcessInfo_pid": 44073, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:59:01 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "CLW547-\\Crest", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 6:59:01 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:20:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/postdrop -r", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/postdrop", + "targetProcessInfo_tgtProcName": "postdrop", + "targetProcessInfo_tgtProcPid": 44078, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "73332352-8023-8eb1-c3a3-410efe8eeb38", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733150304594931200, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 7:00:06 AM", + "alertInfo_dvEventId": "01H5S1JBSA1YTHPHEXZY2S2G0T_4", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 7:00:16 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 7:00:16 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 44073, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:59:01 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "090f9f343c64158f5590276eade3bc120ca19b1a", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/sendmail.postfix", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "sendmail.postfix", + "sourceProcessInfo_pid": 44077, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:59:01 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "CLW547-\\Crest", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 6:59:01 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:20:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/postdrop -r", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/postdrop", + "targetProcessInfo_tgtProcName": "postdrop", + "targetProcessInfo_tgtProcPid": 44088, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "734140eb-56bf-9270-ae70-d0582e8de351", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733150821383560400, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 7:01:07 AM", + "alertInfo_dvEventId": "01H5S1M6C8NJZ7KGNVCFBHK3VP_4", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 7:01:18 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 7:01:18 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 44083, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:00:01 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "090f9f343c64158f5590276eade3bc120ca19b1a", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/sendmail.postfix", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "sendmail.postfix", + "sourceProcessInfo_pid": 44087, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:00:02 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "CLW547-\\Crest", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 7:00:02 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:20:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/sendmail.postfix", + "targetProcessInfo_tgtProcName": "sendmail.postfix", + "targetProcessInfo_tgtProcPid": 44087, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "73414081-5469-2510-07c3-5b74509a4475", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733150886101677600, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 7:01:07 AM", + "alertInfo_dvEventId": "01H5S1M6C8NJZ7KGNVCFBHK3VP_3", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 7:01:26 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 7:01:26 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 889, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/18/2023, 8:56:05 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/crond", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "crond", + "sourceProcessInfo_pid": 44083, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:00:01 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 7:00:02 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:20:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/unix_chkpwd root chkexpiry", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/unix_chkpwd", + "targetProcessInfo_tgtProcName": "unix_chkpwd", + "targetProcessInfo_tgtProcPid": 44098, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "734f3932-0c7f-4e05-bfff-063d6b0c92eb", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733151254411937800, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 7:02:07 AM", + "alertInfo_dvEventId": "01H5S1P0Z9027WQRD3PNDF55V0_1", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 7:02:10 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 7:02:10 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 889, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/18/2023, 8:56:05 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/crond", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "crond", + "sourceProcessInfo_pid": 44097, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:01:02 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 7:01:02 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:20:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/postdrop -r", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/postdrop", + "targetProcessInfo_tgtProcName": "postdrop", + "targetProcessInfo_tgtProcPid": 44102, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "734f4380-8299-a345-7dd9-8723e4b66bec", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733151315011247400, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 7:02:07 AM", + "alertInfo_dvEventId": "01H5S1P0Z9027WQRD3PNDF55V0_4", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 7:02:17 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 7:02:17 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 44097, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:01:02 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "090f9f343c64158f5590276eade3bc120ca19b1a", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/sendmail.postfix", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "sendmail.postfix", + "sourceProcessInfo_pid": 44101, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:01:02 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "NT AUTHORITY\\NETWORK SERVICE", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 7:01:02 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:20:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/bin/sh -c /usr/local/demisto/d1_Test2/upgrade_engine.sh >> /tmp/d1_Test2/demisto_install.log", + "targetProcessInfo_tgtProcImagePath": "/usr/bin/bash", + "targetProcessInfo_tgtProcName": "bash", + "targetProcessInfo_tgtProcPid": 44109, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "735d0a85-074c-1c9d-7ba8-49901518524b", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733151796769051600, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 7:03:07 AM", + "alertInfo_dvEventId": "01H5S1QVJCZMW7ZPZR8JGBQBND_2", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 7:03:14 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 7:03:14 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 889, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/18/2023, 8:56:05 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/crond", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "crond", + "sourceProcessInfo_pid": 44107, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:02:01 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "NT AUTHORITY\\NETWORK SERVICE", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 7:02:01 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:20:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/postdrop -r", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/postdrop", + "targetProcessInfo_tgtProcName": "postdrop", + "targetProcessInfo_tgtProcPid": 44112, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "735d0b74-844c-af22-aa4a-433abde9c7a9", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733151817899958000, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 7:03:07 AM", + "alertInfo_dvEventId": "01H5S1QVJCZMW7ZPZR8JGBQBND_4", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 7:03:17 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 7:03:17 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 44107, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:02:01 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "090f9f343c64158f5590276eade3bc120ca19b1a", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/sendmail.postfix", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "sendmail.postfix", + "sourceProcessInfo_pid": 44111, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:02:01 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 7:02:01 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:20:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/postdrop -r", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/postdrop", + "targetProcessInfo_tgtProcName": "postdrop", + "targetProcessInfo_tgtProcPid": 44124, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "736b0422-db47-f377-3d29-85f017d9f67f", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733152335980435000, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 7:04:07 AM", + "alertInfo_dvEventId": "01H5S1SP59R24VZ5C4YRRQVRH7_4", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 7:04:19 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 7:04:19 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 44119, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:03:01 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "090f9f343c64158f5590276eade3bc120ca19b1a", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/sendmail.postfix", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "sendmail.postfix", + "sourceProcessInfo_pid": 44123, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:03:01 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "NT AUTHORITY\\LOCAL SERVICE", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 7:03:01 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:20:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/unix_chkpwd root chkexpiry", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/unix_chkpwd", + "targetProcessInfo_tgtProcName": "unix_chkpwd", + "targetProcessInfo_tgtProcPid": 44120, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "736afa63-ed30-cc33-824b-b8dadff8a989", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733152339512039400, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 7:04:07 AM", + "alertInfo_dvEventId": "01H5S1SP59R24VZ5C4YRRQVRH7_1", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 7:04:19 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 7:04:19 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 889, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/18/2023, 8:56:05 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/crond", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "crond", + "sourceProcessInfo_pid": 44119, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:03:01 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "NT AUTHORITY\\LOCAL SERVICE", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 7:03:01 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:20:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/bin/sh -c /usr/local/demisto/d1_Test2/upgrade_engine.sh >> /tmp/d1_Test2/demisto_install.log", + "targetProcessInfo_tgtProcImagePath": "/usr/bin/bash", + "targetProcessInfo_tgtProcName": "bash", + "targetProcessInfo_tgtProcPid": 44132, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "73792846-4f61-1bc2-4505-aa7291b30f42", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733152872348083200, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 7:05:07 AM", + "alertInfo_dvEventId": "01H5S1VGR81T56G4ZCKR5V7N29_2", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 7:05:23 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 7:05:23 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 889, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/18/2023, 8:56:05 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/crond", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "crond", + "sourceProcessInfo_pid": 44130, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:04:02 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 7:04:02 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:20:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/postdrop -r", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/postdrop", + "targetProcessInfo_tgtProcName": "postdrop", + "targetProcessInfo_tgtProcPid": 44135, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "73792a93-b3f1-a4a6-2706-a764c17d214e", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733152884981328000, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 7:05:07 AM", + "alertInfo_dvEventId": "01H5S1VGR81T56G4ZCKR5V7N29_4", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 7:05:24 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 7:05:24 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 44130, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:04:02 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "090f9f343c64158f5590276eade3bc120ca19b1a", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/sendmail.postfix", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "sendmail.postfix", + "sourceProcessInfo_pid": 44134, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:04:02 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 7:04:02 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + } +] \ No newline at end of file