From 0b196dd65ec4c9874a63082ef9ae2ab426ef2d95 Mon Sep 17 00:00:00 2001 From: Jayesh Prajapati Date: Sun, 30 Jul 2023 12:55:36 +0530 Subject: [PATCH 1/9] ASIM Process Event schema parser with its sample and test data for SentinelOne. --- .../CustomTables/SentinelOne_CL.json | 896 ++++++++++++++++++ .../Parsers/ASimProcessCreateSentinelOne.yaml | 103 ++ .../Parsers/ASimProcessEvent.yaml | 4 +- .../ASimProcessEvent/Parsers/imProcess.yaml | 3 +- .../Parsers/vimProcessCreateSentinelOne.yaml | 184 ++++ ...SentinelOne_ASimProcessCreate_DataTest.csv | 20 + ...ntinelOne_ASimProcessCreate_SchemaTest.csv | 85 ++ .../SentinelOne_vimProcessCreate_DataTest.csv | 20 + ...entinelOne_vimProcessCreate_SchemaTest.csv | 85 ++ ...SentinelOne_ASimFileEvent_IngestedLogs.csv | 17 + Sample Data/ASIM/SentinelOne_CL_Schema.csv | 313 ++++++ 11 files changed, 1728 insertions(+), 2 deletions(-) create mode 100644 Parsers/ASimProcessEvent/Parsers/ASimProcessCreateSentinelOne.yaml create mode 100644 Parsers/ASimProcessEvent/Parsers/vimProcessCreateSentinelOne.yaml create mode 100644 Parsers/ASimProcessEvent/test/SentinelOne_ASimProcessCreate_DataTest.csv create mode 100644 Parsers/ASimProcessEvent/test/SentinelOne_ASimProcessCreate_SchemaTest.csv create mode 100644 Parsers/ASimProcessEvent/test/SentinelOne_vimProcessCreate_DataTest.csv create mode 100644 Parsers/ASimProcessEvent/test/SentinelOne_vimProcessCreate_SchemaTest.csv create mode 100644 Sample Data/ASIM/SentinelOne_ASimFileEvent_IngestedLogs.csv create mode 100644 Sample Data/ASIM/SentinelOne_CL_Schema.csv diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json index c88a505bedd..a240d92d89b 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json 
@@ -388,6 +388,902 @@ { "Name": "_ResourceId", "Type": "string" + }, + { + "Name": "alertInfo_indicatorDescription_s", + "Type": "string" + }, + { + "Name": "alertInfo_indicatorName_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileOldPath_s", + "Type": "string" + }, + { + "Name": "alertInfo_indicatorCategory_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryOldValue_g", + "Type": "string" + }, + { + "Name": "alertInfo_dstIp_s", + "Type": "string" + }, + { + "Name": "alertInfo_dstPort_s", + "Type": "string" + }, + { + "Name": "alertInfo_netEventDirection_s", + "Type": "string" + }, + { + "Name": "alertInfo_srcIp_s", + "Type": "string" + }, + { + "Name": "alertInfo_srcPort_s", + "Type": "string" + }, + { + "Name": "containerInfo_id_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileId_g", + "Type": "string" + }, + { + "Name": "alertInfo_registryOldValue_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryOldValueType_s", + "Type": "string" + }, + { + "Name": "alertInfo_dnsRequest_s", + "Type": "string" + }, + { + "Name": "alertInfo_dnsResponse_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryKeyPath_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryPath_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryValue_g", + "Type": "string" + }, + { + "Name": "ruleInfo_description_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryValue_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginAccountDomain_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginAccountSid_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginIsAdministratorEquivalent_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginIsSuccessful_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginType_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginsUserName_s", + "Type": "string" + }, + { + "Name": "alertInfo_srcMachineIp_s", + "Type": "string" + }, + { + "Name": 
"targetProcessInfo_tgtProcCmdLine_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcImagePath_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcName_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcPid_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcSignedStatus_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcStorylineId_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcUid_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_storyline_g", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_uniqueId_g", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_storyline_g", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_uniqueId_g", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcStorylineId_g", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcUid_g", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_machineType_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_name_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_osFamily_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_osName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_osRevision_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_uuid_g", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_version_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_id_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_infected_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_isActive_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_isDecommissioned_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_machineType_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_name_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_os_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_uuid_g", + "Type": "string" + }, 
+ { + "Name": "alertInfo_alertId_s", + "Type": "string" + }, + { + "Name": "alertInfo_analystVerdict_s", + "Type": "string" + }, + { + "Name": "alertInfo_createdAt_t", + "Type": "datetime" + }, + { + "Name": "alertInfo_dvEventId_s", + "Type": "string" + }, + { + "Name": "alertInfo_eventType_s", + "Type": "string" + }, + { + "Name": "alertInfo_hitType_s", + "Type": "string" + }, + { + "Name": "alertInfo_incidentStatus_s", + "Type": "string" + }, + { + "Name": "alertInfo_isEdr_b", + "Type": "bool" + }, + { + "Name": "alertInfo_reportedAt_t", + "Type": "datetime" + }, + { + "Name": "alertInfo_source_s", + "Type": "string" + }, + { + "Name": "alertInfo_updatedAt_t", + "Type": "datetime" + }, + { + "Name": "ruleInfo_id_s", + "Type": "string" + }, + { + "Name": "ruleInfo_name_s", + "Type": "string" + }, + { + "Name": "ruleInfo_queryLang_s", + "Type": "string" + }, + { + "Name": "ruleInfo_queryType_s", + "Type": "string" + }, + { + "Name": "ruleInfo_s1ql_s", + "Type": "string" + }, + { + "Name": "ruleInfo_scopeLevel_s", + "Type": "string" + }, + { + "Name": "ruleInfo_severity_s", + "Type": "string" + }, + { + "Name": "ruleInfo_treatAsThreat_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_commandline_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileHashMd5_g", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileHashSha1_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileHashSha256_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_filePath_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileSignerIdentity_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_integrityLevel_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_name_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_pid_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_pidStarttime_t", + "Type": "datetime" + }, + { + "Name": 
"sourceParentProcessInfo_storyline_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_subsystem_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_uniqueId_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_user_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_commandline_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileHashMd5_g", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileHashSha1_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileHashSha256_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_filePath_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileSignerIdentity_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_integrityLevel_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_name_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_pid_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_pidStarttime_t", + "Type": "datetime" + }, + { + "Name": "sourceProcessInfo_storyline_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_subsystem_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_uniqueId_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_user_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileCreatedAt_t", + "Type": "datetime" + }, + { + "Name": "targetProcessInfo_tgtFileHashSha1_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileHashSha256_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileId_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileIsSigned_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileModifiedAt_t", + "Type": "datetime" + }, + { + "Name": "targetProcessInfo_tgtFilePath_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcIntegrityLevel_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcessStartTime_t", + "Type": "datetime" + }, 
+ { + "Name": "agentUpdatedVersion_s", + "Type": "string" + }, + { + "Name": "agentId_s", + "Type": "string" + }, + { + "Name": "hash_s", + "Type": "string" + }, + { + "Name": "osFamily_s", + "Type": "string" + }, + { + "Name": "threatId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_accountId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_accountName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentDetectionState_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentDomain_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentIpV4_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentIpV6_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentLastLoggedInUserName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentMitigationMode_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentOsName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentOsRevision_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentRegisteredAt_t", + "Type": "datetime" + }, + { + "Name": "agentDetectionInfo_agentUuid_g", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentVersion_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_externalIp_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_groupId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_groupName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_siteId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_siteName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_accountId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_accountName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_activeThreats_d", + "Type": "real" + }, + { + "Name": "agentRealtimeInfo_agentComputerName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentDomain_s", + "Type": "string" + }, + { + 
"Name": "agentRealtimeInfo_agentId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentInfected_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_agentIsActive_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_agentIsDecommissioned_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_agentMachineType_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentMitigationMode_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentNetworkStatus_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentOsName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentOsRevision_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentOsType_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentUuid_g", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentVersion_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_groupId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_groupName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_networkInterfaces_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_operationalState_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_rebootRequired_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_scanFinishedAt_t", + "Type": "datetime" + }, + { + "Name": "agentRealtimeInfo_scanStartedAt_t", + "Type": "datetime" + }, + { + "Name": "agentRealtimeInfo_scanStatus_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_siteId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_siteName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_userActionsNeeded_s", + "Type": "string" + }, + { + "Name": "indicators_s", + "Type": "string" + }, + { + "Name": "mitigationStatus_s", + "Type": "string" + }, + { + "Name": "threatInfo_analystVerdict_s", + "Type": "string" + }, + { + "Name": "threatInfo_analystVerdictDescription_s", + "Type": "string" + }, + { + "Name": 
"threatInfo_automaticallyResolved_b", + "Type": "bool" + }, + { + "Name": "threatInfo_certificateId_s", + "Type": "string" + }, + { + "Name": "threatInfo_classification_s", + "Type": "string" + }, + { + "Name": "threatInfo_classificationSource_s", + "Type": "string" + }, + { + "Name": "threatInfo_cloudFilesHashVerdict_s", + "Type": "string" + }, + { + "Name": "threatInfo_collectionId_s", + "Type": "string" + }, + { + "Name": "threatInfo_confidenceLevel_s", + "Type": "string" + }, + { + "Name": "threatInfo_createdAt_t", + "Type": "datetime" + }, + { + "Name": "threatInfo_detectionEngines_s", + "Type": "string" + }, + { + "Name": "threatInfo_detectionType_s", + "Type": "string" + }, + { + "Name": "threatInfo_engines_s", + "Type": "string" + }, + { + "Name": "threatInfo_externalTicketExists_b", + "Type": "bool" + }, + { + "Name": "threatInfo_failedActions_b", + "Type": "bool" + }, + { + "Name": "threatInfo_fileExtension_s", + "Type": "string" + }, + { + "Name": "threatInfo_fileExtensionType_s", + "Type": "string" + }, + { + "Name": "threatInfo_filePath_s", + "Type": "string" + }, + { + "Name": "threatInfo_fileSize_d", + "Type": "real" + }, + { + "Name": "threatInfo_fileVerificationType_s", + "Type": "string" + }, + { + "Name": "threatInfo_identifiedAt_t", + "Type": "datetime" + }, + { + "Name": "threatInfo_incidentStatus_s", + "Type": "string" + }, + { + "Name": "threatInfo_incidentStatusDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_initiatedBy_s", + "Type": "string" + }, + { + "Name": "threatInfo_initiatedByDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_isFileless_b", + "Type": "bool" + }, + { + "Name": "threatInfo_isValidCertificate_b", + "Type": "bool" + }, + { + "Name": "threatInfo_mitigatedPreemptively_b", + "Type": "bool" + }, + { + "Name": "threatInfo_mitigationStatus_s", + "Type": "string" + }, + { + "Name": "threatInfo_mitigationStatusDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_originatorProcess_s", 
+ "Type": "string" + }, + { + "Name": "threatInfo_pendingActions_b", + "Type": "bool" + }, + { + "Name": "threatInfo_processUser_s", + "Type": "string" + }, + { + "Name": "threatInfo_publisherName_s", + "Type": "string" + }, + { + "Name": "threatInfo_reachedEventsLimit_b", + "Type": "bool" + }, + { + "Name": "threatInfo_rebootRequired_b", + "Type": "bool" + }, + { + "Name": "threatInfo_sha1_s", + "Type": "string" + }, + { + "Name": "threatInfo_storyline_s", + "Type": "string" + }, + { + "Name": "threatInfo_threatId_s", + "Type": "string" + }, + { + "Name": "threatInfo_threatName_s", + "Type": "string" + }, + { + "Name": "threatInfo_updatedAt_t", + "Type": "datetime" + }, + { + "Name": "whiteningOptions_s", + "Type": "string" + }, + { + "Name": "threatInfo_maliciousProcessArguments_s", + "Type": "string" + }, + { + "Name": "threatInfo_fileExtension_g", + "Type": "string" + }, + { + "Name": "threatInfo_threatName_g", + "Type": "string" + }, + { + "Name": "threatInfo_storyline_g", + "Type": "string" + }, + { + "Name": "activityUuid_g", + "Type": "string" + }, + { + "Name": "secondaryDescription_s", + "Type": "string" + }, + { + "Name": "DataFields_s", + "Type": "string" + }, + { + "Name": "description_s", + "Type": "string" + }, + { + "Name": "comments_s", + "Type": "string" + }, + { + "Name": "detectionState_s", + "Type": "string" + }, + { + "Name": "firstFullModeTime_t", + "Type": "datetime" + }, + { + "Name": "fullDiskScanLastUpdatedAt_t", + "Type": "datetime" + }, + { + "Name": "serialNumber_s", + "Type": "string" + }, + { + "Name": "showAlertIcon_b", + "Type": "bool" + }, + { + "Name": "tags_sentinelone_s", + "Type": "string" + }, + { + "Name": "osUsername_s", + "Type": "string" + }, + { + "Name": "scanAbortedAt_t", + "Type": "datetime" } ] } \ No newline at end of file 
diff --git a/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateSentinelOne.yaml b/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateSentinelOne.yaml new file mode 100644 index 00000000000..893a24d8fdb --- /dev/null +++ b/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateSentinelOne.yaml 
@@ -0,0 +1,103 @@ +Parser: + Title: Process Create ASIM parser for SentinelOne + Version: '0.1.1' + LastUpdated: Jul 24, 2023 +Product: + Name: SentinelOne +Normalization: + Schema: ProcessEvent + Version: '0.1.4' +References: +- Title: ASIM ProcessEvent Schema + Link: https://aka.ms/ASimProcessEventDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +- Title: SentinelOne Documentation +- Link: https://.sentinelone.net/api-doc/overview +Description: | + This ASIM parser supports normalizing SentinelOne logs to the ASIM Process Event normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API. +ParserName: ASimProcessCreateSentinelOne +EquivalentBuiltInParser: _Im_ProcessCreate_SentinelOne +ParserParams: + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let parser = (disabled: bool=false) { + SentinelOne_CL + | where not(disabled) + and event_name_s == "Alerts." 
+ and alertInfo_eventType_s == "PROCESSCREATION" + | project-rename + DvcId = agentDetectionInfo_uuid_g, + EventStartTime = sourceProcessInfo_pidStarttime_t, + TargetProcessCommandLine = targetProcessInfo_tgtProcCmdLine_s, + TargetProcessId = targetProcessInfo_tgtProcPid_s, + TargetProcessName = targetProcessInfo_tgtProcName_s, + EventUid = _ResourceId, + TargetProcessCreationTime = targetProcessInfo_tgtProcessStartTime_t, + DvcHostname = agentDetectionInfo_name_s, + ActingProcessName = sourceProcessInfo_name_s, + ParentProcessName = sourceParentProcessInfo_name_s, + ActingProcessCommandLine = sourceProcessInfo_commandline_s, + ActingProcessGuid = sourceProcessInfo_uniqueId_g, + ActingProcessSHA1 = sourceProcessInfo_fileHashSha1_s, + ParentProcessSHA1 = sourceParentProcessInfo_fileHashSha1_s, + ActingProcessSHA256 = sourceProcessInfo_fileHashSha256_s, + ParentProcessSHA256 = sourceParentProcessInfo_fileHashSha256_s, + DvcOs = agentDetectionInfo_osName_s, + DvcOsVersion = agentDetectionInfo_version_s, + TargetProcessIntegrityLevel = targetProcessInfo_tgtProcIntegrityLevel_s, + EventOriginalType = alertInfo_eventType_s, + EventOriginalUid = alertInfo_dvEventId_s + | extend + ActingProcessId = sourceProcessInfo_pid_s, + ActorUsername = coalesce(sourceProcessInfo_user_s, 'N/A'), + TargetUsername = coalesce(sourceProcessInfo_user_s, 'N/A'), + Hash = coalesce(targetProcessInfo_tgtFileHashSha256_s, targetProcessInfo_tgtFileHashSha1_s), + ParentProcessId = sourceProcessInfo_pid_s, + TargetProcessSHA1 = targetProcessInfo_tgtFileHashSha1_s, + TargetProcessSHA256 = targetProcessInfo_tgtFileHashSha256_s, + ParentProcessMD5 = replace_string(sourceParentProcessInfo_fileHashMd5_g, "-", ""), + ActingProcessMD5 = replace_string(sourceProcessInfo_fileHashMd5_g, "-", ""), + EventSeverity = iff(ruleInfo_severity_s == "Critical", "High", ruleInfo_severity_s) + | extend + EventCount = int(1), + EventProduct = "SentinelOne", + EventResult = "Success", + EventSchemaVersion = "0.1.4", + 
EventType = "ProcessCreated", + EventVendor = "SentinelOne", + EventSchema = "ProcessEvent" + | extend + Dvc = DvcId, + EventEndTime = EventStartTime, + User = TargetUsername, + ActingProcessCreationTime = EventStartTime, + CommandLine = TargetProcessCommandLine, + Process = TargetProcessName + | extend + HashType = case( + isnotempty(Hash) and isnotempty(TargetProcessSHA256), + "SHA256", + isnotempty(Hash) and isnotempty(TargetProcessSHA1), + "SHA1", + "" + ), + TargetUsernameType = _ASIM_GetUsernameType(TargetUsername), + DvcIdType = iff(isnotempty(DvcId), "Other", ""), + ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) + | project-away + *_d, + *_s, + *_g, + *_t, + *_b, + TenantId, + RawData, + Computer, + MG, + ManagementGroupName, + SourceSystem + }; + parser(disabled=disabled) \ No newline at end of file diff --git a/Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml b/Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml index 5acb6b87c27..0b0320cb7ad 100644 --- a/Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml +++ b/Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml @@ -29,6 +29,7 @@ Parsers: - _ASim_ProcessEvent_TerminateMicrosoftWindowsEvents - _ASim_ProcessEvent_CreateMicrosoftWindowsEvents - _ASim_ProcessEvent_MD4IoT + - _ASim_ProcessEvent_CreateSentinelOne ParserQuery: | let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser); 
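Review bot: `ParentProcessId = sourceProcessInfo_pid_s` reads the same column as `ActingProcessId`, so the parent and acting PIDs are always identical; the parent PID is in `sourceParentProcessInfo_pid_s`, consistent with the `ParentProcessSHA1`/`ParentProcessSHA256` mappings a few lines above, so the line should be `ParentProcessId = sourceParentProcessInfo_pid_s,`. `EventUid = _ResourceId` maps an Azure resource path rather than a per-record identifier (the DataTest baseline in this commit reports EventUid empty in 100% of records); other ASIM parsers use `_ItemId`, so `EventUid = _ItemId,` is the likely intent. The header declares `EquivalentBuiltInParser: _Im_ProcessCreate_SentinelOne` while ASimProcessEvent.yaml registers this parser as `_ASim_ProcessEvent_CreateSentinelOne`; the ASim variant should name the `_ASim_` built-in. In References, `- Link:` opens a new list item instead of nesting under the SentinelOne Documentation title, and `https://.sentinelone.net/api-doc/overview` has an empty host label. The dash-stripping of the `_g` MD5 columns deserves a why-comment such as `// MD5 columns were ingested as GUIDs (_g) and render with dashes; strip them to recover the 32-hex digest`.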
@@ -44,4 +45,5 @@ ParserQuery: | ASimProcessTerminateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateLinuxSysmon' in (DisabledParsers) )), ASimProcessTerminateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )), ASimProcessCreateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )), - ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoTh' in (DisabledParsers) )) + ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoTh' in (DisabledParsers) )), + ASimProcessvimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessvimProcessCreateSentinelOne' in (DisabledParsers) )) diff --git a/Parsers/ASimProcessEvent/Parsers/imProcess.yaml b/Parsers/ASimProcessEvent/Parsers/imProcess.yaml index 5e836892c46..d8730566d71 100644 --- a/Parsers/ASimProcessEvent/Parsers/imProcess.yaml +++ b/Parsers/ASimProcessEvent/Parsers/imProcess.yaml @@ -28,4 +28,5 @@ ParserQuery: | vimProcessTerminateLinuxSysmon, vimProcessTerminateMicrosoftWindowsEvents, vimProcessCreateMicrosoftWindowsEvents, - vimProcessEventMD4IoT + vimProcessEventMD4IoT, + vimProcessEventCreateSentinelOne diff --git a/Parsers/ASimProcessEvent/Parsers/vimProcessCreateSentinelOne.yaml b/Parsers/ASimProcessEvent/Parsers/vimProcessCreateSentinelOne.yaml new file mode 100644 index 00000000000..ac2cfed3479 --- /dev/null +++ b/Parsers/ASimProcessEvent/Parsers/vimProcessCreateSentinelOne.yaml 
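Review bot: The union calls `ASimProcessvimProcessCreateSentinelOne`, but the parser added in this commit is named `ASimProcessCreateSentinelOne` (its `ParserName`), so the union will fail to resolve the function. The exclusion key should also follow the existing `ExcludeASimProcessCreate…` pattern, giving `ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) ))`. The union expression this line belongs to starts before the hunk.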
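Review bot: `vimProcessEventCreateSentinelOne` does not match the new parser's `ParserName: vimProcessCreateSentinelOne`, so the filtering union will reference an undefined function; the entry should read `vimProcessCreateSentinelOne`. The union expression begins before this hunk, so the parameter pass-through is not visible here and should be checked against the new parser's parameter list as well.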
@@ -0,0 +1,184 @@ +Parser: + Title: Process Create ASIM parser for SentinelOne + Version: '0.1.1' + LastUpdated: Jul 24, 2023 +Product: + Name: SentinelOne +Normalization: + Schema: ProcessEvent + Version: '0.1.4' +References: +- Title: ASIM ProcessEvent Schema + Link: https://aka.ms/ASimProcessEventDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +- Title: SentinelOne Documentation +- Link: https://.sentinelone.net/api-doc/overview +Description: | + This ASIM parser supports normalizing SentinelOne logs to the ASIM Process Event normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API. +ParserName: vimProcessCreateSentinelOne +EquivalentBuiltInParser: _Im_ProcessCreate_SentinelOne +ParserParams: + - Name: starttime + Type: datetime + Default: datetime(null) + - Name: endtime + Type: datetime + Default: datetime(null) + - Name: commandline_has_any + Type: dynamic + Default: dynamic([]) + - Name: commandline_has_all + Type: dynamic + Default: dynamic([]) + - Name: commandline_has_any_ip_prefix + Type: dynamic + Default: dynamic([]) + - Name: actingprocess_has_any + Type: dynamic + Default: dynamic([]) + - Name: targetprocess_has_any + Type: dynamic + Default: dynamic([]) + - Name: parentprocess_has_any + Type: dynamic + Default: dynamic([]) + - Name: targetusername_has + Type: string + Default: '*' + - Name: dvcipaddr_has_any_prefix + Type: dynamic + Default: dynamic([]) + - Name: dvcname_has_any + Type: dynamic + Default: dynamic([]) + - Name: hashes_has_any + Type: dynamic + Default: dynamic([]) + - Name: eventtype + Type: string + Default: '*' + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let parser = ( + starttime: datetime=datetime(null), + endtime: datetime=datetime(null), + commandline_has_any: dynamic=dynamic([]), + commandline_has_all: 
dynamic=dynamic([]), + commandline_has_any_ip_prefix: dynamic=dynamic([]), + actingprocess_has_any: dynamic=dynamic([]), + targetprocess_has_any: dynamic=dynamic([]), + parentprocess_has_any: dynamic=dynamic([]), + targetusername_has: string='*', + dvcipaddr_has_any_prefix: dynamic=dynamic([]), + dvcname_has_any: dynamic=dynamic([]), + eventtype: string='*', + hashes_has_any: dynamic=dynamic([]), + disabled: bool=false) { + SentinelOne_CL + | where not(disabled) + and (isnull(starttime) or TimeGenerated >= starttime) + and (isnull(endtime) or TimeGenerated <= endtime) + and event_name_s == "Alerts." + and alertInfo_eventType_s == "PROCESSCREATION" + and (eventtype == '*' or eventtype == 'PROCESSCREATION') + and array_length(dvcipaddr_has_any_prefix) == 0 + and (targetusername_has == '*' or sourceProcessInfo_user_s has targetusername_has) + and (array_length(commandline_has_all) == 0 or targetProcessInfo_tgtProcCmdLine_s has_all (commandline_has_all)) + and (array_length(commandline_has_any) == 0 or targetProcessInfo_tgtProcCmdLine_s has_any (commandline_has_any)) + and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(targetProcessInfo_tgtProcCmdLine_s, commandline_has_any_ip_prefix)) + and (array_length(actingprocess_has_any) == 0 or sourceProcessInfo_name_s has_any (actingprocess_has_any)) + and (array_length(targetprocess_has_any) == 0 or targetProcessInfo_tgtProcName_s has_any (targetprocess_has_any)) + and (array_length(parentprocess_has_any) == 0 or sourceParentProcessInfo_name_s has_any (parentprocess_has_any)) + and (array_length(dvcname_has_any) == 0 or agentDetectionInfo_name_s has_any (dvcname_has_any)) + and array_length(hashes_has_any) == 0 or targetProcessInfo_tgtFileHashSha1_s has_any (hashes_has_any) or targetProcessInfo_tgtFileHashSha256_s has_any (hashes_has_any) + | project-rename + DvcId = agentDetectionInfo_uuid_g, + EventStartTime = sourceProcessInfo_pidStarttime_t, + TargetProcessCommandLine = 
targetProcessInfo_tgtProcCmdLine_s, + TargetProcessId = targetProcessInfo_tgtProcPid_s, + TargetProcessName = targetProcessInfo_tgtProcName_s, + EventUid = _ResourceId, + TargetProcessCreationTime = targetProcessInfo_tgtProcessStartTime_t, + DvcHostname = agentDetectionInfo_name_s, + ActingProcessName = sourceProcessInfo_name_s, + ParentProcessName = sourceParentProcessInfo_name_s, + ActingProcessCommandLine = sourceProcessInfo_commandline_s, + ActingProcessGuid = sourceProcessInfo_uniqueId_g, + ActingProcessSHA1 = sourceProcessInfo_fileHashSha1_s, + ParentProcessSHA1 = sourceParentProcessInfo_fileHashSha1_s, + ActingProcessSHA256 = sourceProcessInfo_fileHashSha256_s, + ParentProcessSHA256 = sourceParentProcessInfo_fileHashSha256_s, + DvcOs = agentDetectionInfo_osName_s, + DvcOsVersion = agentDetectionInfo_version_s, + TargetProcessIntegrityLevel = targetProcessInfo_tgtProcIntegrityLevel_s, + EventOriginalType = alertInfo_eventType_s, + EventOriginalUid = alertInfo_dvEventId_s + | extend + ActingProcessId = sourceProcessInfo_pid_s, + ActorUsername = coalesce(sourceProcessInfo_user_s, 'N/A'), + TargetUsername = coalesce(sourceProcessInfo_user_s, 'N/A'), + Hash = coalesce(targetProcessInfo_tgtFileHashSha256_s, targetProcessInfo_tgtFileHashSha1_s), + ParentProcessId = sourceProcessInfo_pid_s, + TargetProcessSHA1 = targetProcessInfo_tgtFileHashSha1_s, + TargetProcessSHA256 = targetProcessInfo_tgtFileHashSha256_s, + ParentProcessMD5 = replace_string(sourceParentProcessInfo_fileHashMd5_g, "-", ""), + ActingProcessMD5 = replace_string(sourceProcessInfo_fileHashMd5_g, "-", ""), + EventSeverity = iff(ruleInfo_severity_s == "Critical", "High", ruleInfo_severity_s) + | extend + EventCount = int(1), + EventProduct = "SentinelOne", + EventResult = "Success", + EventSchemaVersion = "0.1.4", + EventType = "ProcessCreated", + EventVendor = "SentinelOne", + EventSchema = "ProcessEvent" + | extend + Dvc = DvcId, + EventEndTime = EventStartTime, + User = TargetUsername, + 
ActingProcessCreationTime = EventStartTime, + CommandLine = TargetProcessCommandLine, + Process = TargetProcessName + | extend + HashType = case( + isnotempty(Hash) and isnotempty(TargetProcessSHA256), + "SHA256", + isnotempty(Hash) and isnotempty(TargetProcessSHA1), + "SHA1", + "" + ), + TargetUsernameType = _ASIM_GetUsernameType(TargetUsername), + DvcIdType = iff(isnotempty(DvcId), "Other", ""), + ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) + | project-away + *_d, + *_s, + *_g, + *_t, + *_b, + TenantId, + RawData, + Computer, + MG, + ManagementGroupName, + SourceSystem + }; + parser( + starttime=starttime, + endtime=endtime, + commandline_has_any=commandline_has_any, + commandline_has_all=commandline_has_all, + commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, + actingprocess_has_any=actingprocess_has_any, + targetprocess_has_any=targetprocess_has_any, + parentprocess_has_any=parentprocess_has_any, + targetusername_has=targetusername_has, + dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, + dvcname_has_any=dvcname_has_any, + eventtype=eventtype, + hashes_has_any=hashes_has_any, + disabled=disabled + ) diff --git a/Parsers/ASimProcessEvent/test/SentinelOne_ASimProcessCreate_DataTest.csv b/Parsers/ASimProcessEvent/test/SentinelOne_ASimProcessCreate_DataTest.csv new file mode 100644 index 00000000000..5d2a5911362 --- /dev/null +++ b/Parsers/ASimProcessEvent/test/SentinelOne_ASimProcessCreate_DataTest.csv 
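Review bot: The hash filter at the end of the `where` clause is not parenthesized, and because `and` binds tighter than `or`, any non-empty `hashes_has_any` turns the predicate into `(all other conditions and false) or sha1 has_any(...) or sha256 has_any(...)`, discarding the `disabled`, time-window, event-name and event-type checks for matching rows; it should read `and (array_length(hashes_has_any) == 0 or targetProcessInfo_tgtFileHashSha1_s has_any (hashes_has_any) or targetProcessInfo_tgtFileHashSha256_s has_any (hashes_has_any))`. The `eventtype` filter compares against the vendor value `'PROCESSCREATION'`, while the parser itself emits `EventType = "ProcessCreated"`; callers of the filtering parsers pass the normalized value, so the check should be `(eventtype == '*' or eventtype == 'ProcessCreated')`. `ParentProcessId = sourceProcessInfo_pid_s` duplicates `ActingProcessId`; the parent PID lives in `sourceParentProcessInfo_pid_s`. `dvcipaddr_has_any_prefix` is unconditionally rejected even though the table schema added in this commit carries `agentDetectionInfo_agentIpV4_s`; if that column is populated for alerts, mapping it to `DvcIpAddr` and filtering with `has_any_ipv4_prefix` would make the parameter functional.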
@@ -0,0 +1,20 @@
+Result
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 1625 records (32.22%) for field [DvcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:ProcessEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 5043 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:ProcessEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 5043 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:ProcessEvent)"
+"(1) Warning: Empty value in 2 records (0.04%) in mandatory field [TargetProcessName] (Schema:ProcessEvent)"
+"(1) Warning: Empty value in 6 records (0.12%) in mandatory field [TargetProcessCommandLine] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 140 records (2.78%) in optional field [ActingProcessCommandLine] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 140 records (2.78%) in optional field [ActingProcessName] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 194 records (3.85%) in optional field [ActingProcessGuid] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 3125 records (61.97%) in optional field [ParentProcessSHA1] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 469 records (9.3%) in optional field [ParentProcessName] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 4849 records (96.15%) in optional field [ActingProcessMD5] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 4849 records (96.15%) in optional field [ActingProcessSHA256] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 4850 records (96.17%) in optional field [ParentProcessMD5] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 4850 records (96.17%) in optional field [ParentProcessSHA256] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 5043 records (100.0%) in optional field [TargetProcessSHA1] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 5043 records (100.0%) in optional field [TargetProcessSHA256] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 5043 records (100.0%) in recommended field [EventUid] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 5043 records (100.0%) in recommended field [Hash] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 962 records (19.08%) in optional field [ActingProcessSHA1] (Schema:ProcessEvent)"
diff --git a/Parsers/ASimProcessEvent/test/SentinelOne_ASimProcessCreate_SchemaTest.csv b/Parsers/ASimProcessEvent/test/SentinelOne_ASimProcessCreate_SchemaTest.csv
new file mode 100644
index 00000000000..ff523a3ed7f
--- /dev/null
+++ b/Parsers/ASimProcessEvent/test/SentinelOne_ASimProcessCreate_SchemaTest.csv
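Review bot: This baseline is committed with three `(0) Error` rows, so known parser failures are being recorded as expected output rather than fixed: `DvcHostname` fails Hostname validation because `agentDetectionInfo_name_s` can carry an FQDN (`cent7splunk.ecsp33147.local`), and `EventVendor`/`EventProduct` = `SentinelOne` are rejected as Enumerated values. The hostname case affects consumers, since `dvcname_has_any` filtering and host-based correlation expect the short name in `DvcHostname` and the FQDN in `DvcFQDN` (which the SchemaTest reports missing), so the `DvcHostname = agentDetectionInfo_name_s` mapping should presumably become `DvcHostname = tostring(split(agentDetectionInfo_name_s, '.')[0])` with `DvcFQDN` populated when the name contains a dot. The Enumerated errors look like the tester's vendor/product vocabulary not yet listing SentinelOne, which needs updating alongside the parser instead of being baked into the baseline. The vim DataTest hunk carries the identical rows and the same points apply there. Separately, in the vim parser hunk above, `ParentProcessId = sourceProcessInfo_pid_s` copies the acting process PID while `ParentProcessName` comes from `sourceParentProcessInfo_*`; `sourceParentProcessInfo_pid_s` appears to be the intended source.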
@@ -0,0 +1,85 @@
+Result
+"(1) Warning: Missing recommended field [ActorUserId]"
+"(1) Warning: Missing recommended field [DvcDomainType]"
+"(1) Warning: Missing recommended field [DvcDomain]"
+"(1) Warning: Missing recommended field [DvcIpAddr]"
+"(1) Warning: Missing recommended field [TargetUserId]"
+"(2) Info: Missing optional field [ActingProcessFileCompany]"
+"(2) Info: Missing optional field [ActingProcessFileDescription]"
+"(2) Info: Missing optional field [ActingProcessFileInternalName]"
+"(2) Info: Missing optional field [ActingProcessFileOriginalName]"
+"(2) Info: Missing optional field [ActingProcessFileProduct]"
+"(2) Info: Missing optional field [ActingProcessFileSize]"
+"(2) Info: Missing optional field [ActingProcessFileVersion]"
+"(2) Info: Missing optional field [ActingProcessFilename]"
+"(2) Info: Missing optional field [ActingProcessIMPHASH]"
+"(2) Info: Missing optional field [ActingProcessInjectedAddress]"
+"(2) Info: Missing optional field [ActingProcessIntegrityLevel]"
+"(2) Info: Missing optional field [ActingProcessIsHidden]"
+"(2) Info: Missing optional field [ActingProcessSHA512]"
+"(2) Info: Missing optional field [ActingProcessTokenElevation]"
+"(2) Info: Missing optional field [ActorOriginalUserType]"
+"(2) Info: Missing optional field [ActorScopeId]"
+"(2) Info: Missing optional field [ActorScope]"
+"(2) Info: Missing optional field [ActorSessionId]"
+"(2) Info: Missing optional field [ActorUserAadId]"
+"(2) Info: Missing optional field [ActorUserSid]"
+"(2) Info: Missing optional field [ActorUserType]"
+"(2) Info: Missing optional field [ActorUserUpn]"
+"(2) Info: Missing optional field [AdditionalFields]"
+"(2) Info: Missing optional field [DvcAction]"
+"(2) Info: Missing optional field [DvcDescription]"
+"(2) Info: Missing optional field [DvcFQDN]"
+"(2) Info: Missing optional field [DvcInterface]"
+"(2) Info: Missing optional field [DvcMacAddr]"
+"(2) Info: Missing optional field [DvcOriginalAction]"
+"(2) Info: Missing optional field [DvcScopeId]"
+"(2) Info: Missing optional field [DvcScope]"
+"(2) Info: Missing optional field [DvcZone]"
+"(2) Info: Missing optional field [EventMessage]"
+"(2) Info: Missing optional field [EventOriginalResultDetails]"
+"(2) Info: Missing optional field [EventOriginalSeverity]"
+"(2) Info: Missing optional field [EventOriginalSubType]"
+"(2) Info: Missing optional field [EventOwner]"
+"(2) Info: Missing optional field [EventProductVersion]"
+"(2) Info: Missing optional field [EventReportUrl]"
+"(2) Info: Missing optional field [EventResultDetails]"
+"(2) Info: Missing optional field [EventSubType]"
+"(2) Info: Missing optional field [ParentProcessCreationTime]"
+"(2) Info: Missing optional field [ParentProcessFileCompany]"
+"(2) Info: Missing optional field [ParentProcessFileDescription]"
+"(2) Info: Missing optional field [ParentProcessFileProduct]"
+"(2) Info: Missing optional field [ParentProcessFileVersion]"
+"(2) Info: Missing optional field [ParentProcessGuid]"
+"(2) Info: Missing optional field [ParentProcessIMPHASH]"
+"(2) Info: Missing optional field [ParentProcessInjectedAddress]"
+"(2) Info: Missing optional field [ParentProcessIntegrityLevel]"
+"(2) Info: Missing optional field [ParentProcessIsHidden]"
+"(2) Info: Missing optional field [ParentProcessSHA512]"
+"(2) Info: Missing optional field [ParentProcessTokenElevation]"
+"(2) Info: Missing optional field [TargetOriginalUserType]"
+"(2) Info: Missing optional field [TargetProcessCurrentDirectory]"
+"(2) Info: Missing optional field [TargetProcessFileCompany]"
+"(2) Info: Missing optional field [TargetProcessFileDescription]"
+"(2) Info: Missing optional field [TargetProcessFileInternalName]"
+"(2) Info: Missing optional field [TargetProcessFileOriginalName]"
+"(2) Info: Missing optional field [TargetProcessFileProduct]"
+"(2) Info: Missing optional field [TargetProcessFileSize]"
+"(2) Info: Missing optional field [TargetProcessFileVersion]"
+"(2) Info: Missing optional field [TargetProcessFilename]"
+"(2) Info: Missing optional field [TargetProcessGuid]"
+"(2) Info: Missing optional field [TargetProcessIMPHASH]"
+"(2) Info: Missing optional field [TargetProcessInjectedAddress]"
+"(2) Info: Missing optional field [TargetProcessIsHidden]"
+"(2) Info: Missing optional field [TargetProcessMD5]"
+"(2) Info: Missing optional field [TargetProcessSHA512]"
+"(2) Info: Missing optional field [TargetProcessStatusCode]"
+"(2) Info: Missing optional field [TargetProcessTokenElevation]"
+"(2) Info: Missing optional field [TargetScopeId]"
+"(2) Info: Missing optional field [TargetScope]"
+"(2) Info: Missing optional field [TargetUserAadId]"
+"(2) Info: Missing optional field [TargetUserSessionGuid]"
+"(2) Info: Missing optional field [TargetUserSessionId]"
+"(2) Info: Missing optional field [TargetUserSid]"
+"(2) Info: Missing optional field [TargetUserType]"
+"(2) Info: Missing optional field [TargetUserUpn]"
diff --git a/Parsers/ASimProcessEvent/test/SentinelOne_vimProcessCreate_DataTest.csv b/Parsers/ASimProcessEvent/test/SentinelOne_vimProcessCreate_DataTest.csv
new file mode 100644
index 00000000000..5d2a5911362
--- /dev/null
+++ b/Parsers/ASimProcessEvent/test/SentinelOne_vimProcessCreate_DataTest.csv
@@ -0,0 +1,20 @@
+Result
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 1625 records (32.22%) for field [DvcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:ProcessEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 5043 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:ProcessEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 5043 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:ProcessEvent)"
+"(1) Warning: Empty value in 2 records (0.04%) in mandatory field [TargetProcessName] (Schema:ProcessEvent)"
+"(1) Warning: Empty value in 6 records (0.12%) in mandatory field [TargetProcessCommandLine] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 140 records (2.78%) in optional field [ActingProcessCommandLine] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 140 records (2.78%) in optional field [ActingProcessName] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 194 records (3.85%) in optional field [ActingProcessGuid] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 3125 records (61.97%) in optional field [ParentProcessSHA1] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 469 records (9.3%) in optional field [ParentProcessName] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 4849 records (96.15%) in optional field [ActingProcessMD5] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 4849 records (96.15%) in optional field [ActingProcessSHA256] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 4850 records (96.17%) in optional field [ParentProcessMD5] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 4850 records (96.17%) in optional field [ParentProcessSHA256] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 5043 records (100.0%) in optional field [TargetProcessSHA1] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 5043 records (100.0%) in optional field [TargetProcessSHA256] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 5043 records (100.0%) in recommended field [EventUid] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 5043 records (100.0%) in recommended field [Hash] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 962 records (19.08%) in optional field [ActingProcessSHA1] (Schema:ProcessEvent)"
diff --git a/Parsers/ASimProcessEvent/test/SentinelOne_vimProcessCreate_SchemaTest.csv b/Parsers/ASimProcessEvent/test/SentinelOne_vimProcessCreate_SchemaTest.csv
new file mode 100644
index 00000000000..ff523a3ed7f
--- /dev/null
+++ b/Parsers/ASimProcessEvent/test/SentinelOne_vimProcessCreate_SchemaTest.csv
@@ -0,0 +1,85 @@
+Result
+"(1) Warning: Missing recommended field [ActorUserId]"
+"(1) Warning: Missing recommended field [DvcDomainType]"
+"(1) Warning: Missing recommended field [DvcDomain]"
+"(1) Warning: Missing recommended field [DvcIpAddr]"
+"(1) Warning: Missing recommended field [TargetUserId]"
+"(2) Info: Missing optional field [ActingProcessFileCompany]"
+"(2) Info: Missing optional field [ActingProcessFileDescription]"
+"(2) Info: Missing optional field [ActingProcessFileInternalName]"
+"(2) Info: Missing optional field [ActingProcessFileOriginalName]"
+"(2) Info: Missing optional field [ActingProcessFileProduct]"
+"(2) Info: Missing optional field [ActingProcessFileSize]"
+"(2) Info: Missing optional field [ActingProcessFileVersion]"
+"(2) Info: Missing optional field [ActingProcessFilename]"
+"(2) Info: Missing optional field [ActingProcessIMPHASH]"
+"(2) Info: Missing optional field [ActingProcessInjectedAddress]"
+"(2) Info: Missing optional field [ActingProcessIntegrityLevel]"
+"(2) Info: Missing optional field [ActingProcessIsHidden]"
+"(2) Info: Missing optional field [ActingProcessSHA512]"
+"(2) Info: Missing optional field [ActingProcessTokenElevation]"
+"(2) Info: Missing optional field [ActorOriginalUserType]"
+"(2) Info: Missing optional field [ActorScopeId]"
+"(2) Info: Missing optional field [ActorScope]"
+"(2) Info: Missing optional field [ActorSessionId]"
+"(2) Info: Missing optional field [ActorUserAadId]"
+"(2) Info: Missing optional field [ActorUserSid]"
+"(2) Info: Missing optional field [ActorUserType]"
+"(2) Info: Missing optional field [ActorUserUpn]"
+"(2) Info: Missing optional field [AdditionalFields]"
+"(2) Info: Missing optional field [DvcAction]"
+"(2) Info: Missing optional field [DvcDescription]"
+"(2) Info: Missing optional field [DvcFQDN]"
+"(2) Info: Missing optional field [DvcInterface]"
+"(2) Info: Missing optional field [DvcMacAddr]"
+"(2) Info: Missing optional field [DvcOriginalAction]"
+"(2) Info: Missing optional field [DvcScopeId]"
+"(2) Info: Missing optional field [DvcScope]"
+"(2) Info: Missing optional field [DvcZone]"
+"(2) Info: Missing optional field [EventMessage]"
+"(2) Info: Missing optional field [EventOriginalResultDetails]"
+"(2) Info: Missing optional field [EventOriginalSeverity]"
+"(2) Info: Missing optional field [EventOriginalSubType]"
+"(2) Info: Missing optional field [EventOwner]"
+"(2) Info: Missing optional field [EventProductVersion]"
+"(2) Info: Missing optional field [EventReportUrl]"
+"(2) Info: Missing optional field [EventResultDetails]"
+"(2) Info: Missing optional field [EventSubType]"
+"(2) Info: Missing optional field [ParentProcessCreationTime]"
+"(2) Info: Missing optional field [ParentProcessFileCompany]"
+"(2) Info: Missing optional field [ParentProcessFileDescription]"
+"(2) Info: Missing optional field [ParentProcessFileProduct]"
+"(2) Info: Missing optional field [ParentProcessFileVersion]"
+"(2) Info: Missing optional field [ParentProcessGuid]"
+"(2) Info: Missing optional field [ParentProcessIMPHASH]"
+"(2) Info: Missing optional field [ParentProcessInjectedAddress]"
+"(2) Info: Missing optional field [ParentProcessIntegrityLevel]"
+"(2) Info: Missing optional field [ParentProcessIsHidden]"
+"(2) Info: Missing optional field [ParentProcessSHA512]"
+"(2) Info: Missing optional field [ParentProcessTokenElevation]"
+"(2) Info: Missing optional field [TargetOriginalUserType]"
+"(2) Info: Missing optional field [TargetProcessCurrentDirectory]"
+"(2) Info: Missing optional field [TargetProcessFileCompany]"
+"(2) Info: Missing optional field [TargetProcessFileDescription]"
+"(2) Info: Missing optional field [TargetProcessFileInternalName]"
+"(2) Info: Missing optional field [TargetProcessFileOriginalName]"
+"(2) Info: Missing optional field [TargetProcessFileProduct]"
+"(2) Info: Missing optional field [TargetProcessFileSize]"
+"(2) Info: Missing optional field [TargetProcessFileVersion]"
+"(2) Info: Missing optional field [TargetProcessFilename]"
+"(2) Info: Missing optional field [TargetProcessGuid]"
+"(2) Info: Missing optional field [TargetProcessIMPHASH]"
+"(2) Info: Missing optional field [TargetProcessInjectedAddress]"
+"(2) Info: Missing optional field [TargetProcessIsHidden]"
+"(2) Info: Missing optional field [TargetProcessMD5]"
+"(2) Info: Missing optional field [TargetProcessSHA512]"
+"(2) Info: Missing optional field [TargetProcessStatusCode]"
+"(2) Info: Missing optional field [TargetProcessTokenElevation]"
+"(2) Info: Missing optional field [TargetScopeId]"
+"(2) Info: Missing optional field [TargetScope]"
+"(2) Info: Missing optional field [TargetUserAadId]"
+"(2) Info: Missing optional field [TargetUserSessionGuid]"
+"(2) Info: Missing optional field [TargetUserSessionId]"
+"(2) Info: Missing optional field [TargetUserSid]"
+"(2) Info: Missing optional field [TargetUserType]"
+"(2) Info: Missing optional field [TargetUserUpn]"
diff --git a/Sample Data/ASIM/SentinelOne_ASimFileEvent_IngestedLogs.csv b/Sample Data/ASIM/SentinelOne_ASimFileEvent_IngestedLogs.csv
new file mode 100644
index 00000000000..976eb23f6c8
--- /dev/null
+++ b/Sample Data/ASIM/SentinelOne_ASimFileEvent_IngestedLogs.csv
@@ -0,0 +1,17 @@ +TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,alertInfo_indicatorDescription_s,alertInfo_indicatorName_s,targetProcessInfo_tgtFileOldPath_s,alertInfo_indicatorCategory_s,alertInfo_registryOldValue_g,alertInfo_dstIp_s,alertInfo_dstPort_s,alertInfo_netEventDirection_s,alertInfo_srcIp_s,alertInfo_srcPort_s,containerInfo_id_s,targetProcessInfo_tgtFileId_g,alertInfo_registryOldValue_s,alertInfo_registryOldValueType_s,alertInfo_dnsRequest_s,alertInfo_dnsResponse_s,alertInfo_registryKeyPath_s,alertInfo_registryPath_s,alertInfo_registryValue_g,ruleInfo_description_s,alertInfo_registryValue_s,alertInfo_loginAccountDomain_s,alertInfo_loginAccountSid_s,alertInfo_loginIsAdministratorEquivalent_s,alertInfo_loginIsSuccessful_s,alertInfo_loginType_s,alertInfo_loginsUserName_s,alertInfo_srcMachineIp_s,targetProcessInfo_tgtProcCmdLine_s,targetProcessInfo_tgtProcImagePath_s,targetProcessInfo_tgtProcName_s,targetProcessInfo_tgtProcPid_s,targetProcessInfo_tgtProcSignedStatus_s,targetProcessInfo_tgtProcStorylineId_s,targetProcessInfo_tgtProcUid_s,sourceParentProcessInfo_storyline_g,sourceParentProcessInfo_uniqueId_g,sourceProcessInfo_storyline_g,sourceProcessInfo_uniqueId_g,targetProcessInfo_tgtProcStorylineId_g,targetProcessInfo_tgtProcUid_g,agentDetectionInfo_machineType_s,agentDetectionInfo_name_s,agentDetectionInfo_osFamily_s,agentDetectionInfo_osName_s,agentDetectionInfo_osRevision_s,agentDetectionInfo_uuid_g,agentDetectionInfo_version_s,agentRealtimeInfo_id_s,agentRealtimeInfo_infected_b,agentRealtimeInfo_isActive_b,agentRealtimeInfo_isDecommissioned_b,agentRealtimeInfo_machineType_s,agentRealtimeInfo_name_s,agentRealtimeInfo_os_s,agentRealtimeInfo_uuid_g,alertInfo_alertId_s,alertInfo_analystVerdict_s,alertInfo_createdAt_t [UTC],alertInfo_dvEventId_s,alertInfo_eventType_s,alertInfo_hitType_s,alertInfo_incidentStatus_s,alertInfo_isEdr_b,alertInfo_reportedAt_t [UTC],alertInfo_source_s,alertInfo_updatedAt_t 
[UTC],ruleInfo_id_s,ruleInfo_name_s,ruleInfo_queryLang_s,ruleInfo_queryType_s,ruleInfo_s1ql_s,ruleInfo_scopeLevel_s,ruleInfo_severity_s,ruleInfo_treatAsThreat_s,sourceParentProcessInfo_commandline_s,sourceParentProcessInfo_fileHashMd5_g,sourceParentProcessInfo_fileHashSha1_s,sourceParentProcessInfo_fileHashSha256_s,sourceParentProcessInfo_filePath_s,sourceParentProcessInfo_fileSignerIdentity_s,sourceParentProcessInfo_integrityLevel_s,sourceParentProcessInfo_name_s,sourceParentProcessInfo_pid_s,sourceParentProcessInfo_pidStarttime_t [UTC],sourceParentProcessInfo_storyline_s,sourceParentProcessInfo_subsystem_s,sourceParentProcessInfo_uniqueId_s,sourceParentProcessInfo_user_s,sourceProcessInfo_commandline_s,sourceProcessInfo_fileHashMd5_g,sourceProcessInfo_fileHashSha1_s,sourceProcessInfo_fileHashSha256_s,sourceProcessInfo_filePath_s,sourceProcessInfo_fileSignerIdentity_s,sourceProcessInfo_integrityLevel_s,sourceProcessInfo_name_s,sourceProcessInfo_pid_s,sourceProcessInfo_pidStarttime_t [UTC],sourceProcessInfo_storyline_s,sourceProcessInfo_subsystem_s,sourceProcessInfo_uniqueId_s,sourceProcessInfo_user_s,targetProcessInfo_tgtFileCreatedAt_t [UTC],targetProcessInfo_tgtFileHashSha1_s,targetProcessInfo_tgtFileHashSha256_s,targetProcessInfo_tgtFileId_s,targetProcessInfo_tgtFileIsSigned_s,targetProcessInfo_tgtFileModifiedAt_t [UTC],targetProcessInfo_tgtFilePath_s,targetProcessInfo_tgtProcIntegrityLevel_s,targetProcessInfo_tgtProcessStartTime_t 
[UTC],agentUpdatedVersion_s,agentId_s,hash_s,osFamily_s,threatId_s,creator_s,creatorId_s,inherits_b,isDefault_b,name_s,registrationToken_s,totalAgents_d,type_s,agentDetectionInfo_accountId_s,agentDetectionInfo_accountName_s,agentDetectionInfo_agentDetectionState_s,agentDetectionInfo_agentDomain_s,agentDetectionInfo_agentIpV4_s,agentDetectionInfo_agentIpV6_s,agentDetectionInfo_agentLastLoggedInUserName_s,agentDetectionInfo_agentMitigationMode_s,agentDetectionInfo_agentOsName_s,agentDetectionInfo_agentOsRevision_s,agentDetectionInfo_agentRegisteredAt_t [UTC],agentDetectionInfo_agentUuid_g,agentDetectionInfo_agentVersion_s,agentDetectionInfo_externalIp_s,agentDetectionInfo_groupId_s,agentDetectionInfo_groupName_s,agentDetectionInfo_siteId_s,agentDetectionInfo_siteName_s,agentRealtimeInfo_accountId_s,agentRealtimeInfo_accountName_s,agentRealtimeInfo_activeThreats_d,agentRealtimeInfo_agentComputerName_s,agentRealtimeInfo_agentDomain_s,agentRealtimeInfo_agentId_s,agentRealtimeInfo_agentInfected_b,agentRealtimeInfo_agentIsActive_b,agentRealtimeInfo_agentIsDecommissioned_b,agentRealtimeInfo_agentMachineType_s,agentRealtimeInfo_agentMitigationMode_s,agentRealtimeInfo_agentNetworkStatus_s,agentRealtimeInfo_agentOsName_s,agentRealtimeInfo_agentOsRevision_s,agentRealtimeInfo_agentOsType_s,agentRealtimeInfo_agentUuid_g,agentRealtimeInfo_agentVersion_s,agentRealtimeInfo_groupId_s,agentRealtimeInfo_groupName_s,agentRealtimeInfo_networkInterfaces_s,agentRealtimeInfo_operationalState_s,agentRealtimeInfo_rebootRequired_b,agentRealtimeInfo_scanFinishedAt_t [UTC],agentRealtimeInfo_scanStartedAt_t 
[UTC],agentRealtimeInfo_scanStatus_s,agentRealtimeInfo_siteId_s,agentRealtimeInfo_siteName_s,agentRealtimeInfo_userActionsNeeded_s,indicators_s,mitigationStatus_s,threatInfo_analystVerdict_s,threatInfo_analystVerdictDescription_s,threatInfo_automaticallyResolved_b,threatInfo_certificateId_s,threatInfo_classification_s,threatInfo_classificationSource_s,threatInfo_cloudFilesHashVerdict_s,threatInfo_collectionId_s,threatInfo_confidenceLevel_s,threatInfo_createdAt_t [UTC],threatInfo_detectionEngines_s,threatInfo_detectionType_s,threatInfo_engines_s,threatInfo_externalTicketExists_b,threatInfo_failedActions_b,threatInfo_fileExtension_s,threatInfo_fileExtensionType_s,threatInfo_filePath_s,threatInfo_fileSize_d,threatInfo_fileVerificationType_s,threatInfo_identifiedAt_t [UTC],threatInfo_incidentStatus_s,threatInfo_incidentStatusDescription_s,threatInfo_initiatedBy_s,threatInfo_initiatedByDescription_s,threatInfo_isFileless_b,threatInfo_isValidCertificate_b,threatInfo_mitigatedPreemptively_b,threatInfo_mitigationStatus_s,threatInfo_mitigationStatusDescription_s,threatInfo_originatorProcess_s,threatInfo_pendingActions_b,threatInfo_processUser_s,threatInfo_publisherName_s,threatInfo_reachedEventsLimit_b,threatInfo_rebootRequired_b,threatInfo_sha1_s,threatInfo_storyline_s,threatInfo_threatId_s,threatInfo_threatName_s,threatInfo_updatedAt_t [UTC],whiteningOptions_s,threatInfo_maliciousProcessArguments_s,threatInfo_fileExtension_g,threatInfo_threatName_g,threatInfo_storyline_g,accountId_s,accountName_s,activityType_d,activityUuid_g,createdAt_t [UTC],id_s,primaryDescription_s,secondaryDescription_s,siteId_s,siteName_s,updatedAt_t 
[UTC],userId_s,event_name_s,DataFields_s,description_s,comments_s,activeDirectory_computerMemberOf_s,activeDirectory_lastUserMemberOf_s,activeThreats_d,agentVersion_s,allowRemoteShell_b,appsVulnerabilityStatus_s,computerName_s,consoleMigrationStatus_s,coreCount_d,cpuCount_d,cpuId_s,detectionState_s,domain_s,encryptedApplications_b,externalId_s,externalIp_s,firewallEnabled_b,firstFullModeTime_t [UTC],fullDiskScanLastUpdatedAt_t [UTC],groupId_s,groupIp_s,groupName_s,inRemoteShellSession_b,infected_b,installerType_s,isActive_b,isDecommissioned_b,isPendingUninstall_b,isUninstalled_b,isUpToDate_b,lastActiveDate_t [UTC],lastIpToMgmt_s,lastLoggedInUserName_s,licenseKey_s,locationEnabled_b,locationType_s,locations_s,machineType_s,mitigationMode_s,mitigationModeSuspicious_s,modelName_s,networkInterfaces_s,networkQuarantineEnabled_b,networkStatus_s,operationalState_s,osArch_s,osName_s,osRevision_s,osStartTime_t [UTC],osType_s,rangerStatus_s,rangerVersion_s,registeredAt_t [UTC],remoteProfilingState_s,scanFinishedAt_t [UTC],scanStartedAt_t [UTC],scanStatus_s,serialNumber_s,showAlertIcon_b,tags_sentinelone_s,threatRebootRequired_b,totalMemory_d,userActionsNeeded_s,uuid_g,osUsername_s,scanAbortedAt_t [UTC],activeDirectory_computerDistinguishedName_s,activeDirectory_lastUserDistinguishedName_s,Type,_ResourceId +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 1:30:05.042 PM",,,,,/var/log/demisto/d1_Test2/d1.log,,,,,,,,,73a7707e-7bab-e79f-9c49-510c60321972,,,,,,,,,,,,,,,,,,,,,,,,727f2a7d-3997-199c-b5d9-e962c2389980,727f2a79-b96b-79ca-c3f2-3f8bf533b533,727f2ab1-dc50-82a1-cf98-4ad46daede5f,727f2ab1-681c-2167-fda1-df29915f20c9,,,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,false,true,false,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733340103401284845,Undefined,"7/20/2023, 1:17:11.900 
PM",01H5SQ4NMCXWHAQ5FDZVZD1DZD_21,FILERENAME,Events,Unresolved,true,"7/20/2023, 1:17:22.275 PM",STAR,"7/20/2023, 1:17:22.275 PM",1733331490875496472,File Activity,1.0,events,"EventType = ""File Creation"" OR EventType = ""File Deletion"" OR EventType = ""File Modification"" OR EventType = ""File Rename"" OR EventType = ""File Scan""",account,Low,UNDEFINED, /usr/lib/systemd/systemd --switched-root --system --deserialize 22,,d00e622d514a3351de5cede74496dd50c65fbabb,,/usr/lib/systemd/systemd,,unknown,systemd,1,"7/18/2023, 8:55:41.180 AM",,unknown,,, /usr/local/demisto/d1_Test2/d1,,f69e54850b3774d38769e4c401496f88c003d3c8,,/usr/local/demisto/d1_Test2/d1,,unknown,d1,1137,"7/18/2023, 8:56:10.270 AM",,unknown,,,"7/20/2023, 12:55:20.831 PM",,,,unsigned,"1/1/1970, 12:00:00.000 AM",/var/log/demisto/d1_Test2/d1-2023-07-20T13-16-51.917.log,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/27/2023, 6:50:07.211 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,DESKTOP-AB1CD,windows,Windows 11 Pro,22621,20ee9f81-027b-432f-b6c5-d549705f3419,23.1.2.400,1713023112770967412,true,true,false,laptop,DESKTOP-AB1CD,windows,20ee9f81-027b-432f-b6c5-d549705f3419,1738210213570412146,Undefined,"7/27/2023, 6:33:13.641 AM",01H6B0WXM7A30GV66B9RRTPAJK_413,FILEMODIFICATION,Events,Unresolved,true,"7/27/2023, 6:33:24.648 AM",STAR,"7/27/2023, 6:33:24.648 AM",1726010588144703192,Windows-KB2670838.msu.exe,1.0,events,"TgtFileSha1 = 
""ccb7898c509c3a1de96d2010d638f6a719f6f400""",account,Critical,Malicious,C:\Windows\system32\userinit.exe,8592ae60-a986-7d35-cb19-8309a342ce1a,3eb1d07db5a6c7912db39ba92928f04db00cc5c1,3c8c6bf586dc8be65789b1186f27ba8ab26d61ccaf51f2ac6a23eaba5126b0bb,C:\Windows\System32\userinit.exe,MICROSOFT WINDOWS,medium,userinit.exe,8884,"7/27/2023, 5:59:32.132 AM",2DED9BC6A067F7A0,sys_win32,2CED9BC6A067F7A0,DESKTOP-AB1CD\Crest,C:\Windows\Explorer.EXE,5c780589-4b39-ba7a-aa9c-53d013ae92c2,b4f089ec1627b1333078df2bafb3b4e9c77dcf88,e89840322edaf4a7855ab296bc298add055c6d6910edc6c93ac866eb264e74a3,C:\Windows\explorer.exe,MICROSOFT WINDOWS,medium,explorer.exe,9032,"7/27/2023, 5:59:32.209 AM",30ED9BC6A067F7A0,sys_win32,2FED9BC6A067F7A0,DESKTOP-AB1CD\Crest,"7/27/2023, 6:34:19.435 AM",ccb7898c509c3a1de96d2010d638f6a719f6f400,f91f02fd27ada64f36f6df59a611fef106ff7734833dea825d0612e73bdfb621,72A59CC6A067F7A0,unsigned,"7/27/2023, 6:34:19.435 AM",C:\Users\Crest\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Windows-KB2670838.msu.exe,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/27/2023, 6:50:07.211 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,DESKTOP-AB1CD,windows,Windows 11 Pro,22621,20ee9f81-027b-432f-b6c5-d549705f3419,23.1.2.400,1713023112770967412,true,true,false,laptop,DESKTOP-AB1CD,windows,20ee9f81-027b-432f-b6c5-d549705f3419,1738210225264132788,Undefined,"7/27/2023, 6:33:13.649 AM",01H6B0WXM7A30GV66B9RRTPAJK_519,FILECREATION,Events,Unresolved,true,"7/27/2023, 6:33:26.041 AM",STAR,"7/27/2023, 6:33:26.041 AM",1725975030124192555,CrimsonRAT.exe,1.0,events,"TgtFileSha1 = 
""ec0efbe8fd2fa5300164e9e4eded0d40da549c60""",account,Critical,Malicious,C:\Windows\system32\userinit.exe,8592ae60-a986-7d35-cb19-8309a342ce1a,3eb1d07db5a6c7912db39ba92928f04db00cc5c1,3c8c6bf586dc8be65789b1186f27ba8ab26d61ccaf51f2ac6a23eaba5126b0bb,C:\Windows\System32\userinit.exe,MICROSOFT WINDOWS,medium,userinit.exe,8884,"7/27/2023, 5:59:32.132 AM",2DED9BC6A067F7A0,sys_win32,2CED9BC6A067F7A0,DESKTOP-AB1CD\Crest,C:\Windows\Explorer.EXE,5c780589-4b39-ba7a-aa9c-53d013ae92c2,b4f089ec1627b1333078df2bafb3b4e9c77dcf88,e89840322edaf4a7855ab296bc298add055c6d6910edc6c93ac866eb264e74a3,C:\Windows\explorer.exe,MICROSOFT WINDOWS,medium,explorer.exe,9032,"7/27/2023, 5:59:32.209 AM",30ED9BC6A067F7A0,sys_win32,2FED9BC6A067F7A0,DESKTOP-AB1CD\Crest,"7/27/2023, 6:34:20.505 AM",ec0efbe8fd2fa5300164e9e4eded0d40da549c60,dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba,A9A59CC6A067F7A0,,"7/27/2023, 6:34:20.505 AM",C:\Users\Crest\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/27/2023, 6:50:07.211 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,DESKTOP-AB1CD,windows,Windows 11 Pro,22621,20ee9f81-027b-432f-b6c5-d549705f3419,23.1.2.400,1713023112770967412,true,true,false,laptop,DESKTOP-AB1CD,windows,20ee9f81-027b-432f-b6c5-d549705f3419,1738210244927031908,Undefined,"7/27/2023, 6:33:13.624 AM",01H6B0WXM7A30GV66B9RRTPAJK_67,FILECREATION,Events,Unresolved,true,"7/27/2023, 6:33:28.385 AM",STAR,"7/27/2023, 6:33:28.385 AM",1726067642318496051,Emotet.zip (,1.0,events,"TgtFileSha1 = 
""acb5bc4b83a7d383c161917d2de137fd6358aabd""",account,Critical,Malicious,C:\Windows\system32\userinit.exe,8592ae60-a986-7d35-cb19-8309a342ce1a,3eb1d07db5a6c7912db39ba92928f04db00cc5c1,3c8c6bf586dc8be65789b1186f27ba8ab26d61ccaf51f2ac6a23eaba5126b0bb,C:\Windows\System32\userinit.exe,MICROSOFT WINDOWS,medium,userinit.exe,8884,"7/27/2023, 5:59:32.132 AM",2DED9BC6A067F7A0,sys_win32,2CED9BC6A067F7A0,DESKTOP-AB1CD\Crest,C:\Windows\Explorer.EXE,5c780589-4b39-ba7a-aa9c-53d013ae92c2,b4f089ec1627b1333078df2bafb3b4e9c77dcf88,e89840322edaf4a7855ab296bc298add055c6d6910edc6c93ac866eb264e74a3,C:\Windows\explorer.exe,MICROSOFT WINDOWS,medium,explorer.exe,9032,"7/27/2023, 5:59:32.209 AM",30ED9BC6A067F7A0,sys_win32,2FED9BC6A067F7A0,DESKTOP-AB1CD\Crest,"7/27/2023, 6:34:17.094 AM",acb5bc4b83a7d383c161917d2de137fd6358aabd,f62125428644746f081ca587ffa9449513dd786d793e83003c1f9607ca741c89,B3A49CC6A067F7A0,,"7/27/2023, 6:34:17.094 AM",Anonymized Data,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/21/2023, 10:10:03.752 AM",,,,,/run/NetworkManager/resolv.conf.tmp,,,,,,,,,7365cb43-e8a5-6056-ad37-b8eb60de75a2,,,,,,,,,,,,,,,,,,,,,,,,73c80b06-1061-e164-bdde-acf15170e205,73c80b04-5237-eb0f-0727-54a158641580,73c80b24-6ec0-90ed-1d5c-19bda9503b05,73c80b24-0395-912e-2db7-d931a51e0955,,,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,false,true,false,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733963468448059912,Undefined,"7/21/2023, 9:55:35.864 AM",01H5VY0D3160GH2Y9EJRN156NV_63,FILERENAME,Events,Unresolved,true,"7/21/2023, 9:55:53.178 AM",STAR,"7/21/2023, 9:55:53.178 AM",1733175396878455794,File 
Activity Test,1.0,events,"EventType = ""File Creation"" OR EventType = ""File Deletion"" OR EventType = ""File Modification"" OR EventType = ""File Rename"" OR EventType = ""File Scan""",site,Low,UNDEFINED, /usr/lib/systemd/systemd --switched-root --system --deserialize 22,,d00e622d514a3351de5cede74496dd50c65fbabb,,/usr/lib/systemd/systemd,,unknown,systemd,1,"7/21/2023, 6:39:14.230 AM",,unknown,,, /usr/sbin/NetworkManager --no-daemon,,1cfe129a867e17e356ddc6d5036d8f031669844d,,/usr/sbin/NetworkManager,,unknown,NetworkManager,764,"7/21/2023, 6:39:40.910 AM",,unknown,,,"7/21/2023, 9:55:15.954 AM",,,,unsigned,"1/1/1970, 12:00:00.000 AM",/run/NetworkManager/resolv.conf,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/21/2023, 10:10:03.752 AM",,,,,/run/NetworkManager/resolv.conf.tmp,,,,,,,,,7365cb43-e8a5-6056-ad37-b8eb60de75a2,,,,,,,,,,,,,,,,,,,,,,,,73c80b06-1061-e164-bdde-acf15170e205,73c80b04-5237-eb0f-0727-54a158641580,73c80b24-6ec0-90ed-1d5c-19bda9503b05,73c80b24-0395-912e-2db7-d931a51e0955,,,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,false,true,false,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733963482071160962,Undefined,"7/21/2023, 9:55:35.865 AM",01H5VY0D3160GH2Y9EJRN156NV_63,FILERENAME,Events,Unresolved,true,"7/21/2023, 9:55:54.803 AM",STAR,"7/21/2023, 9:55:54.803 AM",1733331490875496472,File Activity,1.0,events,"EventType = ""File Creation"" OR EventType = ""File Deletion"" OR EventType = ""File Modification"" OR EventType = ""File Rename"" OR EventType = ""File Scan""",account,Low,UNDEFINED, /usr/lib/systemd/systemd --switched-root --system --deserialize 
22,,d00e622d514a3351de5cede74496dd50c65fbabb,,/usr/lib/systemd/systemd,,unknown,systemd,1,"7/21/2023, 6:39:14.230 AM",,unknown,,, /usr/sbin/NetworkManager --no-daemon,,1cfe129a867e17e356ddc6d5036d8f031669844d,,/usr/sbin/NetworkManager,,unknown,NetworkManager,764,"7/21/2023, 6:39:40.910 AM",,unknown,,,"7/21/2023, 9:55:15.954 AM",,,,unsigned,"1/1/1970, 12:00:00.000 AM",/run/NetworkManager/resolv.conf,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/21/2023, 6:00:15.610 AM",,,,,/var/lib/net-snmp/snmpd.conf,,,,,,,,,73bff444-0620-5aee-9e8c-0f5ea67bfefb,,,,,,,,,,,,,,,,,,,,,,,,727f2a7d-3997-199c-b5d9-e962c2389980,727f2a79-b96b-79ca-c3f2-3f8bf533b533,73bff5ea-3e85-27cf-caeb-92d05aaa3fe4,73bff73b-5235-2b64-bf6d-c204633f03e5,,,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,false,true,false,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733837854154317394,Undefined,"7/21/2023, 5:46:06.516 AM",01H5VFQJVC21222HX0VDG1D0KZ_57,FILERENAME,Events,Unresolved,true,"7/21/2023, 5:46:18.788 AM",STAR,"7/21/2023, 5:46:18.788 AM",1733331490875496472,File Activity,1.0,events,"EventType = ""File Creation"" OR EventType = ""File Deletion"" OR EventType = ""File Modification"" OR EventType = ""File Rename"" OR EventType = ""File Scan""",account,Low,UNDEFINED, /usr/lib/systemd/systemd --switched-root --system --deserialize 22,,d00e622d514a3351de5cede74496dd50c65fbabb,,/usr/lib/systemd/systemd,,unknown,systemd,1,"7/18/2023, 8:55:41.180 AM",,unknown,,, /usr/sbin/snmpd -LS0-6d -f,,f33063ea7de94571a4434561e1a25e98c5190513,,/usr/sbin/snmpd,,unknown,snmpd,59923,"7/21/2023, 5:45:09.970 
AM",,unknown,,,"7/21/2023, 5:44:55.045 AM",,,,unsigned,"1/1/1970, 12:00:00.000 AM",/var/lib/net-snmp/snmpd.0.conf,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:30:04.449 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO07,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,false,true,false,laptop,CLO07,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736752240802854154,Undefined,"7/25/2023, 6:16:26.266 AM",01H65V20HBQGX37555XC4A34RQ_222,FILEMODIFICATION,Events,Unresolved,true,"7/25/2023, 6:16:40.750 AM",STAR,"7/25/2023, 6:16:40.750 AM",1736743171400115521,CWL547,1.0,events,"EndpointName = ""CLO07""",account,Medium,UNDEFINED,"""C:\Windows\uus\AMD64\wuaucltcore.exe"" /DeploymentHandlerFullPath \\?\C:\Windows\UUS\AMD64\UpdateDeploy.dll /ClassId a6a6d102-c473-4702-bc7f-3e1e37137816 /RunHandlerComServer",2d56afae-0889-13ee-6eba-53cfc5b32f01,fd6f764c7308d5fd33afbc1d0fc44616976dc7ad,26626c962f11296b599166c0ba57ce0919909c316531425a542874838516392d,C:\Windows\UUS\amd64\wuaucltcore.exe,MICROSOFT WINDOWS,system,wuaucltcore.exe,8616,"7/25/2023, 6:15:48.228 AM",26D712F580778F51,sys_win32,25D712F580778F51,NT AUTHORITY\SYSTEM,"""C:\Windows\SoftwareDistribution\Download\Install\UpdatePlatform.amd64fre.exe""",dbacc2da-d34e-574b-da86-f4c54cd709a5,aa7e29ece94fbaacd94a7f34896b3f9671a18d18,6985f93749efde6ec7e228f87d0b14a4f61aecd04ba7889a5a25a2ae7244b775,C:\Windows\SoftwareDistribution\Download\Install\UpdatePlatform.amd64fre.exe,MICROSOFT WINDOWS PUBLISHER,system,UpdatePlatform.amd64fre.exe,15544,"7/25/2023, 6:15:48.825 AM",26D712F580778F51,sys_win32,28D712F580778F51,NT AUTHORITY\SYSTEM,"7/21/2185, 11:34:33.709 
PM",a6fcade03347ac64bdefabe64e25cebdbefe3498,b48cd4860107c7b5ad8fa80cb78b67dfff63796e99a237c4405660f9235e4de6,5CD812F580778F51,,"7/21/2185, 11:34:33.709 PM",C:\Windows\SystemTemp\CDF02ABE-F59C-4A41-AC3F-F104625D635E\Powershell\MSFT_MpPerformanceRecording.psm1,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:30:04.449 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO07,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,false,true,false,laptop,CLO07,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736752270305590149,Undefined,"7/25/2023, 6:16:26.308 AM",01H65V20HBQGX37555XC4A34RQ_431,FILEMODIFICATION,Events,Unresolved,true,"7/25/2023, 6:16:44.267 AM",STAR,"7/25/2023, 6:16:44.267 AM",1736743171400115521,CWL547,1.0,events,"EndpointName = ""CLO07""",account,Medium,UNDEFINED,"""C:\Windows\SoftwareDistribution\Download\Install\UpdatePlatform.amd64fre.exe""",dbacc2da-d34e-574b-da86-f4c54cd709a5,aa7e29ece94fbaacd94a7f34896b3f9671a18d18,6985f93749efde6ec7e228f87d0b14a4f61aecd04ba7889a5a25a2ae7244b775,C:\Windows\SoftwareDistribution\Download\Install\UpdatePlatform.amd64fre.exe,MICROSOFT WINDOWS PUBLISHER,system,UpdatePlatform.amd64fre.exe,15544,"7/25/2023, 6:15:48.825 AM",26D712F580778F51,sys_win32,28D712F580778F51,NT AUTHORITY\SYSTEM,C:\Windows\SystemTemp\CDF02ABE-F59C-4A41-AC3F-F104625D635E\MpSigStub.exe /stub 1.1.20300.1 /payload 4.18.23050.9 /program 
C:\Windows\SoftwareDistribution\Download\Install\UpdatePlatform.amd64fre.exe,d00d22fc-9d25-6ead-476f-0afd7e69ddae,a7e6f93498811cdfe189b3e036d864735fbf91e4,03410cb89092b20188e30aae345a92ab1efa4f21b5229e3b1a7c57b424e976f0,C:\Windows\SystemTemp\CDF02ABE-F59C-4A41-AC3F-F104625D635E\MpSigStub.exe,MICROSOFT CORPORATION,system,MpSigStub.exe,16296,"7/25/2023, 6:15:50.959 AM",26D712F580778F51,sys_win32,64D812F580778F51,NT AUTHORITY\SYSTEM,"7/21/2185, 11:34:33.709 PM",aec3290fd5e3bd7e2502cc845f18265f813eb870,159e76a4a4077222b3c201f07401f3f97b293738511e0fd97b2ce18536de461b,ABD912F580778F51,signed,"7/21/2185, 11:34:33.709 PM",C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23050.9-0\mpextms.exe,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:30:04.449 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO07,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,false,true,false,laptop,CLO07,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736752758036066424,Undefined,"7/25/2023, 6:17:24.096 AM",01H65V3V1DZ8YA39PZ5EWX1NJ3_41,FILEDELETION,Events,Unresolved,true,"7/25/2023, 6:17:42.409 AM",STAR,"7/25/2023, 6:17:42.409 AM",1736743171400115521,CWL547,1.0,events,"EndpointName = ""CLO07""",account,Medium,UNDEFINED,"""C:\Windows\SystemTemp\mpam-db6b0d9f.exe"" /q WD",ffc35934-b31a-0d62-eeb0-8f8aa40b5982,1013c718063b124fb306b245c183ed094430d374,3a79ba90f0acef5f3fbfc0b654381eef938acbea0814ed1e375f9cdbccf63e78,C:\Windows\SystemTemp\mpam-db6b0d9f.exe,MICROSOFT CORPORATION,system,mpam-db6b0d9f.exe,16380,"7/25/2023, 6:16:33.761 AM",F83C0EF580778F51,sys_win32,65DA12F580778F51,NT 
AUTHORITY\SYSTEM,C:\Windows\SystemTemp\E0D919E5-665D-4048-8C24-3DEF4B640D1E\MpSigStub.exe /stub 1.1.23060.3001 /payload 1.393.1315.0 /program C:\Windows\SystemTemp\mpam-db6b0d9f.exe /q WD,8b6eac30-eab7-9e24-df5e-43d8bec9e243,5ce942034143949709b779de297bbb355102e050,dbb282f630dc503b55b37da93abc67212795beb046335f1166a935ce07b16086,C:\Windows\SystemTemp\E0D919E5-665D-4048-8C24-3DEF4B640D1E\MpSigStub.exe,MICROSOFT CORPORATION,system,MpSigStub.exe,12528,"7/25/2023, 6:16:34.479 AM",F83C0EF580778F51,sys_win32,6ADA12F580778F51,NT AUTHORITY\SYSTEM,"7/21/2185, 11:34:33.709 PM",acd087a51035cafe4a68181deede8ae260ea92ca,a8e1aeb9c2684628125c0aef8fdcbe4e6894c3842f59c4eeee7bb12e9e1fa944,CC4B0EF580778F51,,"7/21/2185, 11:34:33.709 PM",C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B7471214-A63A-4C99-B4C3-17663864BCB8}\mpengine.dll,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:30:04.449 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO07,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,false,true,false,laptop,CLO07,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736752762683355536,Undefined,"7/25/2023, 6:17:24.098 AM",01H65V3V1DZ8YA39PZ5EWX1NJ3_51,FILEDELETION,Events,Unresolved,true,"7/25/2023, 6:17:42.962 AM",STAR,"7/25/2023, 6:17:42.962 AM",1736743171400115521,CWL547,1.0,events,"EndpointName = ""CLO07""",account,Medium,UNDEFINED,"""C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23050.5-0\MpCmdRun.exe"" SignatureUpdate -ScheduleJob 
-RestrictPrivileges",94e52781-2df3-b448-e18f-5cb7b38e0216,808c44d9accddd45b0c86ffe8acc533dda1c07ff,b370f2d32704cd1bdea8f1836f68a3af72cb9385eb8719dd84be9a6b3018d17a,C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23050.5-0\MpCmdRun.exe,MICROSOFT WINDOWS,system,MpCmdRun.exe,17220,"7/25/2023, 6:05:35.311 AM",F83C0EF580778F51,sys_win32,25D612F580778F51,NT AUTHORITY\SYSTEM,"""C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23050.9-0\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob -HttpDownload -RestrictPrivileges",86dc797f-060f-9739-842e-13b668079be2,b95ff405a0dd527fd8ffa8916b26108692ac28da,a43bf3d7f0991a3aac1bc93e7f7ea49e21737b3915367b9d12a3d27702212704,C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23050.9-0\MpCmdRun.exe,MICROSOFT WINDOWS,system,MpCmdRun.exe,13172,"7/25/2023, 6:16:29.189 AM",F83C0EF580778F51,sys_win32,4ADA12F580778F51,NT AUTHORITY\SYSTEM,"7/25/2023, 6:16:29.323 AM",1013c718063b124fb306b245c183ed094430d374,3a79ba90f0acef5f3fbfc0b654381eef938acbea0814ed1e375f9cdbccf63e78,4CDA12F580778F51,signed,"7/25/2023, 6:16:29.323 AM",C:\Windows\SystemTemp\mpam-db6b0d9f.exe,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:30:04.449 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO07,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,false,true,false,laptop,CLO07,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736752765501927943,Undefined,"7/25/2023, 6:17:24.098 AM",01H65V3V1DZ8YA39PZ5EWX1NJ3_48,FILEDELETION,Events,Unresolved,true,"7/25/2023, 6:17:43.299 AM",STAR,"7/25/2023, 6:17:43.299 AM",1736743171400115521,CWL547,1.0,events,"EndpointName = 
""CLO07""",account,Medium,UNDEFINED,"""C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23050.9-0\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob -HttpDownload -RestrictPrivileges",86dc797f-060f-9739-842e-13b668079be2,b95ff405a0dd527fd8ffa8916b26108692ac28da,a43bf3d7f0991a3aac1bc93e7f7ea49e21737b3915367b9d12a3d27702212704,C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23050.9-0\MpCmdRun.exe,MICROSOFT WINDOWS,system,MpCmdRun.exe,13172,"7/25/2023, 6:16:29.189 AM",F83C0EF580778F51,sys_win32,4ADA12F580778F51,NT AUTHORITY\SYSTEM,"""C:\Windows\SystemTemp\mpam-db6b0d9f.exe"" /q WD",ffc35934-b31a-0d62-eeb0-8f8aa40b5982,1013c718063b124fb306b245c183ed094430d374,3a79ba90f0acef5f3fbfc0b654381eef938acbea0814ed1e375f9cdbccf63e78,C:\Windows\SystemTemp\mpam-db6b0d9f.exe,MICROSOFT CORPORATION,system,mpam-db6b0d9f.exe,16380,"7/25/2023, 6:16:33.761 AM",F83C0EF580778F51,sys_win32,65DA12F580778F51,NT AUTHORITY\SYSTEM,"7/25/2023, 6:16:34.290 AM",5f1403aeba45dbc96d89c4dd16b2b02c1acd3b58,24e14fd2287f14dc27336fa4bb0edf77823f8a63979f76c1b754f1a958ed17d9,69DA12F580778F51,signed,"7/25/2023, 6:16:34.291 AM",C:\Windows\SystemTemp\E0D919E5-665D-4048-8C24-3DEF4B640D1E\mpavdlta.vdm,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/26/2023, 5:10:04.255 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO07,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,false,true,true,laptop,CLO07,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1737433999490006774,Undefined,"7/26/2023, 4:50:56.094 AM",01H688J6CXA4PKEDVB5RE122AT_35,FILEDELETION,Events,Unresolved,true,"7/26/2023, 4:51:12.719 AM",STAR,"7/26/2023, 4:51:12.719 
AM",1736743171400115521,CWL547,1.0,events,"EndpointName = ""CLO07""",account,Medium,UNDEFINED,Anonymized Data,c574c38d-9c6c-b239-6115-ee765103ccf9,1d136ade3825e5995863522a3893c7cd03576aa8,4c874b8ff8493be0f3fd9363fb7bb59e7b36ff6b98d37e9bb5c42158ed5f867b,C:\Program Files\LibreOffice\program\soffice.exe,THE DOCUMENT FOUNDATION,medium,soffice.exe,16528,"7/26/2023, 4:49:56.421 AM",840614F580778F51,sys_win32,830614F580778F51,CLO07\Crest,Anonymized Data,ad6bf6b4-a972-64fd-c147-e01208cef496,0d6bd79e1270fcca6d6281ae85c45641b98ac330,f32600df28791670ebc171516bce954c6a7dfb3068eb163cebf86f5137700c2c,C:\Program Files\LibreOffice\program\soffice.bin,THE DOCUMENT FOUNDATION,medium,soffice.bin,11392,"7/26/2023, 4:49:56.456 AM",860614F580778F51,sys_win32,850614F580778F51,CLO07\Crest,"7/26/2023, 4:49:57.276 AM",356a192b7913b04c54574d18c28d46e6395428ab,6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b,8A0614F580778F51,,"7/26/2023, 4:49:57.276 AM",C:\Users\Crest\AppData\Roaming\LibreOffice\4\user\extensions\tmp\stamp.sys,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/26/2023, 5:10:04.255 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO07,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,false,true,true,laptop,CLO07,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1737434458179132195,Undefined,"7/26/2023, 4:51:56.257 AM",01H688M11R9VGSZ6SCGEF72BC8_307,FILEMODIFICATION,Events,Unresolved,true,"7/26/2023, 4:52:07.399 AM",STAR,"7/26/2023, 4:52:07.399 AM",1736743171400115521,CWL547,1.0,events,"EndpointName = 
""CLO07""",account,Medium,UNDEFINED,C:\Windows\Explorer.EXE,357b678c-68d3-d5ee-86e1-b706fbfd994b,a4e4e2bc502e4ab249b219da357d1aad163ab175,8375581b32e510a1ddf90b1ff8ffb8a756d71e1d5572b1c7c027e9b7393ccd3b,C:\Windows\explorer.exe,MICROSOFT WINDOWS,medium,explorer.exe,2184,"7/26/2023, 4:43:13.069 AM",20EC12F580778F51,sys_win32,1FEC12F580778F51,CLO07\Crest,"C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding",357b678c-68d3-d5ee-86e1-b706fbfd994b,a4e4e2bc502e4ab249b219da357d1aad163ab175,8375581b32e510a1ddf90b1ff8ffb8a756d71e1d5572b1c7c027e9b7393ccd3b,C:\Windows\explorer.exe,MICROSOFT WINDOWS,medium,explorer.exe,3752,"7/26/2023, 4:51:18.156 AM",240814F580778F51,sys_win32,230814F580778F51,CLO07\Crest,"7/26/2023, 4:51:40.873 AM",e6b4c40c98eb9023ad522ef8664f6a8256c65a64,a36ba35cf5b5386e7c76e5b9673b999c7bf4e2a30e6408b85102aa61f3be4523,7A0814F580778F51,signed,"7/26/2023, 4:51:40.874 AM",C:\Windows\Installer\MSI62BC.tmp,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/26/2023, 5:10:04.255 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO07,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,false,true,true,laptop,CLO07,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1737436495713459493,Undefined,"7/26/2023, 4:55:56.747 AM",01H688VBDBEK7BMHE6RB25DPQ7_41,FILEMODIFICATION,Events,Unresolved,true,"7/26/2023, 4:56:10.292 AM",STAR,"7/26/2023, 4:56:10.292 AM",1736743171400115521,CWL547,1.0,events,"EndpointName = ""CLO07""",account,Medium,UNDEFINED,"C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} 
-Embedding",357b678c-68d3-d5ee-86e1-b706fbfd994b,a4e4e2bc502e4ab249b219da357d1aad163ab175,8375581b32e510a1ddf90b1ff8ffb8a756d71e1d5572b1c7c027e9b7393ccd3b,C:\Windows\explorer.exe,MICROSOFT WINDOWS,medium,explorer.exe,3752,"7/26/2023, 4:51:18.156 AM",240814F580778F51,sys_win32,230814F580778F51,CLO07\Crest,C:\Windows\System32\MsiExec.exe -Embedding A970964D09FC76D0369C3F0735F8F6CB A,302be4b7-434e-6797-6902-9c8570825cc0,f3d7fee4ced78e37f49ce4e38ac681f07bca6ae0,5a31ea6a517a065166fafa01a0ac6a350d0e2dcba1b6dd4fdb41ae59109568e1,C:\Windows\System32\msiexec.exe,MICROSOFT WINDOWS,high,msiexec.exe,1524,"7/26/2023, 4:54:54.008 AM",3F0C14F580778F51,sys_win32,3E0C14F580778F51,CLO07\Crest,"7/21/2185, 11:34:33.709 PM",b85d02ba0e8de4aeded1a2f5679505cd403bd201,f6fb39a8578f19616570d5a3dc7212c84a9da232b30a03376bbf08f4264fedf2,480C14F580778F51,signed,"7/21/2185, 11:34:33.709 PM",C:\Users\Crest\AppData\Local\Temp\sen617C.tmp,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/26/2023, 5:00:31.604 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO07,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,false,true,true,laptop,CLO07,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1737430320011352678,Undefined,"7/26/2023, 4:43:33.000 AM",01H6884MR8FZHK9TYD68PC12V2_59,FILEDELETION,Events,Unresolved,true,"7/26/2023, 4:43:54.090 AM",STAR,"7/26/2023, 4:43:54.090 AM",1736743171400115521,CWL547,1.0,events,"EndpointName = ""CLO07""",account,Medium,UNDEFINED,"""C:\Program Files\WindowsApps\MicrosoftTeams_23119.303.2080.2726_x64__8wekyb3d8bbwe\msteams.exe"" 
ms-teams:system-initiated",1626f236-c0dc-28d5-92a1-0a359ebe3460,0fc1714b93869441cba7d44368ec411bac434e68,8cca5e46f6e9dfe566795c4e76aae4d44de8885f43bed759ef6bcad2516ac285,C:\Program Files\WindowsApps\MicrosoftTeams_23119.303.2080.2726_x64__8wekyb3d8bbwe\msteams.exe,MICROSOFT CORPORATION,medium,msteams.exe,12792,"7/25/2023, 5:42:29.630 AM",38BD12F580778F51,sys_win32,3EBD12F580778F51,CLO07\Crest,"""C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.82\msedgewebview2.exe"" --embedded-browser-webview=1 --webview-exe-name=msteams.exe --webview-exe-version=23119.303.2080.2726 --user-data-dir=""C:\Users\Crest\AppData\Local\Packages\MicrosoftTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView"" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --edge-webview-custom-scheme --disable-features=MojoIpcz,msWebOOUI --edge-webview-is-background --enable-features=msSingleSignOnOSForPrimaryAccountIsShared,msEdgeFluentOverlayScrollbar,msWebView2CodeCache,msWebView2EnableDraggableRegions --mojo-named-platform-channel-pipe=12792.17304.14378710367050045082 /pfhostedapp:e7e952ed836442a682dca713cb7c4d91d21a087a",0f259745-8e7a-c81b-049d-45ef5b291246,bbd88a2a41c94d4140ccaef71bfb771e0ccc5c32,0ce0ef234aba4bf60f1c48a058ce764d52e91078e95312de4db4b0911f4cc7d4,C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.82\msedgewebview2.exe,MICROSOFT CORPORATION,medium,msedgewebview2.exe,3316,"7/25/2023, 5:42:30.143 AM",38BD12F580778F51,sys_win32,48BD12F580778F51,CLO07\Crest,"7/25/2023, 5:42:30.637 AM",,,81BD12F580778F51,,"7/25/2023, 5:43:42.536 AM",C:\Users\Crest\AppData\Local\Temp\48d577fd-6e2f-441b-af70-03ea7c1fe9b5.tmp,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, \ No newline at end of file 
diff --git a/Sample Data/ASIM/SentinelOne_CL_Schema.csv b/Sample Data/ASIM/SentinelOne_CL_Schema.csv
new file mode 100644
index 00000000000..7432410acb8
--- /dev/null
+++ b/Sample Data/ASIM/SentinelOne_CL_Schema.csv
@@ -0,0 +1,313 @@
+ColumnName,ColumnOrdinal,DataType,ColumnType
+TenantId,0,"System.String",string
+SourceSystem,1,"System.String",string
+MG,2,"System.String",string
+ManagementGroupName,3,"System.String",string
+TimeGenerated,4,"System.DateTime",datetime
+Computer,5,"System.String",string
+RawData,6,"System.String",string
+"alertInfo_indicatorDescription_s",7,"System.String",string
+"alertInfo_indicatorName_s",8,"System.String",string
+"targetProcessInfo_tgtFileOldPath_s",9,"System.String",string
+"alertInfo_indicatorCategory_s",10,"System.String",string
+"alertInfo_registryOldValue_g",11,"System.String",string
+"alertInfo_dstIp_s",12,"System.String",string
+"alertInfo_dstPort_s",13,"System.String",string
+"alertInfo_netEventDirection_s",14,"System.String",string
+"alertInfo_srcIp_s",15,"System.String",string
+"alertInfo_srcPort_s",16,"System.String",string
+"containerInfo_id_s",17,"System.String",string
+"targetProcessInfo_tgtFileId_g",18,"System.String",string
+"alertInfo_registryOldValue_s",19,"System.String",string
+"alertInfo_registryOldValueType_s",20,"System.String",string
+"alertInfo_dnsRequest_s",21,"System.String",string
+"alertInfo_dnsResponse_s",22,"System.String",string
+"alertInfo_registryKeyPath_s",23,"System.String",string
+"alertInfo_registryPath_s",24,"System.String",string
+"alertInfo_registryValue_g",25,"System.String",string
+"ruleInfo_description_s",26,"System.String",string
+"alertInfo_registryValue_s",27,"System.String",string
+"alertInfo_loginAccountDomain_s",28,"System.String",string
+"alertInfo_loginAccountSid_s",29,"System.String",string
+"alertInfo_loginIsAdministratorEquivalent_s",30,"System.String",string
+"alertInfo_loginIsSuccessful_s",31,"System.String",string
+"alertInfo_loginType_s",32,"System.String",string
+"alertInfo_loginsUserName_s",33,"System.String",string
+"alertInfo_srcMachineIp_s",34,"System.String",string
+"targetProcessInfo_tgtProcCmdLine_s",35,"System.String",string
+"targetProcessInfo_tgtProcImagePath_s",36,"System.String",string
+"targetProcessInfo_tgtProcName_s",37,"System.String",string
+"targetProcessInfo_tgtProcPid_s",38,"System.String",string
+"targetProcessInfo_tgtProcSignedStatus_s",39,"System.String",string
+"targetProcessInfo_tgtProcStorylineId_s",40,"System.String",string
+"targetProcessInfo_tgtProcUid_s",41,"System.String",string
+"sourceParentProcessInfo_storyline_g",42,"System.String",string
+"sourceParentProcessInfo_uniqueId_g",43,"System.String",string
+"sourceProcessInfo_storyline_g",44,"System.String",string
+"sourceProcessInfo_uniqueId_g",45,"System.String",string
+"targetProcessInfo_tgtProcStorylineId_g",46,"System.String",string
+"targetProcessInfo_tgtProcUid_g",47,"System.String",string
+"agentDetectionInfo_machineType_s",48,"System.String",string
+"agentDetectionInfo_name_s",49,"System.String",string
+"agentDetectionInfo_osFamily_s",50,"System.String",string
+"agentDetectionInfo_osName_s",51,"System.String",string
+"agentDetectionInfo_osRevision_s",52,"System.String",string
+"agentDetectionInfo_uuid_g",53,"System.String",string
+"agentDetectionInfo_version_s",54,"System.String",string
+"agentRealtimeInfo_id_s",55,"System.String",string
+"agentRealtimeInfo_infected_b",56,"System.SByte",bool
+"agentRealtimeInfo_isActive_b",57,"System.SByte",bool
+"agentRealtimeInfo_isDecommissioned_b",58,"System.SByte",bool
+"agentRealtimeInfo_machineType_s",59,"System.String",string
+"agentRealtimeInfo_name_s",60,"System.String",string
+"agentRealtimeInfo_os_s",61,"System.String",string
+"agentRealtimeInfo_uuid_g",62,"System.String",string
+"alertInfo_alertId_s",63,"System.String",string
+"alertInfo_analystVerdict_s",64,"System.String",string
+"alertInfo_createdAt_t",65,"System.DateTime",datetime
+"alertInfo_dvEventId_s",66,"System.String",string
+"alertInfo_eventType_s",67,"System.String",string
+"alertInfo_hitType_s",68,"System.String",string
+"alertInfo_incidentStatus_s",69,"System.String",string
+"alertInfo_isEdr_b",70,"System.SByte",bool
+"alertInfo_reportedAt_t",71,"System.DateTime",datetime
+"alertInfo_source_s",72,"System.String",string
+"alertInfo_updatedAt_t",73,"System.DateTime",datetime
+"ruleInfo_id_s",74,"System.String",string
+"ruleInfo_name_s",75,"System.String",string
+"ruleInfo_queryLang_s",76,"System.String",string
+"ruleInfo_queryType_s",77,"System.String",string
+"ruleInfo_s1ql_s",78,"System.String",string
+"ruleInfo_scopeLevel_s",79,"System.String",string
+"ruleInfo_severity_s",80,"System.String",string
+"ruleInfo_treatAsThreat_s",81,"System.String",string
+"sourceParentProcessInfo_commandline_s",82,"System.String",string
+"sourceParentProcessInfo_fileHashMd5_g",83,"System.String",string
+"sourceParentProcessInfo_fileHashSha1_s",84,"System.String",string
+"sourceParentProcessInfo_fileHashSha256_s",85,"System.String",string
+"sourceParentProcessInfo_filePath_s",86,"System.String",string
+"sourceParentProcessInfo_fileSignerIdentity_s",87,"System.String",string
+"sourceParentProcessInfo_integrityLevel_s",88,"System.String",string
+"sourceParentProcessInfo_name_s",89,"System.String",string
+"sourceParentProcessInfo_pid_s",90,"System.String",string
+"sourceParentProcessInfo_pidStarttime_t",91,"System.DateTime",datetime
+"sourceParentProcessInfo_storyline_s",92,"System.String",string
+"sourceParentProcessInfo_subsystem_s",93,"System.String",string
+"sourceParentProcessInfo_uniqueId_s",94,"System.String",string
+"sourceParentProcessInfo_user_s",95,"System.String",string
+"sourceProcessInfo_commandline_s",96,"System.String",string
+"sourceProcessInfo_fileHashMd5_g",97,"System.String",string
+"sourceProcessInfo_fileHashSha1_s",98,"System.String",string
+"sourceProcessInfo_fileHashSha256_s",99,"System.String",string
+"sourceProcessInfo_filePath_s",100,"System.String",string
+"sourceProcessInfo_fileSignerIdentity_s",101,"System.String",string
+"sourceProcessInfo_integrityLevel_s",102,"System.String",string
+"sourceProcessInfo_name_s",103,"System.String",string
+"sourceProcessInfo_pid_s",104,"System.String",string
+"sourceProcessInfo_pidStarttime_t",105,"System.DateTime",datetime
+"sourceProcessInfo_storyline_s",106,"System.String",string
+"sourceProcessInfo_subsystem_s",107,"System.String",string
+"sourceProcessInfo_uniqueId_s",108,"System.String",string
+"sourceProcessInfo_user_s",109,"System.String",string
+"targetProcessInfo_tgtFileCreatedAt_t",110,"System.DateTime",datetime
+"targetProcessInfo_tgtFileHashSha1_s",111,"System.String",string
+"targetProcessInfo_tgtFileHashSha256_s",112,"System.String",string
+"targetProcessInfo_tgtFileId_s",113,"System.String",string
+"targetProcessInfo_tgtFileIsSigned_s",114,"System.String",string
+"targetProcessInfo_tgtFileModifiedAt_t",115,"System.DateTime",datetime
+"targetProcessInfo_tgtFilePath_s",116,"System.String",string
+"targetProcessInfo_tgtProcIntegrityLevel_s",117,"System.String",string
+"targetProcessInfo_tgtProcessStartTime_t",118,"System.DateTime",datetime
+"agentUpdatedVersion_s",119,"System.String",string
+"agentId_s",120,"System.String",string
+"hash_s",121,"System.String",string
+"osFamily_s",122,"System.String",string
+"threatId_s",123,"System.String",string
+"creator_s",124,"System.String",string
+"creatorId_s",125,"System.String",string
+"inherits_b",126,"System.SByte",bool
+"isDefault_b",127,"System.SByte",bool
+"name_s",128,"System.String",string
+"registrationToken_s",129,"System.String",string
+"totalAgents_d",130,"System.Double",real
+"type_s",131,"System.String",string
+"agentDetectionInfo_accountId_s",132,"System.String",string
+"agentDetectionInfo_accountName_s",133,"System.String",string
+"agentDetectionInfo_agentDetectionState_s",134,"System.String",string
+"agentDetectionInfo_agentDomain_s",135,"System.String",string
+"agentDetectionInfo_agentIpV4_s",136,"System.String",string
+"agentDetectionInfo_agentIpV6_s",137,"System.String",string
+"agentDetectionInfo_agentLastLoggedInUserName_s",138,"System.String",string
+"agentDetectionInfo_agentMitigationMode_s",139,"System.String",string
+"agentDetectionInfo_agentOsName_s",140,"System.String",string
+"agentDetectionInfo_agentOsRevision_s",141,"System.String",string
+"agentDetectionInfo_agentRegisteredAt_t",142,"System.DateTime",datetime
+"agentDetectionInfo_agentUuid_g",143,"System.String",string
+"agentDetectionInfo_agentVersion_s",144,"System.String",string
+"agentDetectionInfo_externalIp_s",145,"System.String",string
+"agentDetectionInfo_groupId_s",146,"System.String",string
+"agentDetectionInfo_groupName_s",147,"System.String",string
+"agentDetectionInfo_siteId_s",148,"System.String",string
+"agentDetectionInfo_siteName_s",149,"System.String",string
+"agentRealtimeInfo_accountId_s",150,"System.String",string
+"agentRealtimeInfo_accountName_s",151,"System.String",string
+"agentRealtimeInfo_activeThreats_d",152,"System.Double",real
+"agentRealtimeInfo_agentComputerName_s",153,"System.String",string
+"agentRealtimeInfo_agentDomain_s",154,"System.String",string
+"agentRealtimeInfo_agentId_s",155,"System.String",string
+"agentRealtimeInfo_agentInfected_b",156,"System.SByte",bool
+"agentRealtimeInfo_agentIsActive_b",157,"System.SByte",bool
+"agentRealtimeInfo_agentIsDecommissioned_b",158,"System.SByte",bool
+"agentRealtimeInfo_agentMachineType_s",159,"System.String",string
+"agentRealtimeInfo_agentMitigationMode_s",160,"System.String",string
+"agentRealtimeInfo_agentNetworkStatus_s",161,"System.String",string
+"agentRealtimeInfo_agentOsName_s",162,"System.String",string
+"agentRealtimeInfo_agentOsRevision_s",163,"System.String",string
+"agentRealtimeInfo_agentOsType_s",164,"System.String",string
+"agentRealtimeInfo_agentUuid_g",165,"System.String",string
+"agentRealtimeInfo_agentVersion_s",166,"System.String",string
+"agentRealtimeInfo_groupId_s",167,"System.String",string
+"agentRealtimeInfo_groupName_s",168,"System.String",string
+"agentRealtimeInfo_networkInterfaces_s",169,"System.String",string
+"agentRealtimeInfo_operationalState_s",170,"System.String",string
+"agentRealtimeInfo_rebootRequired_b",171,"System.SByte",bool
+"agentRealtimeInfo_scanFinishedAt_t",172,"System.DateTime",datetime
+"agentRealtimeInfo_scanStartedAt_t",173,"System.DateTime",datetime
+"agentRealtimeInfo_scanStatus_s",174,"System.String",string
+"agentRealtimeInfo_siteId_s",175,"System.String",string
+"agentRealtimeInfo_siteName_s",176,"System.String",string
+"agentRealtimeInfo_userActionsNeeded_s",177,"System.String",string
+"indicators_s",178,"System.String",string
+"mitigationStatus_s",179,"System.String",string
+"threatInfo_analystVerdict_s",180,"System.String",string
+"threatInfo_analystVerdictDescription_s",181,"System.String",string
+"threatInfo_automaticallyResolved_b",182,"System.SByte",bool
+"threatInfo_certificateId_s",183,"System.String",string
+"threatInfo_classification_s",184,"System.String",string
+"threatInfo_classificationSource_s",185,"System.String",string
+"threatInfo_cloudFilesHashVerdict_s",186,"System.String",string
+"threatInfo_collectionId_s",187,"System.String",string
+"threatInfo_confidenceLevel_s",188,"System.String",string
+"threatInfo_createdAt_t",189,"System.DateTime",datetime
+"threatInfo_detectionEngines_s",190,"System.String",string
+"threatInfo_detectionType_s",191,"System.String",string
+"threatInfo_engines_s",192,"System.String",string
+"threatInfo_externalTicketExists_b",193,"System.SByte",bool
+"threatInfo_failedActions_b",194,"System.SByte",bool
+"threatInfo_fileExtension_s",195,"System.String",string
+"threatInfo_fileExtensionType_s",196,"System.String",string
+"threatInfo_filePath_s",197,"System.String",string
+"threatInfo_fileSize_d",198,"System.Double",real
+"threatInfo_fileVerificationType_s",199,"System.String",string
+"threatInfo_identifiedAt_t",200,"System.DateTime",datetime
+"threatInfo_incidentStatus_s",201,"System.String",string
+"threatInfo_incidentStatusDescription_s",202,"System.String",string
+"threatInfo_initiatedBy_s",203,"System.String",string
+"threatInfo_initiatedByDescription_s",204,"System.String",string
+"threatInfo_isFileless_b",205,"System.SByte",bool
+"threatInfo_isValidCertificate_b",206,"System.SByte",bool
+"threatInfo_mitigatedPreemptively_b",207,"System.SByte",bool
+"threatInfo_mitigationStatus_s",208,"System.String",string
+"threatInfo_mitigationStatusDescription_s",209,"System.String",string
+"threatInfo_originatorProcess_s",210,"System.String",string
+"threatInfo_pendingActions_b",211,"System.SByte",bool
+"threatInfo_processUser_s",212,"System.String",string
+"threatInfo_publisherName_s",213,"System.String",string
+"threatInfo_reachedEventsLimit_b",214,"System.SByte",bool
+"threatInfo_rebootRequired_b",215,"System.SByte",bool
+"threatInfo_sha1_s",216,"System.String",string
+"threatInfo_storyline_s",217,"System.String",string
+"threatInfo_threatId_s",218,"System.String",string
+"threatInfo_threatName_s",219,"System.String",string
+"threatInfo_updatedAt_t",220,"System.DateTime",datetime
+"whiteningOptions_s",221,"System.String",string
+"threatInfo_maliciousProcessArguments_s",222,"System.String",string
+"threatInfo_fileExtension_g",223,"System.String",string
+"threatInfo_threatName_g",224,"System.String",string
+"threatInfo_storyline_g",225,"System.String",string
+"accountId_s",226,"System.String",string
+"accountName_s",227,"System.String",string
+"activityType_d",228,"System.Double",real
+"activityUuid_g",229,"System.String",string
+"createdAt_t",230,"System.DateTime",datetime
+"id_s",231,"System.String",string
+"primaryDescription_s",232,"System.String",string
+"secondaryDescription_s",233,"System.String",string
+"siteId_s",234,"System.String",string
+"siteName_s",235,"System.String",string
+"updatedAt_t",236,"System.DateTime",datetime
+"userId_s",237,"System.String",string
+"event_name_s",238,"System.String",string
+"DataFields_s",239,"System.String",string
+"description_s",240,"System.String",string
+"comments_s",241,"System.String",string
+"activeDirectory_computerMemberOf_s",242,"System.String",string
+"activeDirectory_lastUserMemberOf_s",243,"System.String",string
+"activeThreats_d",244,"System.Double",real
+"agentVersion_s",245,"System.String",string
+"allowRemoteShell_b",246,"System.SByte",bool
+"appsVulnerabilityStatus_s",247,"System.String",string
+"computerName_s",248,"System.String",string
+"consoleMigrationStatus_s",249,"System.String",string
+"coreCount_d",250,"System.Double",real
+"cpuCount_d",251,"System.Double",real
+"cpuId_s",252,"System.String",string
+"detectionState_s",253,"System.String",string
+"domain_s",254,"System.String",string
+"encryptedApplications_b",255,"System.SByte",bool
+"externalId_s",256,"System.String",string
+"externalIp_s",257,"System.String",string
+"firewallEnabled_b",258,"System.SByte",bool
+"firstFullModeTime_t",259,"System.DateTime",datetime
+"fullDiskScanLastUpdatedAt_t",260,"System.DateTime",datetime
+"groupId_s",261,"System.String",string
+"groupIp_s",262,"System.String",string
+"groupName_s",263,"System.String",string
+"inRemoteShellSession_b",264,"System.SByte",bool
+"infected_b",265,"System.SByte",bool
+"installerType_s",266,"System.String",string
+"isActive_b",267,"System.SByte",bool
+"isDecommissioned_b",268,"System.SByte",bool
+"isPendingUninstall_b",269,"System.SByte",bool
+"isUninstalled_b",270,"System.SByte",bool
+"isUpToDate_b",271,"System.SByte",bool
+"lastActiveDate_t",272,"System.DateTime",datetime
+"lastIpToMgmt_s",273,"System.String",string
+"lastLoggedInUserName_s",274,"System.String",string
+"licenseKey_s",275,"System.String",string
+"locationEnabled_b",276,"System.SByte",bool
+"locationType_s",277,"System.String",string
+"locations_s",278,"System.String",string
+"machineType_s",279,"System.String",string
+"mitigationMode_s",280,"System.String",string
+"mitigationModeSuspicious_s",281,"System.String",string
+"modelName_s",282,"System.String",string
+"networkInterfaces_s",283,"System.String",string +"networkQuarantineEnabled_b",284,"System.SByte",bool +"networkStatus_s",285,"System.String",string +"operationalState_s",286,"System.String",string +"osArch_s",287,"System.String",string +"osName_s",288,"System.String",string +"osRevision_s",289,"System.String",string +"osStartTime_t",290,"System.DateTime",datetime +"osType_s",291,"System.String",string +"rangerStatus_s",292,"System.String",string +"rangerVersion_s",293,"System.String",string +"registeredAt_t",294,"System.DateTime",datetime +"remoteProfilingState_s",295,"System.String",string +"scanFinishedAt_t",296,"System.DateTime",datetime +"scanStartedAt_t",297,"System.DateTime",datetime +"scanStatus_s",298,"System.String",string +"serialNumber_s",299,"System.String",string +"showAlertIcon_b",300,"System.SByte",bool +"tags_sentinelone_s",301,"System.String",string +"threatRebootRequired_b",302,"System.SByte",bool +"totalMemory_d",303,"System.Double",real +"userActionsNeeded_s",304,"System.String",string +"uuid_g",305,"System.String",string +"osUsername_s",306,"System.String",string +"scanAbortedAt_t",307,"System.DateTime",datetime +"activeDirectory_computerDistinguishedName_s",308,"System.String",string +"activeDirectory_lastUserDistinguishedName_s",309,"System.String",string +Type,310,"System.String",string +"_ResourceId",311,"System.String",string From 5e316b311deaaea3159d618ee66d8ccf55f62a19 Mon Sep 17 00:00:00 2001 From: Jayesh Prajapati Date: Sun, 30 Jul 2023 13:06:34 +0530 Subject: [PATCH 2/9] Fixed Kqlvalidation by correcting unifying parser name. --- Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml b/Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml index 0b0320cb7ad..5ac4cf9a698 100644 --- a/Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml +++ b/Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml 
@@ -46,4 +46,4 @@ ParserQuery: |
 ASimProcessTerminateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )),
 ASimProcessCreateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )),
 ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoTh' in (DisabledParsers) )),
- ASimProcessvimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessvimProcessCreateSentinelOne' in (DisabledParsers) ))
+ ASimProcessASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessvimProcessCreateSentinelOne' in (DisabledParsers) ))
From 868ebb88a734a4dca39384d02e4ef2e763978d15 Mon Sep 17 00:00:00 2001
From: Jayesh Prajapati Date: Thu, 24 Aug 2023 23:01:27 +0530 Subject: [PATCH 3/9] Fixed the suggested review1 changes and added RAW log files for sentinel one. --- .../CustomTables/SentinelOne_CL.json | 4 + .../Parsers/ASimProcessCreateSentinelOne.yaml | 27 +- .../Parsers/ASimProcessEvent.yaml | 6 +- .../Parsers/ASimProcessEventCreate.yaml | 4 +- .../Parsers/ASimProcessEventTerminate.yaml | 4 +- .../ASimProcessEvent/Parsers/imProcess.yaml | 3 +- .../Parsers/imProcessCreate.yaml | 6 +- .../Parsers/imProcessTerminate.yaml | 6 +- .../Parsers/vimProcessCreateSentinelOne.yaml | 25 +- ...SentinelOne_ASimProcessCreate_DataTest.csv | 37 +- ...ntinelOne_ASimProcessCreate_SchemaTest.csv | 7 - .../SentinelOne_vimProcessCreate_DataTest.csv | 37 +- ...entinelOne_vimProcessCreate_SchemaTest.csv | 7 - ...SentinelOne_ASimFileEvent_IngestedLogs.csv | 17 - ...tinelOne_ASimProcessEvent_IngestedLogs.csv | 21 + .../SentinelOne_ASimProcessEvent_RawLogs.json | 6042 +++++++++++++++++ Sample Data/ASIM/SentinelOne_CL_Schema.csv | 1 + 17 files changed, 6159 insertions(+), 95 deletions(-) delete mode 100644 Sample Data/ASIM/SentinelOne_ASimFileEvent_IngestedLogs.csv create mode 100644 Sample Data/ASIM/SentinelOne_ASimProcessEvent_IngestedLogs.csv create mode 100644 Sample Data/ASIM/SentinelOne_ASimProcessEvent_RawLogs.json diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json index a240d92d89b..bbce9d77495 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json @@ -389,6 +389,10 @@ "Name": "_ResourceId", "Type": "string" }, + { + "Name": "_ItemId", + "Type": "string" + }, { "Name": "alertInfo_indicatorDescription_s", "Type": "string" 
diff --git a/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateSentinelOne.yaml b/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateSentinelOne.yaml
index 893a24d8fdb..287ee023f81 100644
--- a/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateSentinelOne.yaml
+++ b/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateSentinelOne.yaml
@@ -1,6 +1,6 @@
 Parser:
 Title: Process Create ASIM parser for SentinelOne
- Version: '0.1.1'
+ Version: '0.1.0'
 LastUpdated: Jul 24, 2023
 Product:
 Name: SentinelOne
@@ -17,7 +17,7 @@ References:
 Description: |
 This ASIM parser supports normalizing SentinelOne logs to the ASIM Process Event normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API.
 ParserName: ASimProcessCreateSentinelOne
-EquivalentBuiltInParser: _Im_ProcessCreate_SentinelOne
+EquivalentBuiltInParser: _ASim_ProcessCreate_SentinelOne
 ParserParams:
 - Name: disabled
 Type: bool
@@ -34,9 +34,8 @@ ParserQuery: |
 TargetProcessCommandLine = targetProcessInfo_tgtProcCmdLine_s,
 TargetProcessId = targetProcessInfo_tgtProcPid_s,
 TargetProcessName = targetProcessInfo_tgtProcName_s,
- EventUid = _ResourceId,
+ EventUid = _ItemId,
 TargetProcessCreationTime = targetProcessInfo_tgtProcessStartTime_t,
- DvcHostname = agentDetectionInfo_name_s,
 ActingProcessName = sourceProcessInfo_name_s,
 ParentProcessName = sourceParentProcessInfo_name_s,
 ActingProcessCommandLine = sourceProcessInfo_commandline_s,
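Review bot: `LastUpdated: Jul 24, 2023` is left as context while the @@ -34,9 hunk changes the parser's field mappings (`EventUid = _ItemId`, `DvcHostname` dropped), so the header no longer reflects the revision; update it with the version line, e.g. `LastUpdated: Aug 24, 2023` to match the commit date. Resetting `Version` from '0.1.1' to '0.1.0' is reasonable for a parser first introduced in this series, but keep it in lockstep with the identical reset in vimProcessCreateSentinelOne.yaml. The ParserQuery the last hunk belongs to continues outside the hunk.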
@@ -46,25 +45,28 @@ ParserQuery: |
 ActingProcessSHA256 = sourceProcessInfo_fileHashSha256_s,
 ParentProcessSHA256 = sourceParentProcessInfo_fileHashSha256_s,
 DvcOs = agentDetectionInfo_osName_s,
- DvcOsVersion = agentDetectionInfo_version_s,
+ DvcOsVersion = agentDetectionInfo_osRevision_s,
 TargetProcessIntegrityLevel = targetProcessInfo_tgtProcIntegrityLevel_s,
 EventOriginalType = alertInfo_eventType_s,
+ EventOriginalSeverity = ruleInfo_severity_s,
 EventOriginalUid = alertInfo_dvEventId_s
+ | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')
 | extend
 ActingProcessId = sourceProcessInfo_pid_s,
- ActorUsername = coalesce(sourceProcessInfo_user_s, 'N/A'),
- TargetUsername = coalesce(sourceProcessInfo_user_s, 'N/A'),
+ ActorUsername = sourceProcessInfo_user_s,
+ TargetUsername = sourceProcessInfo_user_s,
 Hash = coalesce(targetProcessInfo_tgtFileHashSha256_s, targetProcessInfo_tgtFileHashSha1_s),
 ParentProcessId = sourceProcessInfo_pid_s,
 TargetProcessSHA1 = targetProcessInfo_tgtFileHashSha1_s,
 TargetProcessSHA256 = targetProcessInfo_tgtFileHashSha256_s,
 ParentProcessMD5 = replace_string(sourceParentProcessInfo_fileHashMd5_g, "-", ""),
 ActingProcessMD5 = replace_string(sourceProcessInfo_fileHashMd5_g, "-", ""),
- EventSeverity = iff(ruleInfo_severity_s == "Critical", "High", ruleInfo_severity_s)
+ EventSeverity = iff(EventOriginalSeverity == "Critical", "High", EventOriginalSeverity)
 | extend
 EventCount = int(1),
 EventProduct = "SentinelOne",
 EventResult = "Success",
+ DvcAction = "Allowed",
 EventSchemaVersion = "0.1.4",
 EventType = "ProcessCreated",
 EventVendor = "SentinelOne",
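Review bot: `ParentProcessId = sourceProcessInfo_pid_s` in the `| extend` of this hunk takes the parent PID from the acting process's column, so ParentProcessId always equals ActingProcessId; every other parent field here is read from `sourceParentProcessInfo_*`, so the parent PID presumably lives there too — confirm the column name against SentinelOne_CL and use it, e.g. `ParentProcessId = <sourceParentProcessInfo pid column>,`. The same line is carried unchanged in the vimProcessCreateSentinelOne.yaml hunk at @@ -112,25. `TargetUsername = sourceProcessInfo_user_s` likewise copies the actor's user; if the raw schema exposes a target-process user, it should be preferred. The constants `EventResult = "Success"` and the newly added `DvcAction = "Allowed"` are applied to every record regardless of whether SentinelOne mitigated the process, which is worth checking against the mitigation-related columns before hard-coding; `EventSeverity` also passes through any label other than "Critical" unmapped, so values outside the ASIM set would surface as-is. The ParserQuery continues outside the hunk.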
@@ -79,20 +81,23 @@ ParserQuery: |
 | extend
 HashType = case(
 isnotempty(Hash) and isnotempty(TargetProcessSHA256),
- "SHA256",
+ "TargetProcessSHA256",
 isnotempty(Hash) and isnotempty(TargetProcessSHA1),
- "SHA1",
+ "TargetProcessSHA1",
 ""
 ),
 TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),
+ TargetUserType = _ASIM_GetUserType(TargetUsername, ""),
 DvcIdType = iff(isnotempty(DvcId), "Other", ""),
- ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)
+ ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),
+ ActorUserType = _ASIM_GetUserType(ActorUsername, "")
 | project-away
 *_d,
 *_s,
 *_g,
 *_t,
 *_b,
+ _ResourceId,
 TenantId,
 RawData,
 Computer,
diff --git a/Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml b/Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml
index 5ac4cf9a698..91e55b4b07d 100644
--- a/Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml
+++ b/Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml
@@ -29,6 +29,7 @@ Parsers:
 - _ASim_ProcessEvent_TerminateMicrosoftWindowsEvents
 - _ASim_ProcessEvent_CreateMicrosoftWindowsEvents
 - _ASim_ProcessEvent_MD4IoT
+ - _ASim_ProcessEvent_TerminateSentinelOne
 - _ASim_ProcessEvent_CreateSentinelOne
 ParserQuery: |
@@ -45,5 +46,6 @@ ParserQuery: |
 ASimProcessTerminateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateLinuxSysmon' in (DisabledParsers) )),
 ASimProcessTerminateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )),
 ASimProcessCreateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )),
- ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoTh' in (DisabledParsers) )),
- ASimProcessASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessvimProcessCreateSentinelOne' in (DisabledParsers) ))
+ ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoTh' in (DisabledParsers) )),,
+ ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) )),
+ ASimProcessTerminateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateSentinelOne' in (DisabledParsers) ))
diff --git a/Parsers/ASimProcessEvent/Parsers/ASimProcessEventCreate.yaml b/Parsers/ASimProcessEvent/Parsers/ASimProcessEventCreate.yaml
index 33502678cd0..f2a716a2890 100644
--- a/Parsers/ASimProcessEvent/Parsers/ASimProcessEventCreate.yaml
+++ b/Parsers/ASimProcessEvent/Parsers/ASimProcessEventCreate.yaml
@@ -24,6 +24,7 @@ Parsers:
 - _ASim_ProcessEvent_CreateLinuxSysmon
 - _ASim_ProcessEvent_CreateMicrosoftWindowsEvents
 - _ASim_ProcessEvent_MD4IoT
+ - _ASim_ProcessEvent_SentinelOne
 ParserQuery: |
 let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcessEventCreate') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
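Review bot: The added line `ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoTh' in (DisabledParsers) )),,` ends with a double comma, which is a syntax error inside the `union` and takes down the whole ASimProcessEvent parser; drop one comma. The same hunk and the Parsers list above it also reference `ASimProcessTerminateSentinelOne` / `_ASim_ProcessEvent_TerminateSentinelOne`, yet no terminate parser file appears in this patch's file list, so unless a later patch in the series adds it the union calls an undefined function — the ASimProcessEventTerminate.yaml, imProcess.yaml and imProcessTerminate.yaml hunks below have the same dependency. The built-in name for the create parser is spelled three ways across this patch: `_ASim_ProcessEvent_CreateSentinelOne` in ASimProcessEvent.yaml, `_ASim_ProcessEvent_SentinelOne` in the ASimProcessEventCreate.yaml list here, and `_ASim_ProcessCreate_SentinelOne` as the parser's own EquivalentBuiltInParser; pick one so the deployment template and the unions agree. The pre-existing `ExcludeASimProcessEventMD4IoTh` key differs from the `ExcludeASimProcessEventMD4IoT` key used in the Create/Terminate unions and looks like a typo worth fixing while touching this line.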
@@ -35,4 +36,5 @@ ParserQuery: |
 ASimProcessCreateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) )),
 ASimProcessCreateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateLinuxSysmon' in (DisabledParsers) )),
 ASimProcessCreateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )),
- ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) ))
+ ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) )),
+ ASimProcessEventCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) ))
diff --git a/Parsers/ASimProcessEvent/Parsers/ASimProcessEventTerminate.yaml b/Parsers/ASimProcessEvent/Parsers/ASimProcessEventTerminate.yaml
index fd756d2612a..ead0f00fd8c 100644
--- a/Parsers/ASimProcessEvent/Parsers/ASimProcessEventTerminate.yaml
+++ b/Parsers/ASimProcessEvent/Parsers/ASimProcessEventTerminate.yaml
@@ -24,6 +24,7 @@ Parsers:
 - _ASim_ProcessEvent_TerminateLinuxSysmon
 - _ASim_ProcessEvent_TerminateMicrosoftWindowsEvents
 - _ASim_ProcessEvent_MD4IoT
+ - _ASim_ProcessEvent_TerminateSentinelOne
 ParserQuery: |
 let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
 let imProcessEventBuiltInDisabled=toscalar('ExcludeASimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));
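Review bot: `ASimProcessEventCreateSentinelOne(...)` on the added line names a function that is not declared anywhere in this series: the parser's `ParserName` is `ASimProcessCreateSentinelOne`, and ASimProcessEvent.yaml unions it under that name, so this union will fail to resolve. Replace the call with `ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) ))`. The exclusion key is already consistent with ASimProcessEvent.yaml, so only the function name needs to change. The enclosing `union` starts outside the hunk.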
@@ -34,5 +35,6 @@ ParserQuery: |
 ASimProcessTerminateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) )),
 ASimProcessTerminateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateLinuxSysmon' in (DisabledParsers) )),
 ASimProcessTerminateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )),
- ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) ))
+ ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) )),
+ ASimProcessEventTerminateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateSentinelOne' in (DisabledParsers) ))
diff --git a/Parsers/ASimProcessEvent/Parsers/imProcess.yaml b/Parsers/ASimProcessEvent/Parsers/imProcess.yaml
index d8730566d71..41ac0323f82 100644
--- a/Parsers/ASimProcessEvent/Parsers/imProcess.yaml
+++ b/Parsers/ASimProcessEvent/Parsers/imProcess.yaml
@@ -29,4 +29,5 @@ ParserQuery: |
 vimProcessTerminateMicrosoftWindowsEvents,
 vimProcessCreateMicrosoftWindowsEvents,
 vimProcessEventMD4IoT,
- vimProcessEventCreateSentinelOne
+ vimProcessCreateSentinelOne,
+ vimProcessTerminateSentinelOne
diff --git a/Parsers/ASimProcessEvent/Parsers/imProcessCreate.yaml b/Parsers/ASimProcessEvent/Parsers/imProcessCreate.yaml
index 1cb4b5944d5..e58ca399f7f 100644
--- a/Parsers/ASimProcessEvent/Parsers/imProcessCreate.yaml
+++ b/Parsers/ASimProcessEvent/Parsers/imProcessCreate.yaml
@@ -66,7 +66,8 @@ ParserQuery: | vimProcessCreateMicrosoftSecurityEvents(starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) ))), vimProcessCreateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateLinuxSysmon' in (DisabledParsers) ))), vimProcessCreateMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) ))), - vimProcessCreateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventMD4IoT' in (DisabledParsers) ))) + vimProcessCreateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled 
or('ExcludevimProcessEventMD4IoT' in (DisabledParsers) ))), + vimProcessCreateSentinelOne (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateSentinelOne' in (DisabledParsers) ))) }; Generic(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcipaddr_has_any_prefix, hashes_has_any=hashes_has_any, eventtype=eventtype) @@ -78,5 +79,6 @@ Parsers: - _Im_ProcessCreate_MicrosoftSecurityEvents - _Im_ProcessCreate_LinuxSysmon - _Im_ProcessCreate_MicrosoftWindowsEvents - - _Im_ProcessCreate_MD4IoT + - _Im_ProcessCreate_MD4IoT + - _Im_ProcessCreate_SentinelOne diff --git a/Parsers/ASimProcessEvent/Parsers/imProcessTerminate.yaml b/Parsers/ASimProcessEvent/Parsers/imProcessTerminate.yaml index 2ac5b1469e4..64031db5771 100644 --- a/Parsers/ASimProcessEvent/Parsers/imProcessTerminate.yaml +++ b/Parsers/ASimProcessEvent/Parsers/imProcessTerminate.yaml 
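Review bot: The added `vimProcessCreateSentinelOne (starttime, endtime, …)` call binds thirteen parameters positionally, whereas the `vimProcessCreateMicrosoftWindowsEvents` call in the same hunk uses named arguments; vimProcessCreateSentinelOne's ParserParams are outside this diff, so the order cannot be verified here, and named arguments would turn a mismatch into a load-time error rather than a silently mis-bound filter. The SentinelOne call also does not forward `hashes_has_any` — fine if the parser declares no such parameter, otherwise hash filtering is dropped for this source. Unrelated to this change, the context line `Generic(... dvcname_has_any=dvcipaddr_has_any_prefix ...)` passes the IP-prefix list as the hostname filter, which looks like a copy slip worth a separate fix. The enclosing `let … union` block starts outside the hunk.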
@@ -63,7 +63,8 @@ ParserQuery: | vimProcessTerminateMicrosoftSecurityEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) ))), vimProcessTerminateMicrosoftWindowsEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) ))), vimProcessTerminateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateLinuxSysmon' in (DisabledParsers) ))), - vimProcessTerminateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventMD4IoT' in (DisabledParsers) ))) + vimProcessTerminateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventMD4IoT' in (DisabledParsers) ))), + vimProcessTerminateSentinelOne (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, 
parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateSentinelOne' in (DisabledParsers) ))) }; Generic(starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype) @@ -74,4 +75,5 @@ Parsers: - _Im_ProcessTerminate_MicrosoftSecurityEvents - _Im_ProcessTerminate_LinuxSysmon - _Im_ProcessTerminate_MicrosoftWindowsEvents - - _Im_ProcessTerminate_MD4IoT + - _Im_ProcessTerminate_MD4IoT + - _Im_ProcessTerminate_SentinelOne diff --git a/Parsers/ASimProcessEvent/Parsers/vimProcessCreateSentinelOne.yaml b/Parsers/ASimProcessEvent/Parsers/vimProcessCreateSentinelOne.yaml index ac2cfed3479..198f51b8cb0 100644 --- a/Parsers/ASimProcessEvent/Parsers/vimProcessCreateSentinelOne.yaml +++ b/Parsers/ASimProcessEvent/Parsers/vimProcessCreateSentinelOne.yaml @@ -1,6 +1,6 @@ Parser: Title: Process Create ASIM parser for SentinelOne - Version: '0.1.1' + Version: '0.1.0' LastUpdated: Jul 24, 2023 Product: Name: SentinelOne @@ -100,9 +100,8 @@ ParserQuery: | TargetProcessCommandLine = targetProcessInfo_tgtProcCmdLine_s, TargetProcessId = targetProcessInfo_tgtProcPid_s, TargetProcessName = targetProcessInfo_tgtProcName_s, - EventUid = _ResourceId, + EventUid = _ItemId, TargetProcessCreationTime = targetProcessInfo_tgtProcessStartTime_t, - DvcHostname = agentDetectionInfo_name_s, ActingProcessName = sourceProcessInfo_name_s, ParentProcessName = sourceParentProcessInfo_name_s, ActingProcessCommandLine = sourceProcessInfo_commandline_s, 
@@ -112,25 +111,28 @@ ParserQuery: |
 ActingProcessSHA256 = sourceProcessInfo_fileHashSha256_s,
 ParentProcessSHA256 = sourceParentProcessInfo_fileHashSha256_s,
 DvcOs = agentDetectionInfo_osName_s,
- DvcOsVersion = agentDetectionInfo_version_s,
+ DvcOsVersion = agentDetectionInfo_osRevision_s,
 TargetProcessIntegrityLevel = targetProcessInfo_tgtProcIntegrityLevel_s,
 EventOriginalType = alertInfo_eventType_s,
+ EventOriginalSeverity = ruleInfo_severity_s,
 EventOriginalUid = alertInfo_dvEventId_s
+ | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')
 | extend
 ActingProcessId = sourceProcessInfo_pid_s,
- ActorUsername = coalesce(sourceProcessInfo_user_s, 'N/A'),
- TargetUsername = coalesce(sourceProcessInfo_user_s, 'N/A'),
+ ActorUsername = sourceProcessInfo_user_s,
+ TargetUsername = sourceProcessInfo_user_s,
 Hash = coalesce(targetProcessInfo_tgtFileHashSha256_s, targetProcessInfo_tgtFileHashSha1_s),
 ParentProcessId = sourceProcessInfo_pid_s,
 TargetProcessSHA1 = targetProcessInfo_tgtFileHashSha1_s,
 TargetProcessSHA256 = targetProcessInfo_tgtFileHashSha256_s,
 ParentProcessMD5 = replace_string(sourceParentProcessInfo_fileHashMd5_g, "-", ""),
 ActingProcessMD5 = replace_string(sourceProcessInfo_fileHashMd5_g, "-", ""),
- EventSeverity = iff(ruleInfo_severity_s == "Critical", "High", ruleInfo_severity_s)
+ EventSeverity = iff(EventOriginalSeverity == "Critical", "High", EventOriginalSeverity)
 | extend
 EventCount = int(1),
 EventProduct = "SentinelOne",
 EventResult = "Success",
+ DvcAction = "Allowed",
 EventSchemaVersion = "0.1.4",
 EventType = "ProcessCreated",
 EventVendor = "SentinelOne",
@@ -145,20 +147,23 @@ ParserQuery: |
 | extend
 HashType = case(
 isnotempty(Hash) and isnotempty(TargetProcessSHA256),
- "SHA256",
+ "TargetProcessSHA256",
 isnotempty(Hash) and isnotempty(TargetProcessSHA1),
- "SHA1",
+ "TargetProcessSHA1",
 ""
 ),
 TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),
+ TargetUserType = _ASIM_GetUserType(TargetUsername, ""),
 DvcIdType = iff(isnotempty(DvcId), "Other", ""),
- ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)
+ ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),
+ ActorUserType = _ASIM_GetUserType(ActorUsername, "")
 | project-away
 *_d,
 *_s,
 *_g,
 *_t,
 *_b,
+ _ResourceId,
 TenantId,
 RawData,
 Computer,
diff --git a/Parsers/ASimProcessEvent/test/SentinelOne_ASimProcessCreate_DataTest.csv b/Parsers/ASimProcessEvent/test/SentinelOne_ASimProcessCreate_DataTest.csv
index 5d2a5911362..88a92faa256 100644
--- a/Parsers/ASimProcessEvent/test/SentinelOne_ASimProcessCreate_DataTest.csv
+++ b/Parsers/ASimProcessEvent/test/SentinelOne_ASimProcessCreate_DataTest.csv
@@ -1,20 +1,23 @@ Result -"(0) Error: 1 invalid value(s) (up to 10 listed) in 1625 records (32.22%) for field [DvcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:ProcessEvent)" -"(0) Error: 1 invalid value(s) (up to 10 listed) in 5043 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:ProcessEvent)" -"(0) Error: 1 invalid value(s) (up to 10 listed) in 5043 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:ProcessEvent)" +"(0) Error: 1 invalid value(s) (up to 10 listed) in 5185 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:ProcessEvent)" +"(0) Error: 1 invalid value(s) (up to 10 listed) in 5185 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:ProcessEvent)" "(1) Warning: Empty value in 2 records (0.04%) in mandatory field [TargetProcessName] (Schema:ProcessEvent)" +"(1) Warning: Empty value in 4849 records (93.52%) in mandatory field [ActorUsername] (Schema:ProcessEvent)" +"(1) Warning: Empty value in 4849 records (93.52%) in mandatory field [TargetUsername] (Schema:ProcessEvent)" "(1) Warning: Empty value in 6 records (0.12%) in mandatory field [TargetProcessCommandLine] (Schema:ProcessEvent)" -"(2) Info: Empty value in 140 records (2.78%) in optional field [ActingProcessCommandLine] (Schema:ProcessEvent)" -"(2) Info: Empty value in 140 records (2.78%) in optional field [ActingProcessName] (Schema:ProcessEvent)" -"(2) Info: Empty value in 194 records (3.85%) in optional field [ActingProcessGuid] (Schema:ProcessEvent)" -"(2) Info: Empty value in 3125 records (61.97%) in optional field [ParentProcessSHA1] (Schema:ProcessEvent)" -"(2) Info: Empty value in 469 records (9.3%) in optional field [ParentProcessName] (Schema:ProcessEvent)" -"(2) Info: Empty value in 4849 records (96.15%) in optional field [ActingProcessMD5] (Schema:ProcessEvent)" -"(2) Info: Empty value in 4849 records 
(96.15%) in optional field [ActingProcessSHA256] (Schema:ProcessEvent)"
-"(2) Info: Empty value in 4850 records (96.17%) in optional field [ParentProcessMD5] (Schema:ProcessEvent)"
-"(2) Info: Empty value in 4850 records (96.17%) in optional field [ParentProcessSHA256] (Schema:ProcessEvent)"
-"(2) Info: Empty value in 5043 records (100.0%) in optional field [TargetProcessSHA1] (Schema:ProcessEvent)"
-"(2) Info: Empty value in 5043 records (100.0%) in optional field [TargetProcessSHA256] (Schema:ProcessEvent)"
-"(2) Info: Empty value in 5043 records (100.0%) in recommended field [EventUid] (Schema:ProcessEvent)"
-"(2) Info: Empty value in 5043 records (100.0%) in recommended field [Hash] (Schema:ProcessEvent)"
-"(2) Info: Empty value in 962 records (19.08%) in optional field [ActingProcessSHA1] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 140 records (2.7%) in optional field [ActingProcessCommandLine] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 140 records (2.7%) in optional field [ActingProcessName] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 3125 records (60.27%) in optional field [ParentProcessSHA1] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 336 records (6.48%) in optional field [ActingProcessGuid] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 3560 records (68.66%) in optional field [DvcFQDN] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 3560 records (68.66%) in recommended field [DvcDomain] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 469 records (9.05%) in optional field [ParentProcessName] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 4849 records (93.52%) in optional field [ActingProcessMD5] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 4849 records (93.52%) in optional field [ActingProcessSHA256] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 4849 records (93.52%) in optional field [ActorUserType] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 4849 records (93.52%) in optional field [TargetUserType] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 4851 records (93.56%) in optional field [ParentProcessMD5] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 4851 records (93.56%) in optional field [ParentProcessSHA256] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 5185 records (100.0%) in optional field [TargetProcessSHA1] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 5185 records (100.0%) in optional field [TargetProcessSHA256] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 962 records (18.55%) in optional field [ActingProcessSHA1] (Schema:ProcessEvent)"
diff --git a/Parsers/ASimProcessEvent/test/SentinelOne_ASimProcessCreate_SchemaTest.csv b/Parsers/ASimProcessEvent/test/SentinelOne_ASimProcessCreate_SchemaTest.csv
index ff523a3ed7f..69c8944d396 100644
--- a/Parsers/ASimProcessEvent/test/SentinelOne_ASimProcessCreate_SchemaTest.csv
+++ b/Parsers/ASimProcessEvent/test/SentinelOne_ASimProcessCreate_SchemaTest.csv
@@ -1,7 +1,5 @@
 Result
 "(1) Warning: Missing recommended field [ActorUserId]"
-"(1) Warning: Missing recommended field [DvcDomainType]"
-"(1) Warning: Missing recommended field [DvcDomain]"
 "(1) Warning: Missing recommended field [DvcIpAddr]"
 "(1) Warning: Missing recommended field [TargetUserId]"
 "(2) Info: Missing optional field [ActingProcessFileCompany]"
@@ -24,12 +22,9 @@
 "(2) Info: Missing optional field [ActorSessionId]"
 "(2) Info: Missing optional field [ActorUserAadId]"
 "(2) Info: Missing optional field [ActorUserSid]"
-"(2) Info: Missing optional field [ActorUserType]"
 "(2) Info: Missing optional field [ActorUserUpn]"
 "(2) Info: Missing optional field [AdditionalFields]"
-"(2) Info: Missing optional field [DvcAction]"
 "(2) Info: Missing optional field [DvcDescription]"
-"(2) Info: Missing optional field [DvcFQDN]"
 "(2) Info: Missing optional field [DvcInterface]"
 "(2) Info: Missing optional field [DvcMacAddr]"
 "(2) Info: Missing optional field [DvcOriginalAction]"
@@ -38,7 +33,6 @@
 "(2) Info: Missing optional field [DvcZone]"
 "(2) Info: Missing optional field [EventMessage]"
 "(2) Info: Missing optional field [EventOriginalResultDetails]"
-"(2) Info: Missing optional field [EventOriginalSeverity]"
 "(2) Info: Missing optional field [EventOriginalSubType]"
 "(2) Info: Missing optional field [EventOwner]"
 "(2) Info: Missing optional field [EventProductVersion]"
@@ -81,5 +75,4 @@
 "(2) Info: Missing optional field [TargetUserSessionGuid]"
 "(2) Info: Missing optional field [TargetUserSessionId]"
 "(2) Info: Missing optional field [TargetUserSid]"
-"(2) Info: Missing optional field [TargetUserType]"
 "(2) Info: Missing optional field [TargetUserUpn]"
diff --git a/Parsers/ASimProcessEvent/test/SentinelOne_vimProcessCreate_DataTest.csv b/Parsers/ASimProcessEvent/test/SentinelOne_vimProcessCreate_DataTest.csv
index 5d2a5911362..88a92faa256 100644
--- a/Parsers/ASimProcessEvent/test/SentinelOne_vimProcessCreate_DataTest.csv
+++ b/Parsers/ASimProcessEvent/test/SentinelOne_vimProcessCreate_DataTest.csv
@@ -1,20 +1,23 @@
 Result
-"(0) Error: 1 invalid value(s) (up to 10 listed) in 1625 records (32.22%) for field [DvcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:ProcessEvent)"
-"(0) Error: 1 invalid value(s) (up to 10 listed) in 5043 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:ProcessEvent)"
-"(0) Error: 1 invalid value(s) (up to 10 listed) in 5043 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:ProcessEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 5185 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:ProcessEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 5185 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:ProcessEvent)"
 "(1) Warning: Empty value in 2 records (0.04%) in mandatory field [TargetProcessName] (Schema:ProcessEvent)"
+"(1) Warning: Empty value in 4849 records (93.52%) in mandatory field [ActorUsername] (Schema:ProcessEvent)"
+"(1) Warning: Empty value in 4849 records (93.52%) in mandatory field [TargetUsername] (Schema:ProcessEvent)"
 "(1) Warning: Empty value in 6 records (0.12%) in mandatory field [TargetProcessCommandLine] (Schema:ProcessEvent)"
-"(2) Info: Empty value in 140 records (2.78%) in optional field [ActingProcessCommandLine] (Schema:ProcessEvent)"
-"(2) Info: Empty value in 140 records (2.78%) in optional field [ActingProcessName] (Schema:ProcessEvent)"
-"(2) Info: Empty value in 194 records (3.85%) in optional field [ActingProcessGuid] (Schema:ProcessEvent)"
-"(2) Info: Empty value in 3125 records (61.97%) in optional field [ParentProcessSHA1] (Schema:ProcessEvent)"
-"(2) Info: Empty value in 469 records (9.3%) in optional field [ParentProcessName] (Schema:ProcessEvent)"
-"(2) Info: Empty value in 4849 records (96.15%) in optional field [ActingProcessMD5] (Schema:ProcessEvent)"
-"(2) Info: Empty value in 4849 records (96.15%) in optional field [ActingProcessSHA256] (Schema:ProcessEvent)"
-"(2) Info: Empty value in 4850 records (96.17%) in optional field [ParentProcessMD5] (Schema:ProcessEvent)"
-"(2) Info: Empty value in 4850 records (96.17%) in optional field [ParentProcessSHA256] (Schema:ProcessEvent)"
-"(2) Info: Empty value in 5043 records (100.0%) in optional field [TargetProcessSHA1] (Schema:ProcessEvent)"
-"(2) Info: Empty value in 5043 records (100.0%) in optional field [TargetProcessSHA256] (Schema:ProcessEvent)"
-"(2) Info: Empty value in 5043 records (100.0%) in recommended field [EventUid] (Schema:ProcessEvent)"
-"(2) Info: Empty value in 5043 records (100.0%) in recommended field [Hash] (Schema:ProcessEvent)"
-"(2) Info: Empty value in 962 records (19.08%) in optional field [ActingProcessSHA1] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 140 records (2.7%) in optional field [ActingProcessCommandLine] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 140 records (2.7%) in optional field [ActingProcessName] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 3125 records (60.27%) in optional field [ParentProcessSHA1] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 336 records (6.48%) in optional field [ActingProcessGuid] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 3560 records (68.66%) in optional field [DvcFQDN] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 3560 records (68.66%) in recommended field [DvcDomain] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 469 records (9.05%) in optional field [ParentProcessName] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 4849 records (93.52%) in optional field [ActingProcessMD5] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 4849 records (93.52%) in optional field [ActingProcessSHA256] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 4849 records (93.52%) in optional field [ActorUserType] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 4849 records (93.52%) in optional field [TargetUserType] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 4851 records (93.56%) in optional field [ParentProcessMD5] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 4851 records (93.56%) in optional field [ParentProcessSHA256] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 5185 records (100.0%) in optional field [TargetProcessSHA1] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 5185 records (100.0%) in optional field [TargetProcessSHA256] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 962 records (18.55%) in optional field [ActingProcessSHA1] (Schema:ProcessEvent)"
diff --git a/Parsers/ASimProcessEvent/test/SentinelOne_vimProcessCreate_SchemaTest.csv b/Parsers/ASimProcessEvent/test/SentinelOne_vimProcessCreate_SchemaTest.csv
index ff523a3ed7f..69c8944d396 100644
--- a/Parsers/ASimProcessEvent/test/SentinelOne_vimProcessCreate_SchemaTest.csv
+++ b/Parsers/ASimProcessEvent/test/SentinelOne_vimProcessCreate_SchemaTest.csv
@@ -1,7 +1,5 @@
 Result
 "(1) Warning: Missing recommended field [ActorUserId]"
-"(1) Warning: Missing recommended field [DvcDomainType]"
-"(1) Warning: Missing recommended field [DvcDomain]"
 "(1) Warning: Missing recommended field [DvcIpAddr]"
 "(1) Warning: Missing recommended field [TargetUserId]"
 "(2) Info: Missing optional field [ActingProcessFileCompany]"
@@ -24,12 +22,9 @@
 "(2) Info: Missing optional field [ActorSessionId]"
 "(2) Info: Missing optional field [ActorUserAadId]"
 "(2) Info: Missing optional field [ActorUserSid]"
-"(2) Info: Missing optional field [ActorUserType]"
 "(2) Info: Missing optional field [ActorUserUpn]"
 "(2) Info: Missing optional field [AdditionalFields]"
-"(2) Info: Missing optional field [DvcAction]"
 "(2) Info: Missing optional field [DvcDescription]"
-"(2) Info: Missing optional field [DvcFQDN]"
 "(2) Info: Missing optional field [DvcInterface]"
 "(2) Info: Missing optional field [DvcMacAddr]"
 "(2) Info: Missing optional field [DvcOriginalAction]"
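Review bot: The new expected output for vimProcessCreate records the mandatory fields [ActorUsername] and [TargetUsername] as empty in 4849 of 5185 records (93.52%), a warning the old baseline did not contain, so committing this file as-is bakes a coverage regression into the test instead of surfacing it. The empty count is identical to the new [ActorUserType]/[TargetUserType] lines, which suggests all four are derived from one source field that is populated only for a small subset of SentinelOne events; confirm whether the parser has a fallback before accepting this baseline. Empty usernames on process-creation events matter for detection content keyed on the acting user, since such rules would silently skip roughly 93% of SentinelOne records. The removal of the `[DvcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""]` error alongside the new [DvcFQDN]/[DvcDomain] lines looks like the FQDN is now split into hostname and domain, which is an improvement, but the commit message does not say so. The parser that produces these values is not part of this hunk.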
@@ -38,7 +33,6 @@
 "(2) Info: Missing optional field [DvcZone]"
 "(2) Info: Missing optional field [EventMessage]"
 "(2) Info: Missing optional field [EventOriginalResultDetails]"
-"(2) Info: Missing optional field [EventOriginalSeverity]"
 "(2) Info: Missing optional field [EventOriginalSubType]"
 "(2) Info: Missing optional field [EventOwner]"
 "(2) Info: Missing optional field [EventProductVersion]"
@@ -81,5 +75,4 @@
 "(2) Info: Missing optional field [TargetUserSessionGuid]"
 "(2) Info: Missing optional field [TargetUserSessionId]"
 "(2) Info: Missing optional field [TargetUserSid]"
-"(2) Info: Missing optional field [TargetUserType]"
 "(2) Info: Missing optional field [TargetUserUpn]"
diff --git a/Sample Data/ASIM/SentinelOne_ASimFileEvent_IngestedLogs.csv b/Sample Data/ASIM/SentinelOne_ASimFileEvent_IngestedLogs.csv
deleted file mode 100644
index 976eb23f6c8..00000000000
--- a/Sample Data/ASIM/SentinelOne_ASimFileEvent_IngestedLogs.csv
+++ /dev/null
@@ -1,17 +0,0 @@ -TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,alertInfo_indicatorDescription_s,alertInfo_indicatorName_s,targetProcessInfo_tgtFileOldPath_s,alertInfo_indicatorCategory_s,alertInfo_registryOldValue_g,alertInfo_dstIp_s,alertInfo_dstPort_s,alertInfo_netEventDirection_s,alertInfo_srcIp_s,alertInfo_srcPort_s,containerInfo_id_s,targetProcessInfo_tgtFileId_g,alertInfo_registryOldValue_s,alertInfo_registryOldValueType_s,alertInfo_dnsRequest_s,alertInfo_dnsResponse_s,alertInfo_registryKeyPath_s,alertInfo_registryPath_s,alertInfo_registryValue_g,ruleInfo_description_s,alertInfo_registryValue_s,alertInfo_loginAccountDomain_s,alertInfo_loginAccountSid_s,alertInfo_loginIsAdministratorEquivalent_s,alertInfo_loginIsSuccessful_s,alertInfo_loginType_s,alertInfo_loginsUserName_s,alertInfo_srcMachineIp_s,targetProcessInfo_tgtProcCmdLine_s,targetProcessInfo_tgtProcImagePath_s,targetProcessInfo_tgtProcName_s,targetProcessInfo_tgtProcPid_s,targetProcessInfo_tgtProcSignedStatus_s,targetProcessInfo_tgtProcStorylineId_s,targetProcessInfo_tgtProcUid_s,sourceParentProcessInfo_storyline_g,sourceParentProcessInfo_uniqueId_g,sourceProcessInfo_storyline_g,sourceProcessInfo_uniqueId_g,targetProcessInfo_tgtProcStorylineId_g,targetProcessInfo_tgtProcUid_g,agentDetectionInfo_machineType_s,agentDetectionInfo_name_s,agentDetectionInfo_osFamily_s,agentDetectionInfo_osName_s,agentDetectionInfo_osRevision_s,agentDetectionInfo_uuid_g,agentDetectionInfo_version_s,agentRealtimeInfo_id_s,agentRealtimeInfo_infected_b,agentRealtimeInfo_isActive_b,agentRealtimeInfo_isDecommissioned_b,agentRealtimeInfo_machineType_s,agentRealtimeInfo_name_s,agentRealtimeInfo_os_s,agentRealtimeInfo_uuid_g,alertInfo_alertId_s,alertInfo_analystVerdict_s,alertInfo_createdAt_t [UTC],alertInfo_dvEventId_s,alertInfo_eventType_s,alertInfo_hitType_s,alertInfo_incidentStatus_s,alertInfo_isEdr_b,alertInfo_reportedAt_t [UTC],alertInfo_source_s,alertInfo_updatedAt_t 
[UTC],ruleInfo_id_s,ruleInfo_name_s,ruleInfo_queryLang_s,ruleInfo_queryType_s,ruleInfo_s1ql_s,ruleInfo_scopeLevel_s,ruleInfo_severity_s,ruleInfo_treatAsThreat_s,sourceParentProcessInfo_commandline_s,sourceParentProcessInfo_fileHashMd5_g,sourceParentProcessInfo_fileHashSha1_s,sourceParentProcessInfo_fileHashSha256_s,sourceParentProcessInfo_filePath_s,sourceParentProcessInfo_fileSignerIdentity_s,sourceParentProcessInfo_integrityLevel_s,sourceParentProcessInfo_name_s,sourceParentProcessInfo_pid_s,sourceParentProcessInfo_pidStarttime_t [UTC],sourceParentProcessInfo_storyline_s,sourceParentProcessInfo_subsystem_s,sourceParentProcessInfo_uniqueId_s,sourceParentProcessInfo_user_s,sourceProcessInfo_commandline_s,sourceProcessInfo_fileHashMd5_g,sourceProcessInfo_fileHashSha1_s,sourceProcessInfo_fileHashSha256_s,sourceProcessInfo_filePath_s,sourceProcessInfo_fileSignerIdentity_s,sourceProcessInfo_integrityLevel_s,sourceProcessInfo_name_s,sourceProcessInfo_pid_s,sourceProcessInfo_pidStarttime_t [UTC],sourceProcessInfo_storyline_s,sourceProcessInfo_subsystem_s,sourceProcessInfo_uniqueId_s,sourceProcessInfo_user_s,targetProcessInfo_tgtFileCreatedAt_t [UTC],targetProcessInfo_tgtFileHashSha1_s,targetProcessInfo_tgtFileHashSha256_s,targetProcessInfo_tgtFileId_s,targetProcessInfo_tgtFileIsSigned_s,targetProcessInfo_tgtFileModifiedAt_t [UTC],targetProcessInfo_tgtFilePath_s,targetProcessInfo_tgtProcIntegrityLevel_s,targetProcessInfo_tgtProcessStartTime_t 
[UTC],agentUpdatedVersion_s,agentId_s,hash_s,osFamily_s,threatId_s,creator_s,creatorId_s,inherits_b,isDefault_b,name_s,registrationToken_s,totalAgents_d,type_s,agentDetectionInfo_accountId_s,agentDetectionInfo_accountName_s,agentDetectionInfo_agentDetectionState_s,agentDetectionInfo_agentDomain_s,agentDetectionInfo_agentIpV4_s,agentDetectionInfo_agentIpV6_s,agentDetectionInfo_agentLastLoggedInUserName_s,agentDetectionInfo_agentMitigationMode_s,agentDetectionInfo_agentOsName_s,agentDetectionInfo_agentOsRevision_s,agentDetectionInfo_agentRegisteredAt_t [UTC],agentDetectionInfo_agentUuid_g,agentDetectionInfo_agentVersion_s,agentDetectionInfo_externalIp_s,agentDetectionInfo_groupId_s,agentDetectionInfo_groupName_s,agentDetectionInfo_siteId_s,agentDetectionInfo_siteName_s,agentRealtimeInfo_accountId_s,agentRealtimeInfo_accountName_s,agentRealtimeInfo_activeThreats_d,agentRealtimeInfo_agentComputerName_s,agentRealtimeInfo_agentDomain_s,agentRealtimeInfo_agentId_s,agentRealtimeInfo_agentInfected_b,agentRealtimeInfo_agentIsActive_b,agentRealtimeInfo_agentIsDecommissioned_b,agentRealtimeInfo_agentMachineType_s,agentRealtimeInfo_agentMitigationMode_s,agentRealtimeInfo_agentNetworkStatus_s,agentRealtimeInfo_agentOsName_s,agentRealtimeInfo_agentOsRevision_s,agentRealtimeInfo_agentOsType_s,agentRealtimeInfo_agentUuid_g,agentRealtimeInfo_agentVersion_s,agentRealtimeInfo_groupId_s,agentRealtimeInfo_groupName_s,agentRealtimeInfo_networkInterfaces_s,agentRealtimeInfo_operationalState_s,agentRealtimeInfo_rebootRequired_b,agentRealtimeInfo_scanFinishedAt_t [UTC],agentRealtimeInfo_scanStartedAt_t 
[UTC],agentRealtimeInfo_scanStatus_s,agentRealtimeInfo_siteId_s,agentRealtimeInfo_siteName_s,agentRealtimeInfo_userActionsNeeded_s,indicators_s,mitigationStatus_s,threatInfo_analystVerdict_s,threatInfo_analystVerdictDescription_s,threatInfo_automaticallyResolved_b,threatInfo_certificateId_s,threatInfo_classification_s,threatInfo_classificationSource_s,threatInfo_cloudFilesHashVerdict_s,threatInfo_collectionId_s,threatInfo_confidenceLevel_s,threatInfo_createdAt_t [UTC],threatInfo_detectionEngines_s,threatInfo_detectionType_s,threatInfo_engines_s,threatInfo_externalTicketExists_b,threatInfo_failedActions_b,threatInfo_fileExtension_s,threatInfo_fileExtensionType_s,threatInfo_filePath_s,threatInfo_fileSize_d,threatInfo_fileVerificationType_s,threatInfo_identifiedAt_t [UTC],threatInfo_incidentStatus_s,threatInfo_incidentStatusDescription_s,threatInfo_initiatedBy_s,threatInfo_initiatedByDescription_s,threatInfo_isFileless_b,threatInfo_isValidCertificate_b,threatInfo_mitigatedPreemptively_b,threatInfo_mitigationStatus_s,threatInfo_mitigationStatusDescription_s,threatInfo_originatorProcess_s,threatInfo_pendingActions_b,threatInfo_processUser_s,threatInfo_publisherName_s,threatInfo_reachedEventsLimit_b,threatInfo_rebootRequired_b,threatInfo_sha1_s,threatInfo_storyline_s,threatInfo_threatId_s,threatInfo_threatName_s,threatInfo_updatedAt_t [UTC],whiteningOptions_s,threatInfo_maliciousProcessArguments_s,threatInfo_fileExtension_g,threatInfo_threatName_g,threatInfo_storyline_g,accountId_s,accountName_s,activityType_d,activityUuid_g,createdAt_t [UTC],id_s,primaryDescription_s,secondaryDescription_s,siteId_s,siteName_s,updatedAt_t 
[UTC],userId_s,event_name_s,DataFields_s,description_s,comments_s,activeDirectory_computerMemberOf_s,activeDirectory_lastUserMemberOf_s,activeThreats_d,agentVersion_s,allowRemoteShell_b,appsVulnerabilityStatus_s,computerName_s,consoleMigrationStatus_s,coreCount_d,cpuCount_d,cpuId_s,detectionState_s,domain_s,encryptedApplications_b,externalId_s,externalIp_s,firewallEnabled_b,firstFullModeTime_t [UTC],fullDiskScanLastUpdatedAt_t [UTC],groupId_s,groupIp_s,groupName_s,inRemoteShellSession_b,infected_b,installerType_s,isActive_b,isDecommissioned_b,isPendingUninstall_b,isUninstalled_b,isUpToDate_b,lastActiveDate_t [UTC],lastIpToMgmt_s,lastLoggedInUserName_s,licenseKey_s,locationEnabled_b,locationType_s,locations_s,machineType_s,mitigationMode_s,mitigationModeSuspicious_s,modelName_s,networkInterfaces_s,networkQuarantineEnabled_b,networkStatus_s,operationalState_s,osArch_s,osName_s,osRevision_s,osStartTime_t [UTC],osType_s,rangerStatus_s,rangerVersion_s,registeredAt_t [UTC],remoteProfilingState_s,scanFinishedAt_t [UTC],scanStartedAt_t [UTC],scanStatus_s,serialNumber_s,showAlertIcon_b,tags_sentinelone_s,threatRebootRequired_b,totalMemory_d,userActionsNeeded_s,uuid_g,osUsername_s,scanAbortedAt_t [UTC],activeDirectory_computerDistinguishedName_s,activeDirectory_lastUserDistinguishedName_s,Type,_ResourceId -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 1:30:05.042 PM",,,,,/var/log/demisto/d1_Test2/d1.log,,,,,,,,,73a7707e-7bab-e79f-9c49-510c60321972,,,,,,,,,,,,,,,,,,,,,,,,727f2a7d-3997-199c-b5d9-e962c2389980,727f2a79-b96b-79ca-c3f2-3f8bf533b533,727f2ab1-dc50-82a1-cf98-4ad46daede5f,727f2ab1-681c-2167-fda1-df29915f20c9,,,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,false,true,false,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733340103401284845,Undefined,"7/20/2023, 1:17:11.900 
PM",01H5SQ4NMCXWHAQ5FDZVZD1DZD_21,FILERENAME,Events,Unresolved,true,"7/20/2023, 1:17:22.275 PM",STAR,"7/20/2023, 1:17:22.275 PM",1733331490875496472,File Activity,1.0,events,"EventType = ""File Creation"" OR EventType = ""File Deletion"" OR EventType = ""File Modification"" OR EventType = ""File Rename"" OR EventType = ""File Scan""",account,Low,UNDEFINED, /usr/lib/systemd/systemd --switched-root --system --deserialize 22,,d00e622d514a3351de5cede74496dd50c65fbabb,,/usr/lib/systemd/systemd,,unknown,systemd,1,"7/18/2023, 8:55:41.180 AM",,unknown,,, /usr/local/demisto/d1_Test2/d1,,f69e54850b3774d38769e4c401496f88c003d3c8,,/usr/local/demisto/d1_Test2/d1,,unknown,d1,1137,"7/18/2023, 8:56:10.270 AM",,unknown,,,"7/20/2023, 12:55:20.831 PM",,,,unsigned,"1/1/1970, 12:00:00.000 AM",/var/log/demisto/d1_Test2/d1-2023-07-20T13-16-51.917.log,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/27/2023, 6:50:07.211 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,DESKTOP-AB1CD,windows,Windows 11 Pro,22621,20ee9f81-027b-432f-b6c5-d549705f3419,23.1.2.400,1713023112770967412,true,true,false,laptop,DESKTOP-AB1CD,windows,20ee9f81-027b-432f-b6c5-d549705f3419,1738210213570412146,Undefined,"7/27/2023, 6:33:13.641 AM",01H6B0WXM7A30GV66B9RRTPAJK_413,FILEMODIFICATION,Events,Unresolved,true,"7/27/2023, 6:33:24.648 AM",STAR,"7/27/2023, 6:33:24.648 AM",1726010588144703192,Windows-KB2670838.msu.exe,1.0,events,"TgtFileSha1 = 
""ccb7898c509c3a1de96d2010d638f6a719f6f400""",account,Critical,Malicious,C:\Windows\system32\userinit.exe,8592ae60-a986-7d35-cb19-8309a342ce1a,3eb1d07db5a6c7912db39ba92928f04db00cc5c1,3c8c6bf586dc8be65789b1186f27ba8ab26d61ccaf51f2ac6a23eaba5126b0bb,C:\Windows\System32\userinit.exe,MICROSOFT WINDOWS,medium,userinit.exe,8884,"7/27/2023, 5:59:32.132 AM",2DED9BC6A067F7A0,sys_win32,2CED9BC6A067F7A0,DESKTOP-AB1CD\Crest,C:\Windows\Explorer.EXE,5c780589-4b39-ba7a-aa9c-53d013ae92c2,b4f089ec1627b1333078df2bafb3b4e9c77dcf88,e89840322edaf4a7855ab296bc298add055c6d6910edc6c93ac866eb264e74a3,C:\Windows\explorer.exe,MICROSOFT WINDOWS,medium,explorer.exe,9032,"7/27/2023, 5:59:32.209 AM",30ED9BC6A067F7A0,sys_win32,2FED9BC6A067F7A0,DESKTOP-AB1CD\Crest,"7/27/2023, 6:34:19.435 AM",ccb7898c509c3a1de96d2010d638f6a719f6f400,f91f02fd27ada64f36f6df59a611fef106ff7734833dea825d0612e73bdfb621,72A59CC6A067F7A0,unsigned,"7/27/2023, 6:34:19.435 AM",C:\Users\Crest\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Windows-KB2670838.msu.exe,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/27/2023, 6:50:07.211 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,DESKTOP-AB1CD,windows,Windows 11 Pro,22621,20ee9f81-027b-432f-b6c5-d549705f3419,23.1.2.400,1713023112770967412,true,true,false,laptop,DESKTOP-AB1CD,windows,20ee9f81-027b-432f-b6c5-d549705f3419,1738210225264132788,Undefined,"7/27/2023, 6:33:13.649 AM",01H6B0WXM7A30GV66B9RRTPAJK_519,FILECREATION,Events,Unresolved,true,"7/27/2023, 6:33:26.041 AM",STAR,"7/27/2023, 6:33:26.041 AM",1725975030124192555,CrimsonRAT.exe,1.0,events,"TgtFileSha1 = 
""ec0efbe8fd2fa5300164e9e4eded0d40da549c60""",account,Critical,Malicious,C:\Windows\system32\userinit.exe,8592ae60-a986-7d35-cb19-8309a342ce1a,3eb1d07db5a6c7912db39ba92928f04db00cc5c1,3c8c6bf586dc8be65789b1186f27ba8ab26d61ccaf51f2ac6a23eaba5126b0bb,C:\Windows\System32\userinit.exe,MICROSOFT WINDOWS,medium,userinit.exe,8884,"7/27/2023, 5:59:32.132 AM",2DED9BC6A067F7A0,sys_win32,2CED9BC6A067F7A0,DESKTOP-AB1CD\Crest,C:\Windows\Explorer.EXE,5c780589-4b39-ba7a-aa9c-53d013ae92c2,b4f089ec1627b1333078df2bafb3b4e9c77dcf88,e89840322edaf4a7855ab296bc298add055c6d6910edc6c93ac866eb264e74a3,C:\Windows\explorer.exe,MICROSOFT WINDOWS,medium,explorer.exe,9032,"7/27/2023, 5:59:32.209 AM",30ED9BC6A067F7A0,sys_win32,2FED9BC6A067F7A0,DESKTOP-AB1CD\Crest,"7/27/2023, 6:34:20.505 AM",ec0efbe8fd2fa5300164e9e4eded0d40da549c60,dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba,A9A59CC6A067F7A0,,"7/27/2023, 6:34:20.505 AM",C:\Users\Crest\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/27/2023, 6:50:07.211 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,DESKTOP-AB1CD,windows,Windows 11 Pro,22621,20ee9f81-027b-432f-b6c5-d549705f3419,23.1.2.400,1713023112770967412,true,true,false,laptop,DESKTOP-AB1CD,windows,20ee9f81-027b-432f-b6c5-d549705f3419,1738210244927031908,Undefined,"7/27/2023, 6:33:13.624 AM",01H6B0WXM7A30GV66B9RRTPAJK_67,FILECREATION,Events,Unresolved,true,"7/27/2023, 6:33:28.385 AM",STAR,"7/27/2023, 6:33:28.385 AM",1726067642318496051,Emotet.zip (,1.0,events,"TgtFileSha1 = 
""acb5bc4b83a7d383c161917d2de137fd6358aabd""",account,Critical,Malicious,C:\Windows\system32\userinit.exe,8592ae60-a986-7d35-cb19-8309a342ce1a,3eb1d07db5a6c7912db39ba92928f04db00cc5c1,3c8c6bf586dc8be65789b1186f27ba8ab26d61ccaf51f2ac6a23eaba5126b0bb,C:\Windows\System32\userinit.exe,MICROSOFT WINDOWS,medium,userinit.exe,8884,"7/27/2023, 5:59:32.132 AM",2DED9BC6A067F7A0,sys_win32,2CED9BC6A067F7A0,DESKTOP-AB1CD\Crest,C:\Windows\Explorer.EXE,5c780589-4b39-ba7a-aa9c-53d013ae92c2,b4f089ec1627b1333078df2bafb3b4e9c77dcf88,e89840322edaf4a7855ab296bc298add055c6d6910edc6c93ac866eb264e74a3,C:\Windows\explorer.exe,MICROSOFT WINDOWS,medium,explorer.exe,9032,"7/27/2023, 5:59:32.209 AM",30ED9BC6A067F7A0,sys_win32,2FED9BC6A067F7A0,DESKTOP-AB1CD\Crest,"7/27/2023, 6:34:17.094 AM",acb5bc4b83a7d383c161917d2de137fd6358aabd,f62125428644746f081ca587ffa9449513dd786d793e83003c1f9607ca741c89,B3A49CC6A067F7A0,,"7/27/2023, 6:34:17.094 AM",Anonymized Data,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/21/2023, 10:10:03.752 AM",,,,,/run/NetworkManager/resolv.conf.tmp,,,,,,,,,7365cb43-e8a5-6056-ad37-b8eb60de75a2,,,,,,,,,,,,,,,,,,,,,,,,73c80b06-1061-e164-bdde-acf15170e205,73c80b04-5237-eb0f-0727-54a158641580,73c80b24-6ec0-90ed-1d5c-19bda9503b05,73c80b24-0395-912e-2db7-d931a51e0955,,,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,false,true,false,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733963468448059912,Undefined,"7/21/2023, 9:55:35.864 AM",01H5VY0D3160GH2Y9EJRN156NV_63,FILERENAME,Events,Unresolved,true,"7/21/2023, 9:55:53.178 AM",STAR,"7/21/2023, 9:55:53.178 AM",1733175396878455794,File 
Activity Test,1.0,events,"EventType = ""File Creation"" OR EventType = ""File Deletion"" OR EventType = ""File Modification"" OR EventType = ""File Rename"" OR EventType = ""File Scan""",site,Low,UNDEFINED, /usr/lib/systemd/systemd --switched-root --system --deserialize 22,,d00e622d514a3351de5cede74496dd50c65fbabb,,/usr/lib/systemd/systemd,,unknown,systemd,1,"7/21/2023, 6:39:14.230 AM",,unknown,,, /usr/sbin/NetworkManager --no-daemon,,1cfe129a867e17e356ddc6d5036d8f031669844d,,/usr/sbin/NetworkManager,,unknown,NetworkManager,764,"7/21/2023, 6:39:40.910 AM",,unknown,,,"7/21/2023, 9:55:15.954 AM",,,,unsigned,"1/1/1970, 12:00:00.000 AM",/run/NetworkManager/resolv.conf,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/21/2023, 10:10:03.752 AM",,,,,/run/NetworkManager/resolv.conf.tmp,,,,,,,,,7365cb43-e8a5-6056-ad37-b8eb60de75a2,,,,,,,,,,,,,,,,,,,,,,,,73c80b06-1061-e164-bdde-acf15170e205,73c80b04-5237-eb0f-0727-54a158641580,73c80b24-6ec0-90ed-1d5c-19bda9503b05,73c80b24-0395-912e-2db7-d931a51e0955,,,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,false,true,false,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733963482071160962,Undefined,"7/21/2023, 9:55:35.865 AM",01H5VY0D3160GH2Y9EJRN156NV_63,FILERENAME,Events,Unresolved,true,"7/21/2023, 9:55:54.803 AM",STAR,"7/21/2023, 9:55:54.803 AM",1733331490875496472,File Activity,1.0,events,"EventType = ""File Creation"" OR EventType = ""File Deletion"" OR EventType = ""File Modification"" OR EventType = ""File Rename"" OR EventType = ""File Scan""",account,Low,UNDEFINED, /usr/lib/systemd/systemd --switched-root --system --deserialize 
22,,d00e622d514a3351de5cede74496dd50c65fbabb,,/usr/lib/systemd/systemd,,unknown,systemd,1,"7/21/2023, 6:39:14.230 AM",,unknown,,, /usr/sbin/NetworkManager --no-daemon,,1cfe129a867e17e356ddc6d5036d8f031669844d,,/usr/sbin/NetworkManager,,unknown,NetworkManager,764,"7/21/2023, 6:39:40.910 AM",,unknown,,,"7/21/2023, 9:55:15.954 AM",,,,unsigned,"1/1/1970, 12:00:00.000 AM",/run/NetworkManager/resolv.conf,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/21/2023, 6:00:15.610 AM",,,,,/var/lib/net-snmp/snmpd.conf,,,,,,,,,73bff444-0620-5aee-9e8c-0f5ea67bfefb,,,,,,,,,,,,,,,,,,,,,,,,727f2a7d-3997-199c-b5d9-e962c2389980,727f2a79-b96b-79ca-c3f2-3f8bf533b533,73bff5ea-3e85-27cf-caeb-92d05aaa3fe4,73bff73b-5235-2b64-bf6d-c204633f03e5,,,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,false,true,false,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733837854154317394,Undefined,"7/21/2023, 5:46:06.516 AM",01H5VFQJVC21222HX0VDG1D0KZ_57,FILERENAME,Events,Unresolved,true,"7/21/2023, 5:46:18.788 AM",STAR,"7/21/2023, 5:46:18.788 AM",1733331490875496472,File Activity,1.0,events,"EventType = ""File Creation"" OR EventType = ""File Deletion"" OR EventType = ""File Modification"" OR EventType = ""File Rename"" OR EventType = ""File Scan""",account,Low,UNDEFINED, /usr/lib/systemd/systemd --switched-root --system --deserialize 22,,d00e622d514a3351de5cede74496dd50c65fbabb,,/usr/lib/systemd/systemd,,unknown,systemd,1,"7/18/2023, 8:55:41.180 AM",,unknown,,, /usr/sbin/snmpd -LS0-6d -f,,f33063ea7de94571a4434561e1a25e98c5190513,,/usr/sbin/snmpd,,unknown,snmpd,59923,"7/21/2023, 5:45:09.970 
AM",,unknown,,,"7/21/2023, 5:44:55.045 AM",,,,unsigned,"1/1/1970, 12:00:00.000 AM",/var/lib/net-snmp/snmpd.0.conf,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:30:04.449 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO07,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,false,true,false,laptop,CLO07,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736752240802854154,Undefined,"7/25/2023, 6:16:26.266 AM",01H65V20HBQGX37555XC4A34RQ_222,FILEMODIFICATION,Events,Unresolved,true,"7/25/2023, 6:16:40.750 AM",STAR,"7/25/2023, 6:16:40.750 AM",1736743171400115521,CWL547,1.0,events,"EndpointName = ""CLO07""",account,Medium,UNDEFINED,"""C:\Windows\uus\AMD64\wuaucltcore.exe"" /DeploymentHandlerFullPath \\?\C:\Windows\UUS\AMD64\UpdateDeploy.dll /ClassId a6a6d102-c473-4702-bc7f-3e1e37137816 /RunHandlerComServer",2d56afae-0889-13ee-6eba-53cfc5b32f01,fd6f764c7308d5fd33afbc1d0fc44616976dc7ad,26626c962f11296b599166c0ba57ce0919909c316531425a542874838516392d,C:\Windows\UUS\amd64\wuaucltcore.exe,MICROSOFT WINDOWS,system,wuaucltcore.exe,8616,"7/25/2023, 6:15:48.228 AM",26D712F580778F51,sys_win32,25D712F580778F51,NT AUTHORITY\SYSTEM,"""C:\Windows\SoftwareDistribution\Download\Install\UpdatePlatform.amd64fre.exe""",dbacc2da-d34e-574b-da86-f4c54cd709a5,aa7e29ece94fbaacd94a7f34896b3f9671a18d18,6985f93749efde6ec7e228f87d0b14a4f61aecd04ba7889a5a25a2ae7244b775,C:\Windows\SoftwareDistribution\Download\Install\UpdatePlatform.amd64fre.exe,MICROSOFT WINDOWS PUBLISHER,system,UpdatePlatform.amd64fre.exe,15544,"7/25/2023, 6:15:48.825 AM",26D712F580778F51,sys_win32,28D712F580778F51,NT AUTHORITY\SYSTEM,"7/21/2185, 11:34:33.709 
PM",a6fcade03347ac64bdefabe64e25cebdbefe3498,b48cd4860107c7b5ad8fa80cb78b67dfff63796e99a237c4405660f9235e4de6,5CD812F580778F51,,"7/21/2185, 11:34:33.709 PM",C:\Windows\SystemTemp\CDF02ABE-F59C-4A41-AC3F-F104625D635E\Powershell\MSFT_MpPerformanceRecording.psm1,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:30:04.449 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO07,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,false,true,false,laptop,CLO07,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736752270305590149,Undefined,"7/25/2023, 6:16:26.308 AM",01H65V20HBQGX37555XC4A34RQ_431,FILEMODIFICATION,Events,Unresolved,true,"7/25/2023, 6:16:44.267 AM",STAR,"7/25/2023, 6:16:44.267 AM",1736743171400115521,CWL547,1.0,events,"EndpointName = ""CLO07""",account,Medium,UNDEFINED,"""C:\Windows\SoftwareDistribution\Download\Install\UpdatePlatform.amd64fre.exe""",dbacc2da-d34e-574b-da86-f4c54cd709a5,aa7e29ece94fbaacd94a7f34896b3f9671a18d18,6985f93749efde6ec7e228f87d0b14a4f61aecd04ba7889a5a25a2ae7244b775,C:\Windows\SoftwareDistribution\Download\Install\UpdatePlatform.amd64fre.exe,MICROSOFT WINDOWS PUBLISHER,system,UpdatePlatform.amd64fre.exe,15544,"7/25/2023, 6:15:48.825 AM",26D712F580778F51,sys_win32,28D712F580778F51,NT AUTHORITY\SYSTEM,C:\Windows\SystemTemp\CDF02ABE-F59C-4A41-AC3F-F104625D635E\MpSigStub.exe /stub 1.1.20300.1 /payload 4.18.23050.9 /program 
C:\Windows\SoftwareDistribution\Download\Install\UpdatePlatform.amd64fre.exe,d00d22fc-9d25-6ead-476f-0afd7e69ddae,a7e6f93498811cdfe189b3e036d864735fbf91e4,03410cb89092b20188e30aae345a92ab1efa4f21b5229e3b1a7c57b424e976f0,C:\Windows\SystemTemp\CDF02ABE-F59C-4A41-AC3F-F104625D635E\MpSigStub.exe,MICROSOFT CORPORATION,system,MpSigStub.exe,16296,"7/25/2023, 6:15:50.959 AM",26D712F580778F51,sys_win32,64D812F580778F51,NT AUTHORITY\SYSTEM,"7/21/2185, 11:34:33.709 PM",aec3290fd5e3bd7e2502cc845f18265f813eb870,159e76a4a4077222b3c201f07401f3f97b293738511e0fd97b2ce18536de461b,ABD912F580778F51,signed,"7/21/2185, 11:34:33.709 PM",C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23050.9-0\mpextms.exe,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:30:04.449 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO07,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,false,true,false,laptop,CLO07,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736752758036066424,Undefined,"7/25/2023, 6:17:24.096 AM",01H65V3V1DZ8YA39PZ5EWX1NJ3_41,FILEDELETION,Events,Unresolved,true,"7/25/2023, 6:17:42.409 AM",STAR,"7/25/2023, 6:17:42.409 AM",1736743171400115521,CWL547,1.0,events,"EndpointName = ""CLO07""",account,Medium,UNDEFINED,"""C:\Windows\SystemTemp\mpam-db6b0d9f.exe"" /q WD",ffc35934-b31a-0d62-eeb0-8f8aa40b5982,1013c718063b124fb306b245c183ed094430d374,3a79ba90f0acef5f3fbfc0b654381eef938acbea0814ed1e375f9cdbccf63e78,C:\Windows\SystemTemp\mpam-db6b0d9f.exe,MICROSOFT CORPORATION,system,mpam-db6b0d9f.exe,16380,"7/25/2023, 6:16:33.761 AM",F83C0EF580778F51,sys_win32,65DA12F580778F51,NT 
AUTHORITY\SYSTEM,C:\Windows\SystemTemp\E0D919E5-665D-4048-8C24-3DEF4B640D1E\MpSigStub.exe /stub 1.1.23060.3001 /payload 1.393.1315.0 /program C:\Windows\SystemTemp\mpam-db6b0d9f.exe /q WD,8b6eac30-eab7-9e24-df5e-43d8bec9e243,5ce942034143949709b779de297bbb355102e050,dbb282f630dc503b55b37da93abc67212795beb046335f1166a935ce07b16086,C:\Windows\SystemTemp\E0D919E5-665D-4048-8C24-3DEF4B640D1E\MpSigStub.exe,MICROSOFT CORPORATION,system,MpSigStub.exe,12528,"7/25/2023, 6:16:34.479 AM",F83C0EF580778F51,sys_win32,6ADA12F580778F51,NT AUTHORITY\SYSTEM,"7/21/2185, 11:34:33.709 PM",acd087a51035cafe4a68181deede8ae260ea92ca,a8e1aeb9c2684628125c0aef8fdcbe4e6894c3842f59c4eeee7bb12e9e1fa944,CC4B0EF580778F51,,"7/21/2185, 11:34:33.709 PM",C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B7471214-A63A-4C99-B4C3-17663864BCB8}\mpengine.dll,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:30:04.449 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO07,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,false,true,false,laptop,CLO07,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736752762683355536,Undefined,"7/25/2023, 6:17:24.098 AM",01H65V3V1DZ8YA39PZ5EWX1NJ3_51,FILEDELETION,Events,Unresolved,true,"7/25/2023, 6:17:42.962 AM",STAR,"7/25/2023, 6:17:42.962 AM",1736743171400115521,CWL547,1.0,events,"EndpointName = ""CLO07""",account,Medium,UNDEFINED,"""C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23050.5-0\MpCmdRun.exe"" SignatureUpdate -ScheduleJob 
-RestrictPrivileges",94e52781-2df3-b448-e18f-5cb7b38e0216,808c44d9accddd45b0c86ffe8acc533dda1c07ff,b370f2d32704cd1bdea8f1836f68a3af72cb9385eb8719dd84be9a6b3018d17a,C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23050.5-0\MpCmdRun.exe,MICROSOFT WINDOWS,system,MpCmdRun.exe,17220,"7/25/2023, 6:05:35.311 AM",F83C0EF580778F51,sys_win32,25D612F580778F51,NT AUTHORITY\SYSTEM,"""C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23050.9-0\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob -HttpDownload -RestrictPrivileges",86dc797f-060f-9739-842e-13b668079be2,b95ff405a0dd527fd8ffa8916b26108692ac28da,a43bf3d7f0991a3aac1bc93e7f7ea49e21737b3915367b9d12a3d27702212704,C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23050.9-0\MpCmdRun.exe,MICROSOFT WINDOWS,system,MpCmdRun.exe,13172,"7/25/2023, 6:16:29.189 AM",F83C0EF580778F51,sys_win32,4ADA12F580778F51,NT AUTHORITY\SYSTEM,"7/25/2023, 6:16:29.323 AM",1013c718063b124fb306b245c183ed094430d374,3a79ba90f0acef5f3fbfc0b654381eef938acbea0814ed1e375f9cdbccf63e78,4CDA12F580778F51,signed,"7/25/2023, 6:16:29.323 AM",C:\Windows\SystemTemp\mpam-db6b0d9f.exe,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:30:04.449 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO07,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,false,true,false,laptop,CLO07,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736752765501927943,Undefined,"7/25/2023, 6:17:24.098 AM",01H65V3V1DZ8YA39PZ5EWX1NJ3_48,FILEDELETION,Events,Unresolved,true,"7/25/2023, 6:17:43.299 AM",STAR,"7/25/2023, 6:17:43.299 AM",1736743171400115521,CWL547,1.0,events,"EndpointName = 
""CLO07""",account,Medium,UNDEFINED,"""C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23050.9-0\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob -HttpDownload -RestrictPrivileges",86dc797f-060f-9739-842e-13b668079be2,b95ff405a0dd527fd8ffa8916b26108692ac28da,a43bf3d7f0991a3aac1bc93e7f7ea49e21737b3915367b9d12a3d27702212704,C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23050.9-0\MpCmdRun.exe,MICROSOFT WINDOWS,system,MpCmdRun.exe,13172,"7/25/2023, 6:16:29.189 AM",F83C0EF580778F51,sys_win32,4ADA12F580778F51,NT AUTHORITY\SYSTEM,"""C:\Windows\SystemTemp\mpam-db6b0d9f.exe"" /q WD",ffc35934-b31a-0d62-eeb0-8f8aa40b5982,1013c718063b124fb306b245c183ed094430d374,3a79ba90f0acef5f3fbfc0b654381eef938acbea0814ed1e375f9cdbccf63e78,C:\Windows\SystemTemp\mpam-db6b0d9f.exe,MICROSOFT CORPORATION,system,mpam-db6b0d9f.exe,16380,"7/25/2023, 6:16:33.761 AM",F83C0EF580778F51,sys_win32,65DA12F580778F51,NT AUTHORITY\SYSTEM,"7/25/2023, 6:16:34.290 AM",5f1403aeba45dbc96d89c4dd16b2b02c1acd3b58,24e14fd2287f14dc27336fa4bb0edf77823f8a63979f76c1b754f1a958ed17d9,69DA12F580778F51,signed,"7/25/2023, 6:16:34.291 AM",C:\Windows\SystemTemp\E0D919E5-665D-4048-8C24-3DEF4B640D1E\mpavdlta.vdm,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/26/2023, 5:10:04.255 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO07,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,false,true,true,laptop,CLO07,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1737433999490006774,Undefined,"7/26/2023, 4:50:56.094 AM",01H688J6CXA4PKEDVB5RE122AT_35,FILEDELETION,Events,Unresolved,true,"7/26/2023, 4:51:12.719 AM",STAR,"7/26/2023, 4:51:12.719 
AM",1736743171400115521,CWL547,1.0,events,"EndpointName = ""CLO07""",account,Medium,UNDEFINED,Anonymized Data,c574c38d-9c6c-b239-6115-ee765103ccf9,1d136ade3825e5995863522a3893c7cd03576aa8,4c874b8ff8493be0f3fd9363fb7bb59e7b36ff6b98d37e9bb5c42158ed5f867b,C:\Program Files\LibreOffice\program\soffice.exe,THE DOCUMENT FOUNDATION,medium,soffice.exe,16528,"7/26/2023, 4:49:56.421 AM",840614F580778F51,sys_win32,830614F580778F51,CLO07\Crest,Anonymized Data,ad6bf6b4-a972-64fd-c147-e01208cef496,0d6bd79e1270fcca6d6281ae85c45641b98ac330,f32600df28791670ebc171516bce954c6a7dfb3068eb163cebf86f5137700c2c,C:\Program Files\LibreOffice\program\soffice.bin,THE DOCUMENT FOUNDATION,medium,soffice.bin,11392,"7/26/2023, 4:49:56.456 AM",860614F580778F51,sys_win32,850614F580778F51,CLO07\Crest,"7/26/2023, 4:49:57.276 AM",356a192b7913b04c54574d18c28d46e6395428ab,6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b,8A0614F580778F51,,"7/26/2023, 4:49:57.276 AM",C:\Users\Crest\AppData\Roaming\LibreOffice\4\user\extensions\tmp\stamp.sys,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/26/2023, 5:10:04.255 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO07,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,false,true,true,laptop,CLO07,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1737434458179132195,Undefined,"7/26/2023, 4:51:56.257 AM",01H688M11R9VGSZ6SCGEF72BC8_307,FILEMODIFICATION,Events,Unresolved,true,"7/26/2023, 4:52:07.399 AM",STAR,"7/26/2023, 4:52:07.399 AM",1736743171400115521,CWL547,1.0,events,"EndpointName = 
""CLO07""",account,Medium,UNDEFINED,C:\Windows\Explorer.EXE,357b678c-68d3-d5ee-86e1-b706fbfd994b,a4e4e2bc502e4ab249b219da357d1aad163ab175,8375581b32e510a1ddf90b1ff8ffb8a756d71e1d5572b1c7c027e9b7393ccd3b,C:\Windows\explorer.exe,MICROSOFT WINDOWS,medium,explorer.exe,2184,"7/26/2023, 4:43:13.069 AM",20EC12F580778F51,sys_win32,1FEC12F580778F51,CLO07\Crest,"C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding",357b678c-68d3-d5ee-86e1-b706fbfd994b,a4e4e2bc502e4ab249b219da357d1aad163ab175,8375581b32e510a1ddf90b1ff8ffb8a756d71e1d5572b1c7c027e9b7393ccd3b,C:\Windows\explorer.exe,MICROSOFT WINDOWS,medium,explorer.exe,3752,"7/26/2023, 4:51:18.156 AM",240814F580778F51,sys_win32,230814F580778F51,CLO07\Crest,"7/26/2023, 4:51:40.873 AM",e6b4c40c98eb9023ad522ef8664f6a8256c65a64,a36ba35cf5b5386e7c76e5b9673b999c7bf4e2a30e6408b85102aa61f3be4523,7A0814F580778F51,signed,"7/26/2023, 4:51:40.874 AM",C:\Windows\Installer\MSI62BC.tmp,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/26/2023, 5:10:04.255 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO07,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,false,true,true,laptop,CLO07,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1737436495713459493,Undefined,"7/26/2023, 4:55:56.747 AM",01H688VBDBEK7BMHE6RB25DPQ7_41,FILEMODIFICATION,Events,Unresolved,true,"7/26/2023, 4:56:10.292 AM",STAR,"7/26/2023, 4:56:10.292 AM",1736743171400115521,CWL547,1.0,events,"EndpointName = ""CLO07""",account,Medium,UNDEFINED,"C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} 
-Embedding",357b678c-68d3-d5ee-86e1-b706fbfd994b,a4e4e2bc502e4ab249b219da357d1aad163ab175,8375581b32e510a1ddf90b1ff8ffb8a756d71e1d5572b1c7c027e9b7393ccd3b,C:\Windows\explorer.exe,MICROSOFT WINDOWS,medium,explorer.exe,3752,"7/26/2023, 4:51:18.156 AM",240814F580778F51,sys_win32,230814F580778F51,CLO07\Crest,C:\Windows\System32\MsiExec.exe -Embedding A970964D09FC76D0369C3F0735F8F6CB A,302be4b7-434e-6797-6902-9c8570825cc0,f3d7fee4ced78e37f49ce4e38ac681f07bca6ae0,5a31ea6a517a065166fafa01a0ac6a350d0e2dcba1b6dd4fdb41ae59109568e1,C:\Windows\System32\msiexec.exe,MICROSOFT WINDOWS,high,msiexec.exe,1524,"7/26/2023, 4:54:54.008 AM",3F0C14F580778F51,sys_win32,3E0C14F580778F51,CLO07\Crest,"7/21/2185, 11:34:33.709 PM",b85d02ba0e8de4aeded1a2f5679505cd403bd201,f6fb39a8578f19616570d5a3dc7212c84a9da232b30a03376bbf08f4264fedf2,480C14F580778F51,signed,"7/21/2185, 11:34:33.709 PM",C:\Users\Crest\AppData\Local\Temp\sen617C.tmp,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/26/2023, 5:00:31.604 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO07,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,false,true,true,laptop,CLO07,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1737430320011352678,Undefined,"7/26/2023, 4:43:33.000 AM",01H6884MR8FZHK9TYD68PC12V2_59,FILEDELETION,Events,Unresolved,true,"7/26/2023, 4:43:54.090 AM",STAR,"7/26/2023, 4:43:54.090 AM",1736743171400115521,CWL547,1.0,events,"EndpointName = ""CLO07""",account,Medium,UNDEFINED,"""C:\Program Files\WindowsApps\MicrosoftTeams_23119.303.2080.2726_x64__8wekyb3d8bbwe\msteams.exe"" 
ms-teams:system-initiated",1626f236-c0dc-28d5-92a1-0a359ebe3460,0fc1714b93869441cba7d44368ec411bac434e68,8cca5e46f6e9dfe566795c4e76aae4d44de8885f43bed759ef6bcad2516ac285,C:\Program Files\WindowsApps\MicrosoftTeams_23119.303.2080.2726_x64__8wekyb3d8bbwe\msteams.exe,MICROSOFT CORPORATION,medium,msteams.exe,12792,"7/25/2023, 5:42:29.630 AM",38BD12F580778F51,sys_win32,3EBD12F580778F51,CLO07\Crest,"""C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.82\msedgewebview2.exe"" --embedded-browser-webview=1 --webview-exe-name=msteams.exe --webview-exe-version=23119.303.2080.2726 --user-data-dir=""C:\Users\Crest\AppData\Local\Packages\MicrosoftTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView"" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --edge-webview-custom-scheme --disable-features=MojoIpcz,msWebOOUI --edge-webview-is-background --enable-features=msSingleSignOnOSForPrimaryAccountIsShared,msEdgeFluentOverlayScrollbar,msWebView2CodeCache,msWebView2EnableDraggableRegions --mojo-named-platform-channel-pipe=12792.17304.14378710367050045082 /pfhostedapp:e7e952ed836442a682dca713cb7c4d91d21a087a",0f259745-8e7a-c81b-049d-45ef5b291246,bbd88a2a41c94d4140ccaef71bfb771e0ccc5c32,0ce0ef234aba4bf60f1c48a058ce764d52e91078e95312de4db4b0911f4cc7d4,C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.82\msedgewebview2.exe,MICROSOFT CORPORATION,medium,msedgewebview2.exe,3316,"7/25/2023, 5:42:30.143 AM",38BD12F580778F51,sys_win32,48BD12F580778F51,CLO07\Crest,"7/25/2023, 5:42:30.637 AM",,,81BD12F580778F51,,"7/25/2023, 5:43:42.536 AM",C:\Users\Crest\AppData\Local\Temp\48d577fd-6e2f-441b-af70-03ea7c1fe9b5.tmp,unknown,"1/1/1970, 12:00:00.000 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, \ No newline at end of file 
diff --git a/Sample Data/ASIM/SentinelOne_ASimProcessEvent_IngestedLogs.csv b/Sample Data/ASIM/SentinelOne_ASimProcessEvent_IngestedLogs.csv
new file mode 100644
index 00000000000..459d530851e
--- /dev/null
+++ b/Sample Data/ASIM/SentinelOne_ASimProcessEvent_IngestedLogs.csv
@@ -0,0 +1,21 @@
+TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,alertInfo_indicatorDescription_s,alertInfo_indicatorName_s,targetProcessInfo_tgtFileOldPath_s,alertInfo_indicatorCategory_s,alertInfo_registryOldValue_g,alertInfo_dstIp_s,alertInfo_dstPort_s,alertInfo_netEventDirection_s,alertInfo_srcIp_s,alertInfo_srcPort_s,containerInfo_id_s,targetProcessInfo_tgtFileId_g,alertInfo_registryOldValue_s,alertInfo_registryOldValueType_s,alertInfo_dnsRequest_s,alertInfo_dnsResponse_s,alertInfo_registryKeyPath_s,alertInfo_registryPath_s,alertInfo_registryValue_g,ruleInfo_description_s,alertInfo_registryValue_s,alertInfo_loginAccountDomain_s,alertInfo_loginAccountSid_s,alertInfo_loginIsAdministratorEquivalent_s,alertInfo_loginIsSuccessful_s,alertInfo_loginType_s,alertInfo_loginsUserName_s,alertInfo_srcMachineIp_s,targetProcessInfo_tgtProcCmdLine_s,targetProcessInfo_tgtProcImagePath_s,targetProcessInfo_tgtProcName_s,targetProcessInfo_tgtProcPid_s,targetProcessInfo_tgtProcSignedStatus_s,targetProcessInfo_tgtProcStorylineId_s,targetProcessInfo_tgtProcUid_s,sourceParentProcessInfo_storyline_g,sourceParentProcessInfo_uniqueId_g,sourceProcessInfo_storyline_g,sourceProcessInfo_uniqueId_g,targetProcessInfo_tgtProcStorylineId_g,targetProcessInfo_tgtProcUid_g,agentDetectionInfo_machineType_s,agentDetectionInfo_name_s,agentDetectionInfo_osFamily_s,agentDetectionInfo_osName_s,agentDetectionInfo_osRevision_s,agentDetectionInfo_uuid_g,agentDetectionInfo_version_s,agentRealtimeInfo_id_s,agentRealtimeInfo_infected_b,agentRealtimeInfo_isActive_b,agentRealtimeInfo_isDecommissioned_b,agentRealtimeInfo_machineType_s,agentRealtimeInfo_name_s,agentRealtimeInfo_os_s,agentRealtimeInfo_uuid_g,alertInfo_alertId_s,alertInfo_analystVerdict_s,alertInfo_createdAt_t [UTC],alertInfo_dvEventId_s,alertInfo_eventType_s,alertInfo_hitType_s,alertInfo_incidentStatus_s,alertInfo_isEdr_b,alertInfo_reportedAt_t [UTC],alertInfo_source_s,alertInfo_updatedAt_t 
[UTC],ruleInfo_id_s,ruleInfo_name_s,ruleInfo_queryLang_s,ruleInfo_queryType_s,ruleInfo_s1ql_s,ruleInfo_scopeLevel_s,ruleInfo_severity_s,ruleInfo_treatAsThreat_s,sourceParentProcessInfo_commandline_s,sourceParentProcessInfo_fileHashMd5_g,sourceParentProcessInfo_fileHashSha1_s,sourceParentProcessInfo_fileHashSha256_s,sourceParentProcessInfo_filePath_s,sourceParentProcessInfo_fileSignerIdentity_s,sourceParentProcessInfo_integrityLevel_s,sourceParentProcessInfo_name_s,sourceParentProcessInfo_pid_s,sourceParentProcessInfo_pidStarttime_t [UTC],sourceParentProcessInfo_storyline_s,sourceParentProcessInfo_subsystem_s,sourceParentProcessInfo_uniqueId_s,sourceParentProcessInfo_user_s,sourceProcessInfo_commandline_s,sourceProcessInfo_fileHashMd5_g,sourceProcessInfo_fileHashSha1_s,sourceProcessInfo_fileHashSha256_s,sourceProcessInfo_filePath_s,sourceProcessInfo_fileSignerIdentity_s,sourceProcessInfo_integrityLevel_s,sourceProcessInfo_name_s,sourceProcessInfo_pid_s,sourceProcessInfo_pidStarttime_t [UTC],sourceProcessInfo_storyline_s,sourceProcessInfo_subsystem_s,sourceProcessInfo_uniqueId_s,sourceProcessInfo_user_s,targetProcessInfo_tgtFileCreatedAt_t [UTC],targetProcessInfo_tgtFileHashSha1_s,targetProcessInfo_tgtFileHashSha256_s,targetProcessInfo_tgtFileId_s,targetProcessInfo_tgtFileIsSigned_s,targetProcessInfo_tgtFileModifiedAt_t [UTC],targetProcessInfo_tgtFilePath_s,targetProcessInfo_tgtProcIntegrityLevel_s,targetProcessInfo_tgtProcessStartTime_t 
[UTC],agentUpdatedVersion_s,agentId_s,hash_s,osFamily_s,threatId_s,creator_s,creatorId_s,inherits_b,isDefault_b,name_s,registrationToken_s,totalAgents_d,type_s,agentDetectionInfo_accountId_s,agentDetectionInfo_accountName_s,agentDetectionInfo_agentDetectionState_s,agentDetectionInfo_agentDomain_s,agentDetectionInfo_agentIpV4_s,agentDetectionInfo_agentIpV6_s,agentDetectionInfo_agentLastLoggedInUserName_s,agentDetectionInfo_agentMitigationMode_s,agentDetectionInfo_agentOsName_s,agentDetectionInfo_agentOsRevision_s,agentDetectionInfo_agentRegisteredAt_t [UTC],agentDetectionInfo_agentUuid_g,agentDetectionInfo_agentVersion_s,agentDetectionInfo_externalIp_s,agentDetectionInfo_groupId_s,agentDetectionInfo_groupName_s,agentDetectionInfo_siteId_s,agentDetectionInfo_siteName_s,agentRealtimeInfo_accountId_s,agentRealtimeInfo_accountName_s,agentRealtimeInfo_activeThreats_d,agentRealtimeInfo_agentComputerName_s,agentRealtimeInfo_agentDomain_s,agentRealtimeInfo_agentId_s,agentRealtimeInfo_agentInfected_b,agentRealtimeInfo_agentIsActive_b,agentRealtimeInfo_agentIsDecommissioned_b,agentRealtimeInfo_agentMachineType_s,agentRealtimeInfo_agentMitigationMode_s,agentRealtimeInfo_agentNetworkStatus_s,agentRealtimeInfo_agentOsName_s,agentRealtimeInfo_agentOsRevision_s,agentRealtimeInfo_agentOsType_s,agentRealtimeInfo_agentUuid_g,agentRealtimeInfo_agentVersion_s,agentRealtimeInfo_groupId_s,agentRealtimeInfo_groupName_s,agentRealtimeInfo_networkInterfaces_s,agentRealtimeInfo_operationalState_s,agentRealtimeInfo_rebootRequired_b,agentRealtimeInfo_scanFinishedAt_t [UTC],agentRealtimeInfo_scanStartedAt_t 
[UTC],agentRealtimeInfo_scanStatus_s,agentRealtimeInfo_siteId_s,agentRealtimeInfo_siteName_s,agentRealtimeInfo_userActionsNeeded_s,indicators_s,mitigationStatus_s,threatInfo_analystVerdict_s,threatInfo_analystVerdictDescription_s,threatInfo_automaticallyResolved_b,threatInfo_certificateId_s,threatInfo_classification_s,threatInfo_classificationSource_s,threatInfo_cloudFilesHashVerdict_s,threatInfo_collectionId_s,threatInfo_confidenceLevel_s,threatInfo_createdAt_t [UTC],threatInfo_detectionEngines_s,threatInfo_detectionType_s,threatInfo_engines_s,threatInfo_externalTicketExists_b,threatInfo_failedActions_b,threatInfo_fileExtension_s,threatInfo_fileExtensionType_s,threatInfo_filePath_s,threatInfo_fileSize_d,threatInfo_fileVerificationType_s,threatInfo_identifiedAt_t [UTC],threatInfo_incidentStatus_s,threatInfo_incidentStatusDescription_s,threatInfo_initiatedBy_s,threatInfo_initiatedByDescription_s,threatInfo_isFileless_b,threatInfo_isValidCertificate_b,threatInfo_mitigatedPreemptively_b,threatInfo_mitigationStatus_s,threatInfo_mitigationStatusDescription_s,threatInfo_originatorProcess_s,threatInfo_pendingActions_b,threatInfo_processUser_s,threatInfo_publisherName_s,threatInfo_reachedEventsLimit_b,threatInfo_rebootRequired_b,threatInfo_sha1_s,threatInfo_storyline_s,threatInfo_threatId_s,threatInfo_threatName_s,threatInfo_updatedAt_t [UTC],whiteningOptions_s,threatInfo_maliciousProcessArguments_s,threatInfo_fileExtension_g,threatInfo_threatName_g,threatInfo_storyline_g,accountId_s,accountName_s,activityType_d,activityUuid_g,createdAt_t [UTC],id_s,primaryDescription_s,secondaryDescription_s,siteId_s,siteName_s,updatedAt_t 
[UTC],userId_s,event_name_s,DataFields_s,description_s,comments_s,activeDirectory_computerMemberOf_s,activeDirectory_lastUserMemberOf_s,activeThreats_d,agentVersion_s,allowRemoteShell_b,appsVulnerabilityStatus_s,computerName_s,consoleMigrationStatus_s,coreCount_d,cpuCount_d,cpuId_s,detectionState_s,domain_s,encryptedApplications_b,externalId_s,externalIp_s,firewallEnabled_b,firstFullModeTime_t [UTC],fullDiskScanLastUpdatedAt_t [UTC],groupId_s,groupIp_s,groupName_s,inRemoteShellSession_b,infected_b,installerType_s,isActive_b,isDecommissioned_b,isPendingUninstall_b,isUninstalled_b,isUpToDate_b,lastActiveDate_t [UTC],lastIpToMgmt_s,lastLoggedInUserName_s,licenseKey_s,locationEnabled_b,locationType_s,locations_s,machineType_s,mitigationMode_s,mitigationModeSuspicious_s,modelName_s,networkInterfaces_s,networkQuarantineEnabled_b,networkStatus_s,operationalState_s,osArch_s,osName_s,osRevision_s,osStartTime_t [UTC],osType_s,rangerStatus_s,rangerVersion_s,registeredAt_t [UTC],remoteProfilingState_s,scanFinishedAt_t [UTC],scanStartedAt_t [UTC],scanStatus_s,serialNumber_s,showAlertIcon_b,tags_sentinelone_s,threatRebootRequired_b,totalMemory_d,userActionsNeeded_s,uuid_g,osUsername_s,scanAbortedAt_t [UTC],activeDirectory_computerDistinguishedName_s,activeDirectory_lastUserDistinguishedName_s,Type,_ResourceId +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,/usr/sbin/sendmail.postfix,sendmail.postfix,44031,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,73fb37d5-cf36-ab66-cc74-edb26cd47d93,727f2aad-3209-c937-7a56-8e04d9b72a60,73fb41c2-2d0e-fbde-7534-9b3fb198f4a0,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 
3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733148765679480423,Undefined,"7/20/2023, 6:57:02 AM",01H5S1B1DE1FQ1GQAM9BXQ29RT_3,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:57:13 AM",STAR,"7/20/2023, 6:57:13 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44027,"7/20/2023, 6:55:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:55:01 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44032,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,73fb37d5-cf36-ab66-cc74-edb26cd47d93,727f2aad-3209-c937-7a56-8e04d9b72a60,73fb41c2-2d0e-fbde-7534-9b3fb198f4a0,727f2aad-3209-c937-7a56-8e04d9b72a60,73fb420c-d665-d3f6-59dd-0a5d1d0e71f2,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733148770502930615,Undefined,"7/20/2023, 6:57:02 AM",01H5S1B1DE1FQ1GQAM9BXQ29RT_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:57:14 AM",STAR,"7/20/2023, 6:57:14 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond 
-n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44027,"7/20/2023, 6:55:01 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44031,"7/20/2023, 6:55:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:55:01 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,/usr/sbin/sendmail.postfix,sendmail.postfix,44042,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,730930f9-359e-ed7b-6a03-319b08f7fe76,727f2aad-3209-c937-7a56-8e04d9b72a60,73093e27-8ead-6ead-9311-613babbbf6ce,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733148924400348839,Undefined,"7/20/2023, 6:57:20 AM",01H5S1CW09T3Y9PJPD6M1BR9W6_3,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:57:32 AM",STAR,"7/20/2023, 6:57:32 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44038,"7/20/2023, 6:56:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:56:02 
AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44043,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,730930f9-359e-ed7b-6a03-319b08f7fe76,727f2aad-3209-c937-7a56-8e04d9b72a60,73093e27-8ead-6ead-9311-613babbbf6ce,727f2aad-3209-c937-7a56-8e04d9b72a60,73093eac-5267-0e8d-984e-89194dce2324,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733148925750914908,Undefined,"7/20/2023, 6:57:20 AM",01H5S1CW09T3Y9PJPD6M1BR9W6_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:57:32 AM",STAR,"7/20/2023, 6:57:32 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44038,"7/20/2023, 6:56:01 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44042,"7/20/2023, 6:56:02 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:56:02 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f 
root,/usr/sbin/sendmail.postfix,sendmail.postfix,44054,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,73175795-3d2f-91c7-bdb1-9a00c3b4e6f9,727f2aad-3209-c937-7a56-8e04d9b72a60,7317600a-da57-51e1-f547-19c0f33270a9,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733149316643306388,Undefined,"7/20/2023, 6:58:08 AM",01H5S1EPKA5T8SG6SJ2PFAKNQF_3,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:58:19 AM",STAR,"7/20/2023, 6:58:19 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44050,"7/20/2023, 6:57:02 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:57:02 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44055,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,73175795-3d2f-91c7-bdb1-9a00c3b4e6f9,727f2aad-3209-c937-7a56-8e04d9b72a60,7317600a-da57-51e1-f547-19c0f33270a9,727f2aad-3209-c937-7a56-8e04d9b72a60,731760e0-a8a1-0e25-fb68-c809b79a0fcd,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 
3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733149346213152017,Undefined,"7/20/2023, 6:58:08 AM",01H5S1EPKA5T8SG6SJ2PFAKNQF_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:58:22 AM",STAR,"7/20/2023, 6:58:22 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44050,"7/20/2023, 6:57:02 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44054,"7/20/2023, 6:57:02 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:57:02 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,/usr/sbin/sendmail.postfix,sendmail.postfix,44065,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,73252052-1f72-a515-eb0b-f5620305688a,727f2aad-3209-c937-7a56-8e04d9b72a60,73252e29-0db9-6ca2-c3de-049bfeac30ff,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733149846878878571,Undefined,"7/20/2023, 6:59:07 AM",01H5S1GH6B620AGDRX5MF9M52M_3,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:59:22 AM",STAR,"7/20/2023, 6:59:22 AM",1733129064452659707,Process 
Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44061,"7/20/2023, 6:58:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:58:01 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44066,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,73252052-1f72-a515-eb0b-f5620305688a,727f2aad-3209-c937-7a56-8e04d9b72a60,73252e29-0db9-6ca2-c3de-049bfeac30ff,727f2aad-3209-c937-7a56-8e04d9b72a60,73252ed6-aff1-c3f8-48c2-765f7b668d7c,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733149885760080787,Undefined,"7/20/2023, 6:59:07 AM",01H5S1GH6B620AGDRX5MF9M52M_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:59:27 AM",STAR,"7/20/2023, 6:59:27 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44061,"7/20/2023, 6:58:01 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44065,"7/20/2023, 6:58:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 
6:58:01 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /bin/sh -c /usr/local/demisto/d1_Test2/upgrade_engine.sh >> /tmp/d1_Test2/demisto_install.log,/usr/bin/bash,bash,44075,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,7333194b-17ac-0f64-4f1c-59ba42bb7da6,727f2aad-3209-c937-7a56-8e04d9b72a60,733322a5-11bb-42e8-c701-7a97051c8a5b,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733150283338197007,Undefined,"7/20/2023, 7:00:06 AM",01H5S1JBSA1YTHPHEXZY2S2G0T_2,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:00:14 AM",STAR,"7/20/2023, 7:00:14 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44073,"7/20/2023, 6:59:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:59:01 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop 
-r,/usr/sbin/postdrop,postdrop,44078,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,7333194b-17ac-0f64-4f1c-59ba42bb7da6,727f2aad-3209-c937-7a56-8e04d9b72a60,733322de-7b5c-6a26-b302-869f3832cbed,727f2aad-3209-c937-7a56-8e04d9b72a60,73332352-8023-8eb1-c3a3-410efe8eeb38,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733150304594931242,Undefined,"7/20/2023, 7:00:06 AM",01H5S1JBSA1YTHPHEXZY2S2G0T_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:00:16 AM",STAR,"7/20/2023, 7:00:16 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44073,"7/20/2023, 6:59:01 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44077,"7/20/2023, 6:59:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:59:01 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44088,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,73411224-c58f-479c-e68d-2bc957ae28d3,727f2aad-3209-c937-7a56-8e04d9b72a60,73414081-5469-2510-07c3-5b74509a4475,727f2aad-3209-c937-7a56-8e04d9b72a60,734140eb-56bf-9270-ae70-d0582e8de351,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 
3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733150821383560341,Undefined,"7/20/2023, 7:01:07 AM",01H5S1M6C8NJZ7KGNVCFBHK3VP_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:01:18 AM",STAR,"7/20/2023, 7:01:18 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44083,"7/20/2023, 7:00:01 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44087,"7/20/2023, 7:00:02 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:00:02 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,/usr/sbin/sendmail.postfix,sendmail.postfix,44087,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,73411224-c58f-479c-e68d-2bc957ae28d3,727f2aad-3209-c937-7a56-8e04d9b72a60,73414081-5469-2510-07c3-5b74509a4475,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733150886101677643,Undefined,"7/20/2023, 7:01:07 AM",01H5S1M6C8NJZ7KGNVCFBHK3VP_3,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:01:26 AM",STAR,"7/20/2023, 7:01:26 AM",1733129064452659707,Process 
Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44083,"7/20/2023, 7:00:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:00:02 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/unix_chkpwd root chkexpiry,/usr/sbin/unix_chkpwd,unix_chkpwd,44098,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,734f38fd-17b6-7142-0580-c5bd4a6fd003,727f2aad-3209-c937-7a56-8e04d9b72a60,734f3932-0c7f-4e05-bfff-063d6b0c92eb,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733151254411937804,Undefined,"7/20/2023, 7:02:07 AM",01H5S1P0Z9027WQRD3PNDF55V0_1,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:02:10 AM",STAR,"7/20/2023, 7:02:10 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44097,"7/20/2023, 7:01:02 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:01:02 
AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44102,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,734f38fd-17b6-7142-0580-c5bd4a6fd003,727f2aad-3209-c937-7a56-8e04d9b72a60,734f42ea-ba31-4ac2-1273-59fe44124624,727f2aad-3209-c937-7a56-8e04d9b72a60,734f4380-8299-a345-7dd9-8723e4b66bec,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733151315011247472,Undefined,"7/20/2023, 7:02:07 AM",01H5S1P0Z9027WQRD3PNDF55V0_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:02:17 AM",STAR,"7/20/2023, 7:02:17 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44097,"7/20/2023, 7:01:02 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44101,"7/20/2023, 7:01:02 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:01:02 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /bin/sh -c /usr/local/demisto/d1_Test2/upgrade_engine.sh >> 
/tmp/d1_Test2/demisto_install.log,/usr/bin/bash,bash,44109,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,735d01e8-402b-affb-12de-4741599ea560,727f2aad-3209-c937-7a56-8e04d9b72a60,735d0a85-074c-1c9d-7ba8-49901518524b,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733151796769051638,Undefined,"7/20/2023, 7:03:07 AM",01H5S1QVJCZMW7ZPZR8JGBQBND_2,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:03:14 AM",STAR,"7/20/2023, 7:03:14 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44107,"7/20/2023, 7:02:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:02:01 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44112,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,735d01e8-402b-affb-12de-4741599ea560,727f2aad-3209-c937-7a56-8e04d9b72a60,735d0a9e-eef8-6094-bc77-c95b9a8c2b34,727f2aad-3209-c937-7a56-8e04d9b72a60,735d0b74-844c-af22-aa4a-433abde9c7a9,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 
3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733151817899957892,Undefined,"7/20/2023, 7:03:07 AM",01H5S1QVJCZMW7ZPZR8JGBQBND_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:03:17 AM",STAR,"7/20/2023, 7:03:17 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44107,"7/20/2023, 7:02:01 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44111,"7/20/2023, 7:02:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:02:01 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44124,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,736afa1a-7181-0a1c-b160-6d7da000a15d,727f2aad-3209-c937-7a56-8e04d9b72a60,736b0393-0386-ba70-5da1-2c09cf3433f6,727f2aad-3209-c937-7a56-8e04d9b72a60,736b0422-db47-f377-3d29-85f017d9f67f,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733152335980434987,Undefined,"7/20/2023, 7:04:07 AM",01H5S1SP59R24VZ5C4YRRQVRH7_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:04:19 AM",STAR,"7/20/2023, 7:04:19 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process 
Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44119,"7/20/2023, 7:03:01 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44123,"7/20/2023, 7:03:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:03:01 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/unix_chkpwd root chkexpiry,/usr/sbin/unix_chkpwd,unix_chkpwd,44120,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,736afa1a-7181-0a1c-b160-6d7da000a15d,727f2aad-3209-c937-7a56-8e04d9b72a60,736afa63-ed30-cc33-824b-b8dadff8a989,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733152339512039369,Undefined,"7/20/2023, 7:04:07 AM",01H5S1SP59R24VZ5C4YRRQVRH7_1,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:04:19 AM",STAR,"7/20/2023, 7:04:19 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44119,"7/20/2023, 7:03:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:03:01 
AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /bin/sh -c /usr/local/demisto/d1_Test2/upgrade_engine.sh >> /tmp/d1_Test2/demisto_install.log,/usr/bin/bash,bash,44132,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,7378f36b-3f84-3586-8482-9d904ea960df,727f2aad-3209-c937-7a56-8e04d9b72a60,73792846-4f61-1bc2-4505-aa7291b30f42,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733152872348083087,Undefined,"7/20/2023, 7:05:07 AM",01H5S1VGR81T56G4ZCKR5V7N29_2,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:05:23 AM",STAR,"7/20/2023, 7:05:23 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44130,"7/20/2023, 7:04:02 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:04:02 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop 
-r,/usr/sbin/postdrop,postdrop,44135,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,7378f36b-3f84-3586-8482-9d904ea960df,727f2aad-3209-c937-7a56-8e04d9b72a60,73792885-f06d-ebe3-9fd2-16c6bbeeb4f6,727f2aad-3209-c937-7a56-8e04d9b72a60,73792a93-b3f1-a4a6-2706-a764c17d214e,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733152884981327901,Undefined,"7/20/2023, 7:05:07 AM",01H5S1VGR81T56G4ZCKR5V7N29_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:05:24 AM",STAR,"7/20/2023, 7:05:24 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44130,"7/20/2023, 7:04:02 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44134,"7/20/2023, 7:04:02 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:04:02 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, \ No newline at end of file diff --git a/Sample Data/ASIM/SentinelOne_ASimProcessEvent_RawLogs.json b/Sample Data/ASIM/SentinelOne_ASimProcessEvent_RawLogs.json new file mode 100644 index 00000000000..b6d927c4ca4 --- /dev/null +++ b/Sample Data/ASIM/SentinelOne_ASimProcessEvent_RawLogs.json 
@@ -0,0 +1,6042 @@ +[ + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:10:09 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "0f81ec00-9e52-48e6-b899-eb3bbeede741", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "FB4511F580778F51", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "78d7744d-2837-40d2-aff4-bede5877836e", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/sendmail.postfix", + "targetProcessInfo_tgtProcName": "sendmail.postfix", + "targetProcessInfo_tgtProcPid": 44031, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "73fb41c2-2d0e-fbde-7534-9b3fb198f4a0", + "sourceParentProcessInfo_storyline": "73ffdf8e-0a44-5079-fd74-243fc15cbe7c", + "sourceParentProcessInfo_uniqueId": "73ffdf8e-0a44-5079-fd74-243fc15cbe7d", + "sourceProcessInfo_storyline": "73ffdf8e-0a33-5079-fd74-243fc15cbe7c", + "sourceProcessInfo_uniqueId": "73ffdf8e-0a22-5079-fd74-243fc15cbe7c", + 
"agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733148765679480300, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 6:57:02 AM", + "alertInfo_dvEventId": "01H5S1B1DE1FQ1GQAM9BXQ29RT_3", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 6:57:13 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 6:57:13 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + 
"sourceParentProcessInfo_pid": 889, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/18/2023, 8:56:05 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/crond", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "crond", + "sourceProcessInfo_pid": 44027, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:55:01 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 6:55:01 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + 
"agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + 
"threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", 
+ "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:10:09 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "AC644457DCBAD901", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + 
"alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/postdrop -r", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/postdrop", + "targetProcessInfo_tgtProcName": "postdrop", + "targetProcessInfo_tgtProcPid": 44032, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "433C0EF580778F52", + "targetProcessInfo_tgtProcUid": "433C0EF580778F53", + "sourceParentProcessInfo_storyline": "433C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "423C0EF580778F51", + "sourceProcessInfo_storyline": "553D0EF580778F51", + "sourceProcessInfo_uniqueId": "543D0EF580778F51", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733148770502930700, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 6:57:02 AM", + "alertInfo_dvEventId": "01H5S1B1DE1FQ1GQAM9BXQ29RT_4", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 6:57:14 
AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 6:57:14 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 44027, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:55:01 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "090f9f343c64158f5590276eade3bc120ca19b1a", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/sendmail.postfix", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "sendmail.postfix", + "sourceProcessInfo_pid": 44031, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:55:01 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": 
"", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 6:55:01 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + 
"agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + 
"activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": 
"SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:10:09 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/sendmail.postfix", + "targetProcessInfo_tgtProcName": "sendmail.postfix", + "targetProcessInfo_tgtProcPid": 44042, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "73093e27-8ead-6ead-9311-613babbbf6ce", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 
(Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733148924400349000, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 6:57:20 AM", + "alertInfo_dvEventId": "01H5S1CW09T3Y9PJPD6M1BR9W6_3", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 6:57:32 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 6:57:32 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 889, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/18/2023, 8:56:05 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": 
"/usr/sbin/crond -n", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/crond", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "crond", + "sourceProcessInfo_pid": 44038, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:56:01 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 6:56:02 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + 
"agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + 
"threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + 
"locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:10:09 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + 
"targetProcessInfo_tgtProcCmdLine": "/usr/sbin/postdrop -r", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/postdrop", + "targetProcessInfo_tgtProcName": "postdrop", + "targetProcessInfo_tgtProcPid": 44043, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "73093eac-5267-0e8d-984e-89194dce2324", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733148925750914800, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 6:57:20 AM", + "alertInfo_dvEventId": "01H5S1CW09T3Y9PJPD6M1BR9W6_4", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 6:57:32 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 6:57:32 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process 
Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 44038, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:56:01 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "090f9f343c64158f5590276eade3bc120ca19b1a", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/sendmail.postfix", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "sendmail.postfix", + "sourceProcessInfo_pid": 44042, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:56:02 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 6:56:02 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + 
"inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + 
"agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + 
"activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:10:09 AM", + "Computer": "", + "RawData": "", + 
"alertInfo_indicatorDescription": "",
+ "alertInfo_indicatorName": "",
+ "targetProcessInfo_tgtFileOldPath": "",
+ "alertInfo_indicatorCategory": "",
+ "alertInfo_registryOldValue": "",
+ "alertInfo_dstIp": "",
+ "alertInfo_dstPort": "",
+ "alertInfo_netEventDirection": "",
+ "alertInfo_srcIp": "",
+ "alertInfo_srcPort": "",
+ "containerInfo_id": "",
+ "targetProcessInfo_tgtFileId": "",
+ "alertInfo_registryOldValueType": "",
+ "alertInfo_dnsRequest": "",
+ "alertInfo_dnsResponse": "",
+ "alertInfo_registryKeyPath": "",
+ "alertInfo_registryPath": "",
+ "alertInfo_registryValue": "",
+ "ruleInfo_description": "",
+ "alertInfo_loginAccountDomain": "",
+ "alertInfo_loginAccountSid": "",
+ "alertInfo_loginIsAdministratorEquivalent": "",
+ "alertInfo_loginIsSuccessful": "",
+ "alertInfo_loginType": "",
+ "alertInfo_loginsUserName": "",
+ "alertInfo_srcMachineIp": "",
+ "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root",
+ "targetProcessInfo_tgtProcImagePath": "/usr/sbin/sendmail.postfix",
+ "targetProcessInfo_tgtProcName": "sendmail.postfix",
+ "targetProcessInfo_tgtProcPid": 44054,
+ "targetProcessInfo_tgtProcSignedStatus": "unsigned",
+ "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60",
+ "targetProcessInfo_tgtProcUid": "7317600a-da57-51e1-f547-19c0f33270a9",
+ "sourceParentProcessInfo_storyline": "",
+ "sourceParentProcessInfo_uniqueId": "",
+ "sourceProcessInfo_storyline": "",
+ "sourceProcessInfo_uniqueId": "",
+ "agentDetectionInfo_machineType": "server",
+ "agentDetectionInfo_name": "cent7",
+ "agentDetectionInfo_osFamily": "linux",
+ "agentDetectionInfo_osName": "Linux",
+ "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64",
+ "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87",
+ "agentDetectionInfo_version": "23.1.2.9",
+ "agentRealtimeInfo_id": 1713059693172741400,
+ "agentRealtimeInfo_infected": "FALSE",
+ "agentRealtimeInfo_isActive": "TRUE",
+ "agentRealtimeInfo_isDecommissioned": "FALSE",
+ "agentRealtimeInfo_machineType": "server",
+ "agentRealtimeInfo_name": "cent7",
+ "agentRealtimeInfo_os": "linux",
+ "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87",
+ "alertInfo_alertId": 1733149316643306500,
+ "alertInfo_analystVerdict": "Undefined",
+ "alertInfo_createdAt [UTC]": "7/20/2023, 6:58:08 AM",
+ "alertInfo_dvEventId": "01H5S1EPKA5T8SG6SJ2PFAKNQF_3",
+ "alertInfo_eventType": "PROCESSCREATION",
+ "alertInfo_hitType": "Events",
+ "alertInfo_incidentStatus": "Unresolved",
+ "alertInfo_isEdr": "TRUE",
+ "alertInfo_reportedAt [UTC]": "7/20/2023, 6:58:19 AM",
+ "alertInfo_source": "STAR",
+ "alertInfo_updatedAt [UTC]": "7/20/2023, 6:58:19 AM",
+ "ruleInfo_id": 1733129064452659700,
+ "ruleInfo_name": "Process Creation Test",
+ "ruleInfo_queryLang": 1,
+ "ruleInfo_queryType": "events",
+ "ruleInfo_s1ql": "EventType = \"Process Creation",
+ "ruleInfo_scopeLevel": "site",
+ "ruleInfo_severity": "Low",
+ "ruleInfo_treatAsThreat": "UNDEFINED",
+ "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n",
+ "sourceParentProcessInfo_fileHashMd5": "",
+ "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9",
+ "sourceParentProcessInfo_fileHashSha256": "",
+ "sourceParentProcessInfo_filePath": "/usr/sbin/crond",
+ "sourceParentProcessInfo_fileSignerIdentity": "",
+ "sourceParentProcessInfo_integrityLevel": "unknown",
+ "sourceParentProcessInfo_name": "crond",
+ "sourceParentProcessInfo_pid": 889,
+ "sourceParentProcessInfo_pidStarttime [UTC]": "7/18/2023, 8:56:05 AM",
+ "sourceParentProcessInfo_subsystem": "unknown",
+ "sourceParentProcessInfo_user": "",
+ "sourceProcessInfo_commandline": "/usr/sbin/crond -n",
+ "sourceProcessInfo_fileHashMd5": "",
+ "sourceProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9",
+ "sourceProcessInfo_fileHashSha256": "",
+ "sourceProcessInfo_filePath": "/usr/sbin/crond",
+ "sourceProcessInfo_fileSignerIdentity": "",
+ "sourceProcessInfo_integrityLevel": "unknown",
+ "sourceProcessInfo_name": "crond",
+ "sourceProcessInfo_pid": 44050,
+ "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:57:02 AM",
+ "sourceProcessInfo_subsystem": "unknown",
+ "sourceProcessInfo_user": "",
+ "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM",
+ "targetProcessInfo_tgtFileHashSha1": "",
+ "targetProcessInfo_tgtFileHashSha256": "",
+ "targetProcessInfo_tgtFileIsSigned": "unsigned",
+ "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM",
+ "targetProcessInfo_tgtFilePath": "",
+ "targetProcessInfo_tgtProcIntegrityLevel": "unknown",
+ "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 6:57:02 AM",
+ "agentUpdatedVersion": "",
+ "agentId": "",
+ "hash": "",
+ "osFamily": "",
+ "threatId": "",
+ "creator": "",
+ "creatorId": "",
+ "inherits": "",
+ "isDefault": "",
+ "name": "",
+ "registrationToken": "",
+ "totalAgents": "",
+ "type": "",
+ "agentDetectionInfo_accountId": 1712500237934148900,
+ "agentDetectionInfo_accountName": "",
+ "agentDetectionInfo_agentDetectionState": "",
+ "agentDetectionInfo_agentDomain": "",
+ "agentDetectionInfo_agentIpV4": "",
+ "agentDetectionInfo_agentIpV6": "",
+ "agentDetectionInfo_agentLastLoggedInUserName": "",
+ "agentDetectionInfo_agentMitigationMode": "",
+ "agentDetectionInfo_agentOsName": "",
+ "agentDetectionInfo_agentOsRevision": "",
+ "agentDetectionInfo_agentRegisteredAt [UTC]": "",
+ "agentDetectionInfo_agentUuid": "",
+ "agentDetectionInfo_agentVersion": "",
+ "agentDetectionInfo_externalIp": "",
+ "agentDetectionInfo_groupId": "",
+ "agentDetectionInfo_groupName": "",
+ "agentDetectionInfo_siteId": 1712500242422055200,
+ "agentDetectionInfo_siteName": "",
+ "agentRealtimeInfo_accountId": "",
+ "agentRealtimeInfo_accountName": "",
+ "agentRealtimeInfo_activeThreats": "",
+ "agentRealtimeInfo_agentComputerName": "",
+ "agentRealtimeInfo_agentDomain": "",
+ "agentRealtimeInfo_agentId": "",
+ "agentRealtimeInfo_agentInfected": "",
+ "agentRealtimeInfo_agentIsActive": "",
+ "agentRealtimeInfo_agentIsDecommissioned": "",
+ "agentRealtimeInfo_agentMachineType": "",
+ "agentRealtimeInfo_agentMitigationMode": "",
+ "agentRealtimeInfo_agentNetworkStatus": "",
+ "agentRealtimeInfo_agentOsName": "",
+ "agentRealtimeInfo_agentOsRevision": "",
+ "agentRealtimeInfo_agentOsType": "",
+ "agentRealtimeInfo_agentUuid": "",
+ "agentRealtimeInfo_agentVersion": "",
+ "agentRealtimeInfo_groupId": "",
+ "agentRealtimeInfo_groupName": "",
+ "agentRealtimeInfo_networkInterfaces": "",
+ "agentRealtimeInfo_operationalState": "",
+ "agentRealtimeInfo_rebootRequired": "",
+ "agentRealtimeInfo_scanFinishedAt [UTC]": "",
+ "agentRealtimeInfo_scanStartedAt [UTC]": "",
+ "agentRealtimeInfo_scanStatus": "",
+ "agentRealtimeInfo_siteId": "",
+ "agentRealtimeInfo_siteName": "",
+ "agentRealtimeInfo_userActionsNeeded": "",
+ "indicators": "",
+ "mitigationStatus": "",
+ "threatInfo_analystVerdict": "",
+ "threatInfo_analystVerdictDescription": "",
+ "threatInfo_automaticallyResolved": "",
+ "threatInfo_certificateId": "",
+ "threatInfo_classification": "",
+ "threatInfo_classificationSource": "",
+ "threatInfo_cloudFilesHashVerdict": "",
+ "threatInfo_collectionId": "",
+ "threatInfo_confidenceLevel": "",
+ "threatInfo_createdAt [UTC]": "",
+ "threatInfo_detectionEngines": "",
+ "threatInfo_detectionType": "",
+ "threatInfo_engines": "",
+ "threatInfo_externalTicketExists": "",
+ "threatInfo_failedActions": "",
+ "threatInfo_fileExtension": "",
+ "threatInfo_fileExtensionType": "",
+ "threatInfo_filePath": "",
+ "threatInfo_fileSize": "",
+ "threatInfo_fileVerificationType": "",
+ "threatInfo_identifiedAt [UTC]": "",
+ "threatInfo_incidentStatus": "",
+ "threatInfo_incidentStatusDescription": "",
+ "threatInfo_initiatedBy": "",
+ "threatInfo_initiatedByDescription": "",
+ "threatInfo_isFileless": "",
+ "threatInfo_isValidCertificate": "",
+ "threatInfo_mitigatedPreemptively": "",
+ "threatInfo_mitigationStatus": "",
+ "threatInfo_mitigationStatusDescription": "",
+ "threatInfo_originatorProcess": "",
+ "threatInfo_pendingActions": "",
+ "threatInfo_processUser": "",
+ "threatInfo_publisherName": "",
+ "threatInfo_reachedEventsLimit": "",
+ "threatInfo_rebootRequired": "",
+ "threatInfo_sha1": "",
+ "threatInfo_storyline": "",
+ "threatInfo_threatId": "",
+ "threatInfo_threatName": "",
+ "threatInfo_updatedAt [UTC]": "",
+ "whiteningOptions": "",
+ "threatInfo_maliciousProcessArguments": "",
+ "accountId": "",
+ "accountName": "",
+ "activityType": "",
+ "activityUuid": "",
+ "createdAt [UTC]": "",
+ "id": "",
+ "primaryDescription": "",
+ "secondaryDescription": "",
+ "siteId": "",
+ "siteName": "",
+ "updatedAt [UTC]": "",
+ "userId": "",
+ "event_name": "Alerts.",
+ "DataFields": "",
+ "description": "",
+ "comments": "",
+ "activeDirectory_computerMemberOf": "",
+ "activeDirectory_lastUserMemberOf": "",
+ "activeThreats": "",
+ "agentVersion": "",
+ "allowRemoteShell": "",
+ "appsVulnerabilityStatus": "",
+ "computerName": "",
+ "consoleMigrationStatus": "",
+ "coreCount": "",
+ "cpuCount": "",
+ "cpuId": "",
+ "detectionState": "",
+ "domain": "",
+ "encryptedApplications": "",
+ "externalId": "",
+ "externalIp": "",
+ "firewallEnabled": "",
+ "firstFullModeTime [UTC]": "",
+ "fullDiskScanLastUpdatedAt [UTC]": "",
+ "groupId": "",
+ "groupIp": "",
+ "groupName": "",
+ "inRemoteShellSession": "",
+ "infected": "",
+ "installerType": "",
+ "isActive": "",
+ "isDecommissioned": "",
+ "isPendingUninstall": "",
+ "isUninstalled": "",
+ "isUpToDate": "",
+ "lastActiveDate [UTC]": "",
+ "lastIpToMgmt": "",
+ "lastLoggedInUserName": "",
+ "licenseKey": "",
+ "locationEnabled": "",
+ "locationType": "",
+ "locations": "",
+ "machineType": "",
+ "mitigationMode": "",
+ "mitigationModeSuspicious": "",
+ "modelName": "",
+ "networkInterfaces": "",
+ "networkQuarantineEnabled": "",
+ "networkStatus": "",
+ "operationalState": "",
+ "osArch": "",
+ "osName": "",
+ "osRevision": "",
+ "osStartTime [UTC]": "",
+ "osType": "",
+ "rangerStatus": "",
+ "rangerVersion": "",
+ "registeredAt [UTC]": "",
+ "remoteProfilingState": "",
+ "scanFinishedAt [UTC]": "",
+ "scanStartedAt [UTC]": "",
+ "scanStatus": "",
+ "serialNumber": "",
+ "showAlertIcon": "",
+ "tags_sentinelone": "",
+ "threatRebootRequired": "",
+ "totalMemory": "",
+ "userActionsNeeded": "",
+ "uuid": "",
+ "osUsername": "",
+ "scanAbortedAt [UTC]": "",
+ "activeDirectory_computerDistinguishedName": "",
+ "activeDirectory_lastUserDistinguishedName": "",
+ "Type": "SentinelOne_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "1a0e2567-2e58-4989-ad18-206108185325",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "7/20/2023, 7:10:09 AM",
+ "Computer": "",
+ "RawData": "",
+ "alertInfo_indicatorDescription": "",
+ "alertInfo_indicatorName": "",
+ "targetProcessInfo_tgtFileOldPath": "",
+ "alertInfo_indicatorCategory": "",
+ "alertInfo_registryOldValue": "",
+ "alertInfo_dstIp": "",
+ "alertInfo_dstPort": "",
+ "alertInfo_netEventDirection": "",
+ "alertInfo_srcIp": "",
+ "alertInfo_srcPort": "",
+ "containerInfo_id": "",
+ "targetProcessInfo_tgtFileId": "",
+ "alertInfo_registryOldValueType": "",
+ "alertInfo_dnsRequest": "",
+ "alertInfo_dnsResponse": "",
+ "alertInfo_registryKeyPath": "",
+ "alertInfo_registryPath": "",
+ "alertInfo_registryValue": "",
+ "ruleInfo_description": "",
+ "alertInfo_loginAccountDomain": "",
+ "alertInfo_loginAccountSid": "",
+ "alertInfo_loginIsAdministratorEquivalent": "",
+ "alertInfo_loginIsSuccessful": "",
+ "alertInfo_loginType": "",
+ "alertInfo_loginsUserName": "",
+ "alertInfo_srcMachineIp": "",
+ "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/postdrop -r",
+ "targetProcessInfo_tgtProcImagePath": "/usr/sbin/postdrop",
+ "targetProcessInfo_tgtProcName": "postdrop",
+ "targetProcessInfo_tgtProcPid": 44055,
+ "targetProcessInfo_tgtProcSignedStatus": "unsigned",
+ "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60",
+ "targetProcessInfo_tgtProcUid": "731760e0-a8a1-0e25-fb68-c809b79a0fcd",
+ "sourceParentProcessInfo_storyline": "",
+ "sourceParentProcessInfo_uniqueId": "",
+ "sourceProcessInfo_storyline": "",
+ "sourceProcessInfo_uniqueId": "",
+ "agentDetectionInfo_machineType": "server",
+ "agentDetectionInfo_name": "cent7",
+ "agentDetectionInfo_osFamily": "linux",
+ "agentDetectionInfo_osName": "Linux",
+ "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64",
+ "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87",
+ "agentDetectionInfo_version": "23.1.2.9",
+ "agentRealtimeInfo_id": 1713059693172741400,
+ "agentRealtimeInfo_infected": "FALSE",
+ "agentRealtimeInfo_isActive": "TRUE",
+ "agentRealtimeInfo_isDecommissioned": "FALSE",
+ "agentRealtimeInfo_machineType": "server",
+ "agentRealtimeInfo_name": "cent7",
+ "agentRealtimeInfo_os": "linux",
+ "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87",
+ "alertInfo_alertId": 1733149346213152000,
+ "alertInfo_analystVerdict": "Undefined",
+ "alertInfo_createdAt [UTC]": "7/20/2023, 6:58:08 AM",
+ "alertInfo_dvEventId": "01H5S1EPKA5T8SG6SJ2PFAKNQF_4",
+ "alertInfo_eventType": "PROCESSCREATION",
+ "alertInfo_hitType": "Events",
+ "alertInfo_incidentStatus": "Unresolved",
+ "alertInfo_isEdr": "TRUE",
+ "alertInfo_reportedAt [UTC]": "7/20/2023, 6:58:22 AM",
+ "alertInfo_source": "STAR",
+ "alertInfo_updatedAt [UTC]": "7/20/2023, 6:58:22 AM",
+ "ruleInfo_id": 1733129064452659700,
+ "ruleInfo_name": "Process Creation Test",
+ "ruleInfo_queryLang": 1,
+ "ruleInfo_queryType": "events",
+ "ruleInfo_s1ql": "EventType = \"Process Creation",
+ "ruleInfo_scopeLevel": "site",
+ "ruleInfo_severity": "Low",
+ "ruleInfo_treatAsThreat": "UNDEFINED",
+ "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n",
+ "sourceParentProcessInfo_fileHashMd5": "",
+ "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9",
+ "sourceParentProcessInfo_fileHashSha256": "",
+ "sourceParentProcessInfo_filePath": "/usr/sbin/crond",
+ "sourceParentProcessInfo_fileSignerIdentity": "",
+ "sourceParentProcessInfo_integrityLevel": "unknown",
+ "sourceParentProcessInfo_name": "crond",
+ "sourceParentProcessInfo_pid": 44050,
+ "sourceParentProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:57:02 AM",
+ "sourceParentProcessInfo_subsystem": "unknown",
+ "sourceParentProcessInfo_user": "",
+ "sourceProcessInfo_commandline": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root",
+ "sourceProcessInfo_fileHashMd5": "",
+ "sourceProcessInfo_fileHashSha1": "090f9f343c64158f5590276eade3bc120ca19b1a",
+ "sourceProcessInfo_fileHashSha256": "",
+ "sourceProcessInfo_filePath": "/usr/sbin/sendmail.postfix",
+ "sourceProcessInfo_fileSignerIdentity": "",
+ "sourceProcessInfo_integrityLevel": "unknown",
+ "sourceProcessInfo_name": "sendmail.postfix",
+ "sourceProcessInfo_pid": 44054,
+ "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:57:02 AM",
+ "sourceProcessInfo_subsystem": "unknown",
+ "sourceProcessInfo_user": "",
+ "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM",
+ "targetProcessInfo_tgtFileHashSha1": "",
+ "targetProcessInfo_tgtFileHashSha256": "",
+ "targetProcessInfo_tgtFileIsSigned": "unsigned",
+ "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM",
+ "targetProcessInfo_tgtFilePath": "",
+ "targetProcessInfo_tgtProcIntegrityLevel": "unknown",
+ "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 6:57:02 AM",
+ "agentUpdatedVersion": "",
+ "agentId": "",
+ "hash": "",
+ "osFamily": "",
+ "threatId": "",
+ "creator": "",
+ "creatorId": "",
+ "inherits": "",
+ "isDefault": "",
+ "name": "",
+ "registrationToken": "",
+ "totalAgents": "",
+ "type": "",
+ "agentDetectionInfo_accountId": 1712500237934148900,
+ "agentDetectionInfo_accountName": "",
+ "agentDetectionInfo_agentDetectionState": "",
+ "agentDetectionInfo_agentDomain": "",
+ "agentDetectionInfo_agentIpV4": "",
+ "agentDetectionInfo_agentIpV6": "",
+ "agentDetectionInfo_agentLastLoggedInUserName": "",
+ "agentDetectionInfo_agentMitigationMode": "",
+ "agentDetectionInfo_agentOsName": "",
+ "agentDetectionInfo_agentOsRevision": "",
+ "agentDetectionInfo_agentRegisteredAt [UTC]": "",
+ "agentDetectionInfo_agentUuid": "",
+ "agentDetectionInfo_agentVersion": "",
+ "agentDetectionInfo_externalIp": "",
+ "agentDetectionInfo_groupId": "",
+ "agentDetectionInfo_groupName": "",
+ "agentDetectionInfo_siteId": 1712500242422055200,
+ "agentDetectionInfo_siteName": "",
+ "agentRealtimeInfo_accountId": "",
+ "agentRealtimeInfo_accountName": "",
+ "agentRealtimeInfo_activeThreats": "",
+ "agentRealtimeInfo_agentComputerName": "",
+ "agentRealtimeInfo_agentDomain": "",
+ "agentRealtimeInfo_agentId": "",
+ "agentRealtimeInfo_agentInfected": "",
+ "agentRealtimeInfo_agentIsActive": "",
+ "agentRealtimeInfo_agentIsDecommissioned": "",
+ "agentRealtimeInfo_agentMachineType": "",
+ "agentRealtimeInfo_agentMitigationMode": "",
+ "agentRealtimeInfo_agentNetworkStatus": "",
+ "agentRealtimeInfo_agentOsName": "",
+ "agentRealtimeInfo_agentOsRevision": "",
+ "agentRealtimeInfo_agentOsType": "",
+ "agentRealtimeInfo_agentUuid": "",
+ "agentRealtimeInfo_agentVersion": "",
+ "agentRealtimeInfo_groupId": "",
+ "agentRealtimeInfo_groupName": "",
+ "agentRealtimeInfo_networkInterfaces": "",
+ "agentRealtimeInfo_operationalState": "",
+ "agentRealtimeInfo_rebootRequired": "",
+ "agentRealtimeInfo_scanFinishedAt [UTC]": "",
+ "agentRealtimeInfo_scanStartedAt [UTC]": "",
+ "agentRealtimeInfo_scanStatus": "",
+ "agentRealtimeInfo_siteId": "",
+ "agentRealtimeInfo_siteName": "",
+ "agentRealtimeInfo_userActionsNeeded": "",
+ "indicators": "",
+ "mitigationStatus": "",
+ "threatInfo_analystVerdict": "",
+ "threatInfo_analystVerdictDescription": "",
+ "threatInfo_automaticallyResolved": "",
+ "threatInfo_certificateId": "",
+ "threatInfo_classification": "",
+ "threatInfo_classificationSource": "",
+ "threatInfo_cloudFilesHashVerdict": "",
+ "threatInfo_collectionId": "",
+ "threatInfo_confidenceLevel": "",
+ "threatInfo_createdAt [UTC]": "",
+ "threatInfo_detectionEngines": "",
+ "threatInfo_detectionType": "",
+ "threatInfo_engines": "",
+ "threatInfo_externalTicketExists": "",
+ "threatInfo_failedActions": "",
+ "threatInfo_fileExtension": "",
+ "threatInfo_fileExtensionType": "",
+ "threatInfo_filePath": "",
+ "threatInfo_fileSize": "",
+ "threatInfo_fileVerificationType": "",
+ "threatInfo_identifiedAt [UTC]": "",
+ "threatInfo_incidentStatus": "",
+ "threatInfo_incidentStatusDescription": "",
+ "threatInfo_initiatedBy": "",
+ "threatInfo_initiatedByDescription": "",
+ "threatInfo_isFileless": "",
+ "threatInfo_isValidCertificate": "",
+ "threatInfo_mitigatedPreemptively": "",
+ "threatInfo_mitigationStatus": "",
+ "threatInfo_mitigationStatusDescription": "",
+ "threatInfo_originatorProcess": "",
+ "threatInfo_pendingActions": "",
+ "threatInfo_processUser": "",
+ "threatInfo_publisherName": "",
+ "threatInfo_reachedEventsLimit": "",
+ "threatInfo_rebootRequired": "",
+ "threatInfo_sha1": "",
+ "threatInfo_storyline": "",
+ "threatInfo_threatId": "",
+ "threatInfo_threatName": "",
+ "threatInfo_updatedAt [UTC]": "",
+ "whiteningOptions": "",
+ "threatInfo_maliciousProcessArguments": "",
+ "accountId": "",
+ "accountName": "",
+ "activityType": "",
+ "activityUuid": "",
+ "createdAt [UTC]": "",
+ "id": "",
+ "primaryDescription": "",
+ "secondaryDescription": "",
+ "siteId": "",
+ "siteName": "",
+ "updatedAt [UTC]": "",
+ "userId": "",
+ "event_name": "Alerts.",
+ "DataFields": "",
+ "description": "",
+ "comments": "",
+ "activeDirectory_computerMemberOf": "",
+ "activeDirectory_lastUserMemberOf": "",
+ "activeThreats": "",
+ "agentVersion": "",
+ "allowRemoteShell": "",
+ "appsVulnerabilityStatus": "",
+ "computerName": "",
+ "consoleMigrationStatus": "",
+ "coreCount": "",
+ "cpuCount": "",
+ "cpuId": "",
+ "detectionState": "",
+ "domain": "",
+ "encryptedApplications": "",
+ "externalId": "",
+ "externalIp": "",
+ "firewallEnabled": "",
+ "firstFullModeTime [UTC]": "",
+ "fullDiskScanLastUpdatedAt [UTC]": "",
+ "groupId": "",
+ "groupIp": "",
+ "groupName": "",
+ "inRemoteShellSession": "",
+ "infected": "",
+ "installerType": "",
+ "isActive": "",
+ "isDecommissioned": "",
+ "isPendingUninstall": "",
+ "isUninstalled": "",
+ "isUpToDate": "",
+ "lastActiveDate [UTC]": "",
+ "lastIpToMgmt": "",
+ "lastLoggedInUserName": "",
+ "licenseKey": "",
+ "locationEnabled": "",
+ "locationType": "",
+ "locations": "",
+ "machineType": "",
+ "mitigationMode": "",
+ "mitigationModeSuspicious": "",
+ "modelName": "",
+ "networkInterfaces": "",
+ "networkQuarantineEnabled": "",
+ "networkStatus": "",
+ "operationalState": "",
+ "osArch": "",
+ "osName": "",
+ "osRevision": "",
+ "osStartTime [UTC]": "",
+ "osType": "",
+ "rangerStatus": "",
+ "rangerVersion": "",
+ "registeredAt [UTC]": "",
+ "remoteProfilingState": "",
+ "scanFinishedAt [UTC]": "",
+ "scanStartedAt [UTC]": "",
+ "scanStatus": "",
+ "serialNumber": "",
+ "showAlertIcon": "",
+ "tags_sentinelone": "",
+ "threatRebootRequired": "",
+ "totalMemory": "",
+ "userActionsNeeded": "",
+ "uuid": "",
+ "osUsername": "",
+ "scanAbortedAt [UTC]": "",
+ "activeDirectory_computerDistinguishedName": "",
+ "activeDirectory_lastUserDistinguishedName": "",
+ "Type": "SentinelOne_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "1a0e2567-2e58-4989-ad18-206108185325",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "7/20/2023, 7:10:09 AM",
+ "Computer": "",
+ "RawData": "",
+ "alertInfo_indicatorDescription": "",
+ "alertInfo_indicatorName": "",
+ "targetProcessInfo_tgtFileOldPath": "",
+ "alertInfo_indicatorCategory": "",
+ "alertInfo_registryOldValue": "",
+ "alertInfo_dstIp": "",
+ "alertInfo_dstPort": "",
+ "alertInfo_netEventDirection": "",
+ "alertInfo_srcIp": "",
+ "alertInfo_srcPort": "",
+ "containerInfo_id": "",
+ "targetProcessInfo_tgtFileId": "",
+ "alertInfo_registryOldValueType": "",
+ "alertInfo_dnsRequest": "",
+ "alertInfo_dnsResponse": "",
+ "alertInfo_registryKeyPath": "",
+ "alertInfo_registryPath": "",
+ "alertInfo_registryValue": "",
+ "ruleInfo_description": "",
+ "alertInfo_loginAccountDomain": "",
+ "alertInfo_loginAccountSid": "",
+ "alertInfo_loginIsAdministratorEquivalent": "",
+ "alertInfo_loginIsSuccessful": "",
+ "alertInfo_loginType": "",
+ "alertInfo_loginsUserName": "",
+ "alertInfo_srcMachineIp": "",
+ "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root",
+ "targetProcessInfo_tgtProcImagePath": "/usr/sbin/sendmail.postfix",
+ "targetProcessInfo_tgtProcName": "sendmail.postfix",
+ "targetProcessInfo_tgtProcPid": 44065,
+ "targetProcessInfo_tgtProcSignedStatus": "unsigned",
+ "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60",
+ "targetProcessInfo_tgtProcUid": "73252e29-0db9-6ca2-c3de-049bfeac30ff",
+ "sourceParentProcessInfo_storyline": "",
+ "sourceParentProcessInfo_uniqueId": "",
+ "sourceProcessInfo_storyline": "",
+ "sourceProcessInfo_uniqueId": "",
+ "agentDetectionInfo_machineType": "server",
+ "agentDetectionInfo_name": "cent7",
+ "agentDetectionInfo_osFamily": "linux",
+ "agentDetectionInfo_osName": "Linux",
+ "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64",
+ "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87",
+ "agentDetectionInfo_version": "23.1.2.9",
+ "agentRealtimeInfo_id": 1713059693172741400,
+ "agentRealtimeInfo_infected": "FALSE",
+ "agentRealtimeInfo_isActive": "TRUE",
+ "agentRealtimeInfo_isDecommissioned": "FALSE",
+ "agentRealtimeInfo_machineType": "server",
+ "agentRealtimeInfo_name": "cent7",
+ "agentRealtimeInfo_os": "linux",
+ "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87",
+ "alertInfo_alertId": 1733149846878878500,
+ "alertInfo_analystVerdict": "Undefined",
+ "alertInfo_createdAt [UTC]": "7/20/2023, 6:59:07 AM",
+ "alertInfo_dvEventId": "01H5S1GH6B620AGDRX5MF9M52M_3",
+ "alertInfo_eventType": "PROCESSCREATION",
+ "alertInfo_hitType": "Events",
+ "alertInfo_incidentStatus": "Unresolved",
+ "alertInfo_isEdr": "TRUE",
+ "alertInfo_reportedAt [UTC]": "7/20/2023, 6:59:22 AM",
+ "alertInfo_source": "STAR",
+ "alertInfo_updatedAt [UTC]": "7/20/2023, 6:59:22 AM",
+ "ruleInfo_id": 1733129064452659700,
+ "ruleInfo_name": "Process Creation Test",
+ "ruleInfo_queryLang": 1,
+ "ruleInfo_queryType": "events",
+ "ruleInfo_s1ql": "EventType = \"Process Creation",
+ "ruleInfo_scopeLevel": "site",
+ "ruleInfo_severity": "Low",
+ "ruleInfo_treatAsThreat": "UNDEFINED",
+ "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n",
+ "sourceParentProcessInfo_fileHashMd5": "",
+ "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9",
+ "sourceParentProcessInfo_fileHashSha256": "",
+ "sourceParentProcessInfo_filePath": "/usr/sbin/crond",
+ "sourceParentProcessInfo_fileSignerIdentity": "",
+ "sourceParentProcessInfo_integrityLevel": "unknown",
+ "sourceParentProcessInfo_name": "crond",
+ "sourceParentProcessInfo_pid": 889,
+ "sourceParentProcessInfo_pidStarttime [UTC]": "7/18/2023, 8:56:05 AM",
+ "sourceParentProcessInfo_subsystem": "unknown",
+ "sourceParentProcessInfo_user": "",
+ "sourceProcessInfo_commandline": "/usr/sbin/crond -n",
+ "sourceProcessInfo_fileHashMd5": "",
+ "sourceProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9",
+ "sourceProcessInfo_fileHashSha256": "",
+ "sourceProcessInfo_filePath": "/usr/sbin/crond",
+ "sourceProcessInfo_fileSignerIdentity": "",
+ "sourceProcessInfo_integrityLevel": "unknown",
+ "sourceProcessInfo_name": "crond",
+ "sourceProcessInfo_pid": 44061,
+ "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:58:01 AM",
+ "sourceProcessInfo_subsystem": "unknown",
+ "sourceProcessInfo_user": "",
+ "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM",
+ "targetProcessInfo_tgtFileHashSha1": "",
+ "targetProcessInfo_tgtFileHashSha256": "",
+ "targetProcessInfo_tgtFileIsSigned": "unsigned",
+ "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM",
+ "targetProcessInfo_tgtFilePath": "",
+ "targetProcessInfo_tgtProcIntegrityLevel": "unknown",
+ "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 6:58:01 AM",
+ "agentUpdatedVersion": "",
+ "agentId": "",
+ "hash": "",
+ "osFamily": "",
+ "threatId": "",
+ "creator": "",
+ "creatorId": "",
+ "inherits": "",
+ "isDefault": "",
+ "name": "",
+ "registrationToken": "",
+ "totalAgents": "",
+ "type": "",
+ "agentDetectionInfo_accountId": 1712500237934148900,
+ "agentDetectionInfo_accountName": "",
+ "agentDetectionInfo_agentDetectionState": "",
+ "agentDetectionInfo_agentDomain": "",
+ "agentDetectionInfo_agentIpV4": "",
+ "agentDetectionInfo_agentIpV6": "",
+ "agentDetectionInfo_agentLastLoggedInUserName": "",
+ "agentDetectionInfo_agentMitigationMode": "",
+ "agentDetectionInfo_agentOsName": "",
+ "agentDetectionInfo_agentOsRevision": "",
+ "agentDetectionInfo_agentRegisteredAt [UTC]": "",
+ "agentDetectionInfo_agentUuid": "",
+ "agentDetectionInfo_agentVersion": "",
+ "agentDetectionInfo_externalIp": "",
+ "agentDetectionInfo_groupId": "",
+ "agentDetectionInfo_groupName": "",
+ "agentDetectionInfo_siteId": 1712500242422055200,
+ "agentDetectionInfo_siteName": "",
+ "agentRealtimeInfo_accountId": "",
+ "agentRealtimeInfo_accountName": "",
+ "agentRealtimeInfo_activeThreats": "",
+ "agentRealtimeInfo_agentComputerName": "",
+ "agentRealtimeInfo_agentDomain": "",
+ "agentRealtimeInfo_agentId": "",
+ "agentRealtimeInfo_agentInfected": "",
+ "agentRealtimeInfo_agentIsActive": "",
+ "agentRealtimeInfo_agentIsDecommissioned": "",
+ "agentRealtimeInfo_agentMachineType": "",
+ "agentRealtimeInfo_agentMitigationMode": "",
+ "agentRealtimeInfo_agentNetworkStatus": "",
+ "agentRealtimeInfo_agentOsName": "",
+ "agentRealtimeInfo_agentOsRevision": "",
+ "agentRealtimeInfo_agentOsType": "",
+ "agentRealtimeInfo_agentUuid": "",
+ "agentRealtimeInfo_agentVersion": "",
+ "agentRealtimeInfo_groupId": "",
+ "agentRealtimeInfo_groupName": "",
+ "agentRealtimeInfo_networkInterfaces": "",
+ "agentRealtimeInfo_operationalState": "",
+ "agentRealtimeInfo_rebootRequired": "",
+ "agentRealtimeInfo_scanFinishedAt [UTC]": "",
+ "agentRealtimeInfo_scanStartedAt [UTC]": "",
+ "agentRealtimeInfo_scanStatus": "",
+ "agentRealtimeInfo_siteId": "",
+ "agentRealtimeInfo_siteName": "",
+ "agentRealtimeInfo_userActionsNeeded": "",
+ "indicators": "",
+ "mitigationStatus": "",
+ "threatInfo_analystVerdict": "",
+ "threatInfo_analystVerdictDescription": "",
+ "threatInfo_automaticallyResolved": "",
+ "threatInfo_certificateId": "",
+ "threatInfo_classification": "",
+ "threatInfo_classificationSource": "",
+ "threatInfo_cloudFilesHashVerdict": "",
+ "threatInfo_collectionId": "",
+ "threatInfo_confidenceLevel": "",
+ "threatInfo_createdAt [UTC]": "",
+ "threatInfo_detectionEngines": "",
+ "threatInfo_detectionType": "",
+ "threatInfo_engines": "",
+ "threatInfo_externalTicketExists": "",
+ "threatInfo_failedActions": "",
+ "threatInfo_fileExtension": "",
+ "threatInfo_fileExtensionType": "",
+ "threatInfo_filePath": "",
+ "threatInfo_fileSize": "",
+ "threatInfo_fileVerificationType": "",
+ "threatInfo_identifiedAt [UTC]": "",
+ "threatInfo_incidentStatus": "",
+ "threatInfo_incidentStatusDescription": "",
+ "threatInfo_initiatedBy": "",
+ "threatInfo_initiatedByDescription": "",
+ "threatInfo_isFileless": "",
+ "threatInfo_isValidCertificate": "",
+ "threatInfo_mitigatedPreemptively": "",
+ "threatInfo_mitigationStatus": "",
+ "threatInfo_mitigationStatusDescription": "",
+ "threatInfo_originatorProcess": "",
+ "threatInfo_pendingActions": "",
+ "threatInfo_processUser": "",
+ "threatInfo_publisherName": "",
+ "threatInfo_reachedEventsLimit": "",
+ "threatInfo_rebootRequired": "",
+ "threatInfo_sha1": "",
+ "threatInfo_storyline": "",
+ "threatInfo_threatId": "",
+ "threatInfo_threatName": "",
+ "threatInfo_updatedAt [UTC]": "",
+ "whiteningOptions": "",
+ "threatInfo_maliciousProcessArguments": "",
+ "accountId": "",
+ "accountName": "",
+ "activityType": "",
+ "activityUuid": "",
+ "createdAt [UTC]": "",
+ "id": "",
+ "primaryDescription": "",
+ "secondaryDescription": "",
+ "siteId": "",
+ "siteName": "",
+ "updatedAt [UTC]": "",
+ "userId": "",
+ "event_name": "Alerts.",
+ "DataFields": "",
+ "description": "",
+ "comments": "",
+ "activeDirectory_computerMemberOf": "",
+ "activeDirectory_lastUserMemberOf": "",
+ "activeThreats": "",
+ "agentVersion": "",
+ "allowRemoteShell": "",
+ "appsVulnerabilityStatus": "",
+ "computerName": "",
+ "consoleMigrationStatus": "",
+ "coreCount": "",
+ "cpuCount": "",
+ "cpuId": "",
+ "detectionState": "",
+ "domain": "",
+ "encryptedApplications": "",
+ "externalId": "",
+ "externalIp": "",
+ "firewallEnabled": "",
+ "firstFullModeTime [UTC]": "",
+ "fullDiskScanLastUpdatedAt [UTC]": "",
+ "groupId": "",
+ "groupIp": "",
+ "groupName": "",
+ "inRemoteShellSession": "",
+ "infected": "",
+ "installerType": "",
+ "isActive": "",
+ "isDecommissioned": "",
+ "isPendingUninstall": "",
+ "isUninstalled": "",
+ "isUpToDate": "",
+ "lastActiveDate [UTC]": "",
+ "lastIpToMgmt": "",
+ "lastLoggedInUserName": "",
+ "licenseKey": "",
+ "locationEnabled": "",
+ "locationType": "",
+ "locations": "",
+ "machineType": "",
+ "mitigationMode": "",
+ "mitigationModeSuspicious": "",
+ "modelName": "",
+ "networkInterfaces": "",
+ "networkQuarantineEnabled": "",
+ "networkStatus": "",
+ "operationalState": "",
+ "osArch": "",
+ "osName": "",
+ "osRevision": "",
+ "osStartTime [UTC]": "",
+ "osType": "",
+ "rangerStatus": "",
+ "rangerVersion": "",
+ "registeredAt [UTC]": "",
+ "remoteProfilingState": "",
+ "scanFinishedAt [UTC]": "",
+ "scanStartedAt [UTC]": "",
+ "scanStatus": "",
+ "serialNumber": "",
+ "showAlertIcon": "",
+ "tags_sentinelone": "",
+ "threatRebootRequired": "",
+ "totalMemory": "",
+ "userActionsNeeded": "",
+ "uuid": "",
+ "osUsername": "",
+ "scanAbortedAt [UTC]": "",
+ "activeDirectory_computerDistinguishedName": "",
+ "activeDirectory_lastUserDistinguishedName": "",
+ "Type": "SentinelOne_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "1a0e2567-2e58-4989-ad18-206108185325",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "7/20/2023, 7:10:09 AM",
+ "Computer": "",
+ "RawData": "",
+ "alertInfo_indicatorDescription": "",
+ "alertInfo_indicatorName": "",
+ "targetProcessInfo_tgtFileOldPath": "",
+ "alertInfo_indicatorCategory": "",
+ "alertInfo_registryOldValue": "",
+ "alertInfo_dstIp": "",
+ "alertInfo_dstPort": "",
+ "alertInfo_netEventDirection": "",
+ "alertInfo_srcIp": "",
+ "alertInfo_srcPort": "",
+ "containerInfo_id": "",
+ "targetProcessInfo_tgtFileId": "",
+ "alertInfo_registryOldValueType": "",
+ "alertInfo_dnsRequest": "",
+ "alertInfo_dnsResponse": "",
+ "alertInfo_registryKeyPath": "",
+ "alertInfo_registryPath": "",
+ "alertInfo_registryValue": "",
+ "ruleInfo_description": "",
+ "alertInfo_loginAccountDomain": "",
+ "alertInfo_loginAccountSid": "",
+ "alertInfo_loginIsAdministratorEquivalent": "",
+ "alertInfo_loginIsSuccessful": "",
+ "alertInfo_loginType": "",
+ "alertInfo_loginsUserName": "",
+ "alertInfo_srcMachineIp": "",
+ "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/postdrop -r",
+ "targetProcessInfo_tgtProcImagePath": "/usr/sbin/postdrop",
+ "targetProcessInfo_tgtProcName": "postdrop",
+ "targetProcessInfo_tgtProcPid": 44066,
+ "targetProcessInfo_tgtProcSignedStatus": "unsigned",
+ "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60",
+ "targetProcessInfo_tgtProcUid": "73252ed6-aff1-c3f8-48c2-765f7b668d7c",
+ "sourceParentProcessInfo_storyline": "",
+ "sourceParentProcessInfo_uniqueId": "",
+ "sourceProcessInfo_storyline": "",
+ "sourceProcessInfo_uniqueId": "",
+ "agentDetectionInfo_machineType": "server",
+ "agentDetectionInfo_name": "cent7",
+ "agentDetectionInfo_osFamily": "linux",
+ "agentDetectionInfo_osName": "Linux",
+ "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64",
+ "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87",
+ "agentDetectionInfo_version": "23.1.2.9",
+ "agentRealtimeInfo_id": 1713059693172741400,
+ "agentRealtimeInfo_infected": "FALSE",
+ "agentRealtimeInfo_isActive": "TRUE",
+ "agentRealtimeInfo_isDecommissioned": "FALSE",
+ "agentRealtimeInfo_machineType": "server",
+ "agentRealtimeInfo_name": "cent7",
+ "agentRealtimeInfo_os": "linux",
+ "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87",
+ "alertInfo_alertId": 1733149885760081000,
+ "alertInfo_analystVerdict": "Undefined",
+ "alertInfo_createdAt [UTC]": "7/20/2023, 6:59:07 AM",
+ "alertInfo_dvEventId": "01H5S1GH6B620AGDRX5MF9M52M_4",
+ "alertInfo_eventType": "PROCESSCREATION",
+ "alertInfo_hitType": "Events",
+ "alertInfo_incidentStatus": "Unresolved",
+ "alertInfo_isEdr": "TRUE",
+ "alertInfo_reportedAt [UTC]": "7/20/2023, 6:59:27 AM",
+ "alertInfo_source": "STAR",
+ "alertInfo_updatedAt [UTC]": "7/20/2023, 6:59:27 AM",
+ "ruleInfo_id": 1733129064452659700,
+ "ruleInfo_name": "Process Creation Test",
+ "ruleInfo_queryLang": 1,
+ "ruleInfo_queryType": "events",
+ "ruleInfo_s1ql": "EventType = \"Process Creation",
+ "ruleInfo_scopeLevel": "site",
+ "ruleInfo_severity": "Low",
+ "ruleInfo_treatAsThreat": "UNDEFINED",
+ "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n",
+ "sourceParentProcessInfo_fileHashMd5": "",
+ "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9",
+ "sourceParentProcessInfo_fileHashSha256": "",
+ "sourceParentProcessInfo_filePath": "/usr/sbin/crond",
+ "sourceParentProcessInfo_fileSignerIdentity": "",
+ "sourceParentProcessInfo_integrityLevel": "unknown",
+ "sourceParentProcessInfo_name": "crond",
+ "sourceParentProcessInfo_pid": 44061,
+ "sourceParentProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:58:01 AM",
+ "sourceParentProcessInfo_subsystem": "unknown",
+ "sourceParentProcessInfo_user": "",
+ "sourceProcessInfo_commandline": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root",
+ "sourceProcessInfo_fileHashMd5": "",
+ "sourceProcessInfo_fileHashSha1": "090f9f343c64158f5590276eade3bc120ca19b1a",
+ "sourceProcessInfo_fileHashSha256": "",
+ "sourceProcessInfo_filePath": "/usr/sbin/sendmail.postfix",
+ "sourceProcessInfo_fileSignerIdentity": "",
+ "sourceProcessInfo_integrityLevel": "unknown",
+ "sourceProcessInfo_name": "sendmail.postfix",
+ "sourceProcessInfo_pid": 44065,
+ "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:58:01 AM",
+ "sourceProcessInfo_subsystem": "unknown",
+ "sourceProcessInfo_user": "",
+ "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM",
+ "targetProcessInfo_tgtFileHashSha1": "",
+ "targetProcessInfo_tgtFileHashSha256": "",
+ "targetProcessInfo_tgtFileIsSigned": "unsigned",
+ "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM",
+ "targetProcessInfo_tgtFilePath": "",
+ "targetProcessInfo_tgtProcIntegrityLevel": "unknown",
+ "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 6:58:01 AM",
+ "agentUpdatedVersion": "",
+ "agentId": "",
+ "hash": "",
+ "osFamily": "",
+ "threatId": "",
+ "creator": "",
+ "creatorId": "",
+ "inherits": "",
+ "isDefault": "",
+ "name": "",
+ "registrationToken": "",
+ "totalAgents": "",
+ "type": "",
+ "agentDetectionInfo_accountId": 1712500237934148900,
+ "agentDetectionInfo_accountName": "",
+ "agentDetectionInfo_agentDetectionState": "",
+ "agentDetectionInfo_agentDomain": "",
+ "agentDetectionInfo_agentIpV4": "",
+ "agentDetectionInfo_agentIpV6": "",
+ "agentDetectionInfo_agentLastLoggedInUserName": "",
+ "agentDetectionInfo_agentMitigationMode": "",
+ "agentDetectionInfo_agentOsName": "",
+ "agentDetectionInfo_agentOsRevision": "",
+ "agentDetectionInfo_agentRegisteredAt [UTC]": "",
+ "agentDetectionInfo_agentUuid": "",
+ "agentDetectionInfo_agentVersion": "",
+ "agentDetectionInfo_externalIp": "",
+ "agentDetectionInfo_groupId": "",
+ "agentDetectionInfo_groupName": "",
+ "agentDetectionInfo_siteId": 1712500242422055200,
+ "agentDetectionInfo_siteName": "",
+ "agentRealtimeInfo_accountId": "",
+ "agentRealtimeInfo_accountName": "",
+ "agentRealtimeInfo_activeThreats": "",
+ "agentRealtimeInfo_agentComputerName": "",
+ "agentRealtimeInfo_agentDomain": "",
+ "agentRealtimeInfo_agentId": "",
+ "agentRealtimeInfo_agentInfected": "",
+ "agentRealtimeInfo_agentIsActive": "",
+ "agentRealtimeInfo_agentIsDecommissioned": "",
+ "agentRealtimeInfo_agentMachineType": "",
+ "agentRealtimeInfo_agentMitigationMode": "",
+ "agentRealtimeInfo_agentNetworkStatus": "",
+ "agentRealtimeInfo_agentOsName": "",
+ "agentRealtimeInfo_agentOsRevision": "",
+ "agentRealtimeInfo_agentOsType": "",
+ "agentRealtimeInfo_agentUuid": "",
+ "agentRealtimeInfo_agentVersion": "",
+ "agentRealtimeInfo_groupId": "",
+ "agentRealtimeInfo_groupName": "",
+ "agentRealtimeInfo_networkInterfaces": "",
+ "agentRealtimeInfo_operationalState": "",
+ "agentRealtimeInfo_rebootRequired": "",
+ "agentRealtimeInfo_scanFinishedAt [UTC]": "",
+ "agentRealtimeInfo_scanStartedAt [UTC]": "",
+ "agentRealtimeInfo_scanStatus": "",
+ "agentRealtimeInfo_siteId": "",
+ "agentRealtimeInfo_siteName": "",
+ "agentRealtimeInfo_userActionsNeeded": "",
+ "indicators": "",
+ "mitigationStatus": "",
+ "threatInfo_analystVerdict": "",
+ "threatInfo_analystVerdictDescription": "",
+ "threatInfo_automaticallyResolved": "",
+ "threatInfo_certificateId": "",
+ "threatInfo_classification": "",
+ "threatInfo_classificationSource": "",
+ "threatInfo_cloudFilesHashVerdict": "",
+ "threatInfo_collectionId": "",
+ "threatInfo_confidenceLevel": "",
+ "threatInfo_createdAt [UTC]": "",
+ "threatInfo_detectionEngines": "",
+ "threatInfo_detectionType": "",
+ "threatInfo_engines": "",
+ "threatInfo_externalTicketExists": "",
+ "threatInfo_failedActions": "",
+ "threatInfo_fileExtension": "",
+ "threatInfo_fileExtensionType": "",
+ "threatInfo_filePath": "",
+ "threatInfo_fileSize": "",
+ "threatInfo_fileVerificationType": "",
+ "threatInfo_identifiedAt [UTC]": "",
+ "threatInfo_incidentStatus": "",
+ "threatInfo_incidentStatusDescription": "",
+ "threatInfo_initiatedBy": "",
+ "threatInfo_initiatedByDescription": "",
+ "threatInfo_isFileless": "",
+ "threatInfo_isValidCertificate": "",
+ "threatInfo_mitigatedPreemptively": "",
+ "threatInfo_mitigationStatus": "",
+ "threatInfo_mitigationStatusDescription": "",
+ "threatInfo_originatorProcess": "",
+ "threatInfo_pendingActions": "",
+ "threatInfo_processUser": "",
+ "threatInfo_publisherName": "",
+ "threatInfo_reachedEventsLimit": "",
+ "threatInfo_rebootRequired": "",
+ "threatInfo_sha1": "",
+ "threatInfo_storyline": "",
+ "threatInfo_threatId": "",
+ "threatInfo_threatName": "",
+ "threatInfo_updatedAt [UTC]": "",
+ "whiteningOptions": "",
+ "threatInfo_maliciousProcessArguments": "",
+ "accountId": "",
+ "accountName": "",
+ "activityType": "",
+ "activityUuid": "",
+ "createdAt [UTC]": "",
+ "id": "",
+ "primaryDescription": "",
+ "secondaryDescription": "",
+ "siteId": "",
+ "siteName": "",
+ "updatedAt [UTC]": "",
+ "userId": "",
+ "event_name": "Alerts.",
+ "DataFields": "",
+ "description": "",
+ "comments": "",
+ "activeDirectory_computerMemberOf": "",
+ "activeDirectory_lastUserMemberOf": "",
+ "activeThreats": "",
+ "agentVersion": "",
+ "allowRemoteShell": "",
+ "appsVulnerabilityStatus": "",
+ "computerName": "",
+ "consoleMigrationStatus": "",
+ "coreCount": "",
+ "cpuCount": "",
+ "cpuId": "",
+ "detectionState": "",
+ "domain": "",
+ "encryptedApplications": "",
+ "externalId": "",
+ "externalIp": "",
+ 
"firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:20:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": 
"", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/bin/sh -c /usr/local/demisto/d1_Test2/upgrade_engine.sh >> /tmp/d1_Test2/demisto_install.log", + "targetProcessInfo_tgtProcImagePath": "/usr/bin/bash", + "targetProcessInfo_tgtProcName": "bash", + "targetProcessInfo_tgtProcPid": 44075, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "733322a5-11bb-42e8-c701-7a97051c8a5b", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733150283338197000, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 7:00:06 AM", + 
"alertInfo_dvEventId": "01H5S1JBSA1YTHPHEXZY2S2G0T_2", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 7:00:14 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 7:00:14 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 889, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/18/2023, 8:56:05 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/crond", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "crond", + "sourceProcessInfo_pid": 44073, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:59:01 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + 
"targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 6:59:01 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + 
"agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + 
"threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + 
"userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:20:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/postdrop -r", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/postdrop", + "targetProcessInfo_tgtProcName": "postdrop", + "targetProcessInfo_tgtProcPid": 44078, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "73332352-8023-8eb1-c3a3-410efe8eeb38", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", 
+ "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733150304594931200, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 7:00:06 AM", + "alertInfo_dvEventId": "01H5S1JBSA1YTHPHEXZY2S2G0T_4", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 7:00:16 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 7:00:16 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 44073, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/20/2023, 
6:59:01 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "090f9f343c64158f5590276eade3bc120ca19b1a", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/sendmail.postfix", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "sendmail.postfix", + "sourceProcessInfo_pid": 44077, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:59:01 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 6:59:01 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + 
"agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + 
"threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + 
"isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:20:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + 
"alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/postdrop -r", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/postdrop", + "targetProcessInfo_tgtProcName": "postdrop", + "targetProcessInfo_tgtProcPid": 44088, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "734140eb-56bf-9270-ae70-d0582e8de351", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733150821383560400, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 7:01:07 AM", + "alertInfo_dvEventId": "01H5S1M6C8NJZ7KGNVCFBHK3VP_4", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 7:01:18 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt 
[UTC]": "7/20/2023, 7:01:18 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 44083, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:00:01 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "090f9f343c64158f5590276eade3bc120ca19b1a", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/sendmail.postfix", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "sendmail.postfix", + "sourceProcessInfo_pid": 44087, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:00:02 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": 
"unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 7:00:02 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + 
"agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + 
"id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + 
"TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:20:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/sendmail.postfix", + "targetProcessInfo_tgtProcName": "sendmail.postfix", + "targetProcessInfo_tgtProcPid": 44087, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "73414081-5469-2510-07c3-5b74509a4475", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + 
"agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733150886101677600, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 7:01:07 AM", + "alertInfo_dvEventId": "01H5S1M6C8NJZ7KGNVCFBHK3VP_3", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 7:01:26 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 7:01:26 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 889, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/18/2023, 8:56:05 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/crond -n", + 
"sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/crond", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "crond", + "sourceProcessInfo_pid": 44083, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:00:01 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 7:00:02 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + 
"agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + 
"threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": 
"", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:20:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": 
"/usr/sbin/unix_chkpwd root chkexpiry", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/unix_chkpwd", + "targetProcessInfo_tgtProcName": "unix_chkpwd", + "targetProcessInfo_tgtProcPid": 44098, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "734f3932-0c7f-4e05-bfff-063d6b0c92eb", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733151254411937800, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 7:02:07 AM", + "alertInfo_dvEventId": "01H5S1P0Z9027WQRD3PNDF55V0_1", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 7:02:10 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 7:02:10 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + 
"ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 889, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/18/2023, 8:56:05 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/crond", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "crond", + "sourceProcessInfo_pid": 44097, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:01:02 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 7:01:02 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + 
"totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + 
"mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": 
"", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:20:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + 
"targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/postdrop -r", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/postdrop", + "targetProcessInfo_tgtProcName": "postdrop", + "targetProcessInfo_tgtProcPid": 44102, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "734f4380-8299-a345-7dd9-8723e4b66bec", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + 
"agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733151315011247400, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 7:02:07 AM", + "alertInfo_dvEventId": "01H5S1P0Z9027WQRD3PNDF55V0_4", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 7:02:17 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 7:02:17 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 44097, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:01:02 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "090f9f343c64158f5590276eade3bc120ca19b1a", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/sendmail.postfix", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + 
"sourceProcessInfo_name": "sendmail.postfix", + "sourceProcessInfo_pid": 44101, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:01:02 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 7:01:02 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + 
"agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + 
"threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + 
"osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:20:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/bin/sh -c /usr/local/demisto/d1_Test2/upgrade_engine.sh >> /tmp/d1_Test2/demisto_install.log", + "targetProcessInfo_tgtProcImagePath": "/usr/bin/bash", + "targetProcessInfo_tgtProcName": "bash", + "targetProcessInfo_tgtProcPid": 44109, + "targetProcessInfo_tgtProcSignedStatus": 
"unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "735d0a85-074c-1c9d-7ba8-49901518524b", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733151796769051600, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 7:03:07 AM", + "alertInfo_dvEventId": "01H5S1QVJCZMW7ZPZR8JGBQBND_2", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 7:03:14 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 7:03:14 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + 
"sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 889, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/18/2023, 8:56:05 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/crond", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "crond", + "sourceProcessInfo_pid": 44107, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:02:01 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 7:02:01 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + 
"agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + 
"threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + 
"detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:20:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + 
"alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/postdrop -r", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/postdrop", + "targetProcessInfo_tgtProcName": "postdrop", + "targetProcessInfo_tgtProcPid": 44112, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "735d0b74-844c-af22-aa4a-433abde9c7a9", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733151817899958000, + "alertInfo_analystVerdict": "Undefined", + 
"alertInfo_createdAt [UTC]": "7/20/2023, 7:03:07 AM", + "alertInfo_dvEventId": "01H5S1QVJCZMW7ZPZR8JGBQBND_4", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 7:03:17 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 7:03:17 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 44107, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:02:01 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "090f9f343c64158f5590276eade3bc120ca19b1a", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/sendmail.postfix", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "sendmail.postfix", + "sourceProcessInfo_pid": 44111, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:02:01 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + 
"targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 7:02:01 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + 
"agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + 
"threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + 
"serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:20:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/postdrop -r", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/postdrop", + "targetProcessInfo_tgtProcName": "postdrop", + "targetProcessInfo_tgtProcPid": 44124, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "736b0422-db47-f377-3d29-85f017d9f67f", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": 
"", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733152335980435000, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 7:04:07 AM", + "alertInfo_dvEventId": "01H5S1SP59R24VZ5C4YRRQVRH7_4", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 7:04:19 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 7:04:19 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + 
"sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 44119, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:03:01 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "090f9f343c64158f5590276eade3bc120ca19b1a", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/sendmail.postfix", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "sendmail.postfix", + "sourceProcessInfo_pid": 44123, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:03:01 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 7:03:01 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + 
"agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + 
"threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + 
"groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:20:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + 
"alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/unix_chkpwd root chkexpiry", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/unix_chkpwd", + "targetProcessInfo_tgtProcName": "unix_chkpwd", + "targetProcessInfo_tgtProcPid": 44120, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "736afa63-ed30-cc33-824b-b8dadff8a989", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733152339512039400, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 7:04:07 AM", + "alertInfo_dvEventId": "01H5S1SP59R24VZ5C4YRRQVRH7_1", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": 
"Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 7:04:19 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 7:04:19 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 889, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/18/2023, 8:56:05 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/crond", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "crond", + "sourceProcessInfo_pid": 44119, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:03:01 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + 
"targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 7:03:01 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + 
"agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + 
"accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + 
"activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:20:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/bin/sh -c /usr/local/demisto/d1_Test2/upgrade_engine.sh >> /tmp/d1_Test2/demisto_install.log", + "targetProcessInfo_tgtProcImagePath": "/usr/bin/bash", + "targetProcessInfo_tgtProcName": "bash", + "targetProcessInfo_tgtProcPid": 44132, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "73792846-4f61-1bc2-4505-aa7291b30f42", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": 
"Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733152872348083200, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 7:05:07 AM", + "alertInfo_dvEventId": "01H5S1VGR81T56G4ZCKR5V7N29_2", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 7:05:23 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 7:05:23 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 889, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/18/2023, 8:56:05 AM", + "sourceParentProcessInfo_subsystem": "unknown", + 
"sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/crond", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "crond", + "sourceProcessInfo_pid": 44130, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:04:02 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 7:04:02 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", 
+ "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + 
"threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": 
"", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 7:20:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + 
"alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "/usr/sbin/postdrop -r", + "targetProcessInfo_tgtProcImagePath": "/usr/sbin/postdrop", + "targetProcessInfo_tgtProcName": "postdrop", + "targetProcessInfo_tgtProcPid": 44135, + "targetProcessInfo_tgtProcSignedStatus": "unsigned", + "targetProcessInfo_tgtProcStorylineId": "727f2aad-3209-c937-7a56-8e04d9b72a60", + "targetProcessInfo_tgtProcUid": "73792a93-b3f1-a4a6-2706-a764c17d214e", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733152884981328000, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 7:05:07 AM", + "alertInfo_dvEventId": "01H5S1VGR81T56G4ZCKR5V7N29_4", + "alertInfo_eventType": "PROCESSCREATION", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/20/2023, 7:05:24 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 7:05:24 AM", + "ruleInfo_id": 1733129064452659700, + "ruleInfo_name": "Process Creation Test", + "ruleInfo_queryLang": 1, + 
"ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Process Creation", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/crond -n", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "1c79e793d46d7867699807a3657a2b909f2071f9", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/crond", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "crond", + "sourceParentProcessInfo_pid": 44130, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:04:02 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "090f9f343c64158f5590276eade3bc120ca19b1a", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/sendmail.postfix", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "sendmail.postfix", + "sourceProcessInfo_pid": 44134, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:04:02 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "7/20/2023, 7:04:02 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + 
"osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", 
+ "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + 
"DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + } +] \ No newline at end of file diff --git a/Sample Data/ASIM/SentinelOne_CL_Schema.csv b/Sample Data/ASIM/SentinelOne_CL_Schema.csv index 7432410acb8..ff16136c833 100644 
--- a/Sample Data/ASIM/SentinelOne_CL_Schema.csv
+++ b/Sample Data/ASIM/SentinelOne_CL_Schema.csv
@@ -311,3 +311,4 @@ RawData,6,"System.String",string
 "activeDirectory_lastUserDistinguishedName_s",309,"System.String",string
 Type,310,"System.String",string
 "_ResourceId",311,"System.String",string
+"_ItemId",312,"System.String",string
From 28dd22a6f2ccf22943048c526ab78a4c232f5089 Mon Sep 17 00:00:00 2001
From: Jayesh Prajapati
Date: Fri, 25 Aug 2023 16:06:45 +0530
Subject: [PATCH 4/9] Fixed the Unifying parser relateed issue.
---
 .../Parsers/ASimProcessCreateSentinelOne.yaml | 2 +-
 Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml | 4 +---
 .../ASimProcessEvent/Parsers/ASimProcessEventCreate.yaml | 2 +-
 .../ASimProcessEvent/Parsers/ASimProcessEventTerminate.yaml | 4 +---
 Parsers/ASimProcessEvent/Parsers/imProcess.yaml | 3 +--
 Parsers/ASimProcessEvent/Parsers/imProcessTerminate.yaml | 6 ++----
 6 files changed, 7 insertions(+), 14 deletions(-)
diff --git a/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateSentinelOne.yaml b/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateSentinelOne.yaml
index 287ee023f81..934bd3018a7 100644
--- a/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateSentinelOne.yaml
+++ b/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateSentinelOne.yaml
@@ -17,7 +17,7 @@ References:
 Description: |
 This ASIM parser supports normalizing SentinelOne logs to the ASIM Process Event normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API.
 ParserName: ASimProcessCreateSentinelOne
-EquivalentBuiltInParser: _ASim_ProcessCreate_SentinelOne
+EquivalentBuiltInParser: _ASim_ProcessEvent_CreateSentinelOne
 ParserParams:
 - Name: disabled
 Type: bool
diff --git a/Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml b/Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml
index 91e55b4b07d..ac046f66988 100644
--- a/Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml
+++ b/Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml
@@ -29,7 +29,6 @@ Parsers:
 - _ASim_ProcessEvent_TerminateMicrosoftWindowsEvents
 - _ASim_ProcessEvent_CreateMicrosoftWindowsEvents
 - _ASim_ProcessEvent_MD4IoT
- - _ASim_ProcessEvent_TerminateSentinelOne
 - _ASim_ProcessEvent_CreateSentinelOne

 ParserQuery: |
@@ -47,5 +46,4 @@ ParserQuery: |
 ASimProcessTerminateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )),
 ASimProcessCreateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )),
 ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoTh' in (DisabledParsers) )),,
- ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) )),
- ASimProcessTerminateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateSentinelOne' in (DisabledParsers) ))
+ ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) ))
diff --git a/Parsers/ASimProcessEvent/Parsers/ASimProcessEventCreate.yaml b/Parsers/ASimProcessEvent/Parsers/ASimProcessEventCreate.yaml
index f2a716a2890..31a0f16c50f 100644
--- a/Parsers/ASimProcessEvent/Parsers/ASimProcessEventCreate.yaml
+++ b/Parsers/ASimProcessEvent/Parsers/ASimProcessEventCreate.yaml
@@ -24,7 +24,7 @@ Parsers:
 - _ASim_ProcessEvent_CreateLinuxSysmon
 - _ASim_ProcessEvent_CreateMicrosoftWindowsEvents
 - _ASim_ProcessEvent_MD4IoT
- - _ASim_ProcessEvent_SentinelOne
+ - _ASim_ProcessEvent_CreateSentinelOne

 ParserQuery: |
 let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcessEventCreate') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
diff --git a/Parsers/ASimProcessEvent/Parsers/ASimProcessEventTerminate.yaml b/Parsers/ASimProcessEvent/Parsers/ASimProcessEventTerminate.yaml
index ead0f00fd8c..fd756d2612a 100644
--- a/Parsers/ASimProcessEvent/Parsers/ASimProcessEventTerminate.yaml
+++ b/Parsers/ASimProcessEvent/Parsers/ASimProcessEventTerminate.yaml
@@ -24,7 +24,6 @@ Parsers:
 - _ASim_ProcessEvent_TerminateLinuxSysmon
 - _ASim_ProcessEvent_TerminateMicrosoftWindowsEvents
 - _ASim_ProcessEvent_MD4IoT
- - _ASim_ProcessEvent_TerminateSentinelOne
 ParserQuery: |
 let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
 let imProcessEventBuiltInDisabled=toscalar('ExcludeASimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));
@@ -35,6 +34,5 @@ ParserQuery: |
 ASimProcessTerminateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) )),
 ASimProcessTerminateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateLinuxSysmon' in (DisabledParsers) )),
 ASimProcessTerminateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )),
- ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) )),
- ASimProcessEventTerminateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateSentinelOne' in (DisabledParsers) ))
+ ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) ))

diff --git a/Parsers/ASimProcessEvent/Parsers/imProcess.yaml b/Parsers/ASimProcessEvent/Parsers/imProcess.yaml
index 41ac0323f82..5e7de130877 100644
--- a/Parsers/ASimProcessEvent/Parsers/imProcess.yaml
+++ b/Parsers/ASimProcessEvent/Parsers/imProcess.yaml
@@ -29,5 +29,4 @@ ParserQuery: |
 vimProcessTerminateMicrosoftWindowsEvents,
 vimProcessCreateMicrosoftWindowsEvents,
 vimProcessEventMD4IoT,
- vimProcessCreateSentinelOne,
- vimProcessTerminateSentinelOne
+ vimProcessCreateSentinelOne
diff --git a/Parsers/ASimProcessEvent/Parsers/imProcessTerminate.yaml b/Parsers/ASimProcessEvent/Parsers/imProcessTerminate.yaml
index 64031db5771..ecb303f9f0f 100644
--- a/Parsers/ASimProcessEvent/Parsers/imProcessTerminate.yaml
+++ b/Parsers/ASimProcessEvent/Parsers/imProcessTerminate.yaml
@@ -63,8 +63,7 @@ ParserQuery: |
 vimProcessTerminateMicrosoftSecurityEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) ))),
 vimProcessTerminateMicrosoftWindowsEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) ))),
 vimProcessTerminateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateLinuxSysmon' in (DisabledParsers) ))),
- vimProcessTerminateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventMD4IoT' in (DisabledParsers) ))),
- vimProcessTerminateSentinelOne (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateSentinelOne' in (DisabledParsers) )))
+ vimProcessTerminateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any,
parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventMD4IoT' in (DisabledParsers) )))
 };
 Generic(starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype)
@@ -75,5 +74,4 @@ Parsers:
 - _Im_ProcessTerminate_MicrosoftSecurityEvents
 - _Im_ProcessTerminate_LinuxSysmon
 - _Im_ProcessTerminate_MicrosoftWindowsEvents
- - _Im_ProcessTerminate_MD4IoT
- - _Im_ProcessTerminate_SentinelOne
+ - _Im_ProcessTerminate_MD4IoT
From e94a8d928ad832a2b85e3865af4e844b6009fff9 Mon Sep 17 00:00:00 2001
From: Jayesh Prajapati
Date: Mon, 28 Aug 2023 13:12:30 +0530
Subject: [PATCH 5/9] Updated imProcess.yaml file by following same structure as imDns and updated parameter name in vimProcessSentinelOne as per unifying parser.
---
 .../ASimProcessEvent/Parsers/imProcess.yaml | 90 ++++++++++++++++---
 .../Parsers/imProcessCreate.yaml | 2 +-
 .../Parsers/vimProcessCreateSentinelOne.yaml | 8 +-
 3 files changed, 81 insertions(+), 19 deletions(-)
diff --git a/Parsers/ASimProcessEvent/Parsers/imProcess.yaml b/Parsers/ASimProcessEvent/Parsers/imProcess.yaml
index 5e7de130877..3a7953ccca8 100644
--- a/Parsers/ASimProcessEvent/Parsers/imProcess.yaml
+++ b/Parsers/ASimProcessEvent/Parsers/imProcess.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: Process Event ASIM parser
 Version: '0.1.1'
- LastUpdated: Feb 23, 2022
+ LastUpdated: Aug 28, 2023
 Product:
 Name: Source Agnostic
 Normalization:
@@ -15,18 +15,80 @@ References:
 Description: |
 This ASIM parser supports normalizing process event logs from all supported sources to the ASIM ProcessEvent normalized schema.
 ParserName: imProcess
-EquivalentBuiltInParser: _Im_Process
+ParserParams:
+ - Name: starttime
+ Type: datetime
+ Default: datetime(null)
+ - Name: endtime
+ Type: datetime
+ Default: datetime(null)
+ - Name: commandline_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: commandline_has_all
+ Type: dynamic
+ Default: dynamic([])
+ - Name: commandline_has_any_ip_prefix
+ Type: dynamic
+ Default: dynamic([])
+ - Name: actingprocess_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: targetprocess_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: parentprocess_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: targetusername_has
+ Type: string
+ Default: '*'
+ - Name: actorusername_has
+ Type: string
+ Default: '*'
+ - Name: dvcipaddr_has_any_prefix
+ Type: dynamic
+ Default: dynamic([])
+ - Name: dvchostname_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: eventtype
+ Type: string
+ Default: '*'
+ - Name: hashes_has_any
+ Type: dynamic
+ Default: dynamic([])
 ParserQuery: |
+ let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), targetusername_has:string='*', actorusername_has:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvchostname_has_any:dynamic=dynamic([]), eventtype:string='*', hashes_has_any:dynamic=dynamic([])){
+ let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
+ let
imProcessBuiltInDisabled=toscalar('ExcludeimProcessBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));
 union isfuzzy=true
- vimProcessEmpty,
- vimProcessEventMicrosoft365D,
- vimProcessCreateMicrosoftSysmon,
- vimProcessTerminateMicrosoftSysmon,
- vimProcessCreateMicrosoftSecurityEvents,
- vimProcessTerminateMicrosoftSecurityEvents,
- vimProcessCreateLinuxSysmon,
- vimProcessTerminateLinuxSysmon,
- vimProcessTerminateMicrosoftWindowsEvents,
- vimProcessCreateMicrosoftWindowsEvents,
- vimProcessEventMD4IoT,
- vimProcessCreateSentinelOne
+ vimProcessEmpty
+ , vimProcessEventMicrosoft365D ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessEventMicrosoft365D' in (DisabledParsers) )))
+ , vimProcessCreateMicrosoftSysmon ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSysmon' in (DisabledParsers) )))
+ , vimProcessTerminateMicrosoftSysmon ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all,
commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername_has=actorusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSysmon' in (DisabledParsers) )))
+ , vimProcessCreateMicrosoftSecurityEvents ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) )))
+ , vimProcessTerminateMicrosoftSecurityEvents ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername=actorusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) )))
+ , vimProcessCreateLinuxSysmon ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any,
targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessCreateLinuxSysmon' in (DisabledParsers) )))
+ , vimProcessTerminateLinuxSysmon ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername=actorusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessTerminateLinuxSysmon' in (DisabledParsers) )))
+ , vimProcessTerminateMicrosoftWindowsEvents ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername_has=actorusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )))
+ , vimProcessCreateMicrosoftWindowsEvents ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has,
dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )))
+ , vimProcessEventMD4IoT ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessEventMD4IoT' in (DisabledParsers) )))
+ , vimProcessCreateSentinelOne ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessCreateSentinelOne' in (DisabledParsers) )))
+ };
+ Generic(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any)
+
+EquivalentBuiltInParser: _Im_Process
+Parsers:
+ - _Im_Process_Empty
+ - _Im_ProcessEvent_Microsoft365D
+ - _Im_ProcessCreate_MicrosoftSysmon
+ - _Im_ProcessTerminate_MicrosoftSysmon
+ - _Im_ProcessCreate_MicrosoftSecurityEvents
+ - _Im_ProcessTerminate_MicrosoftSecurityEvents
+ - _Im_ProcessCreate_LinuxSysmon
+ - _Im_ProcessTerminate_LinuxSysmon
+ - _Im_ProcessTerminate_MicrosoftWindowsEvents
+ - _Im_ProcessCreate_MicrosoftWindowsEvents
+ - _Im_ProcessCreate_MD4IoT
+ - _Im_ProcessCreate_SentinelOne
diff --git a/Parsers/ASimProcessEvent/Parsers/imProcessCreate.yaml b/Parsers/ASimProcessEvent/Parsers/imProcessCreate.yaml
index e58ca399f7f..23bea1323aa 100644
--- a/Parsers/ASimProcessEvent/Parsers/imProcessCreate.yaml
+++ b/Parsers/ASimProcessEvent/Parsers/imProcessCreate.yaml
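Review bot: The closing `Generic(...)` call in this hunk passes `dvcname_has_any=dvcname_has_any`, but neither the new ParserParams nor the `let Generic=(...)` signature declares a `dvcname_has_any` parameter — only `dvchostname_has_any` — so the name cannot resolve and the parser fails; it should read `dvchostname_has_any=dvchostname_has_any` (PATCH 7/9 further down makes exactly this correction). The `Parsers:` list added at the end names `_Im_ProcessCreate_MD4IoT` while the union invokes `vimProcessEventMD4IoT`; the ASim-side lists on this page use `_ASim_ProcessEvent_MD4IoT`, so the built-in name for this entry is worth confirming. This hunk also turns a parameterless parser into one with fourteen filter parameters, yet `Version` stays at `'0.1.1'` (the hunk above only moves `LastUpdated`); an interface change of that size warrants a version bump.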
@@ -67,7 +67,7 @@ ParserQuery: |
 vimProcessCreateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateLinuxSysmon' in (DisabledParsers) ))),
 vimProcessCreateMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) ))),
 vimProcessCreateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventMD4IoT' in (DisabledParsers) ))),
- vimProcessCreateSentinelOne (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateSentinelOne' in (DisabledParsers) )))
+ vimProcessCreateSentinelOne (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any,
parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateSentinelOne' in (DisabledParsers) )))
 };
 Generic(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcipaddr_has_any_prefix, hashes_has_any=hashes_has_any, eventtype=eventtype)
diff --git a/Parsers/ASimProcessEvent/Parsers/vimProcessCreateSentinelOne.yaml b/Parsers/ASimProcessEvent/Parsers/vimProcessCreateSentinelOne.yaml
index 198f51b8cb0..3b2c4f8c073 100644
--- a/Parsers/ASimProcessEvent/Parsers/vimProcessCreateSentinelOne.yaml
+++ b/Parsers/ASimProcessEvent/Parsers/vimProcessCreateSentinelOne.yaml
@@ -49,7 +49,7 @@ ParserParams:
 - Name: dvcipaddr_has_any_prefix
 Type: dynamic
 Default: dynamic([])
- - Name: dvcname_has_any
+ - Name: dvchostname_has_any
 Type: dynamic
 Default: dynamic([])
 - Name: hashes_has_any
@@ -73,7 +73,7 @@ ParserQuery: |
 parentprocess_has_any: dynamic=dynamic([]),
 targetusername_has: string='*',
 dvcipaddr_has_any_prefix: dynamic=dynamic([]),
- dvcname_has_any: dynamic=dynamic([]),
+ dvchostname_has_any: dynamic=dynamic([]),
 eventtype: string='*',
 hashes_has_any: dynamic=dynamic([]),
 disabled: bool=false) {
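Review bot: The closing `Generic(...)` call at the end of the imProcessCreate.yaml hunk binds `dvcname_has_any=dvcipaddr_has_any_prefix`, so the device-name list a caller supplies is discarded and the IP-prefix list is matched against hostnames instead; a hunt filtered by device name silently returns the wrong rows, and it should read `dvcname_has_any=dvcname_has_any`. That line is context, so the commit leaves it untouched, but this hunk is the natural place to correct it. On the new `vimProcessCreateSentinelOne` line the `disabled` value is the only argument passed positionally after a run of named arguments, whereas this parser's own `Generic` call in vimProcessCreateSentinelOne.yaml names it (`disabled=disabled`); writing `disabled=(imBuiltInDisabled or('ExcludevimProcessCreateSentinelOne' in (DisabledParsers) ))` keeps the call independent of parameter order.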
@@ -92,7 +92,7 @@ ParserQuery: |
 and (array_length(actingprocess_has_any) == 0 or sourceProcessInfo_name_s has_any (actingprocess_has_any))
 and (array_length(targetprocess_has_any) == 0 or targetProcessInfo_tgtProcName_s has_any (targetprocess_has_any))
 and (array_length(parentprocess_has_any) == 0 or sourceParentProcessInfo_name_s has_any (parentprocess_has_any))
- and (array_length(dvcname_has_any) == 0 or agentDetectionInfo_name_s has_any (dvcname_has_any))
+ and (array_length(dvchostname_has_any) == 0 or agentDetectionInfo_name_s has_any (dvchostname_has_any))
 and array_length(hashes_has_any) == 0 or targetProcessInfo_tgtFileHashSha1_s has_any (hashes_has_any) or targetProcessInfo_tgtFileHashSha256_s has_any (hashes_has_any)
 | project-rename
 DvcId = agentDetectionInfo_uuid_g,
@@ -182,7 +182,7 @@ ParserQuery: |
 parentprocess_has_any=parentprocess_has_any,
 targetusername_has=targetusername_has,
 dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,
- dvcname_has_any=dvcname_has_any,
+ dvchostname_has_any=dvchostname_has_any,
 eventtype=eventtype,
 hashes_has_any=hashes_has_any,
 disabled=disabled
From 8fc7a449869ba0c95fb3aa3ec6e303e0e51875b7 Mon Sep 17 00:00:00 2001
From: Jayesh Prajapati
Date: Tue, 29 Aug 2023 15:37:49 +0530
Subject: [PATCH 6/9] Fixed the validation error by removing extra comma.
---
 Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml b/Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml
index ac046f66988..9a91d9e418f 100644
--- a/Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml
+++ b/Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml
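Review bot: The hashes predicate on the line right after the renamed `dvchostname_has_any` check is not parenthesised: `and array_length(hashes_has_any) == 0 or targetProcessInfo_tgtFileHashSha1_s has_any (hashes_has_any) or targetProcessInfo_tgtFileHashSha256_s has_any (hashes_has_any)`, and since `and` binds tighter than `or`, any row whose SHA1 or SHA256 matches a supplied hash is returned regardless of every preceding predicate — presumably including the `not(disabled)` and time-window checks that sit above this hunk — so a filtered call with `hashes_has_any` set ignores its other filters. Because the commit already edits the adjacent line, this is the place to wrap the clause: `and (array_length(hashes_has_any) == 0 or targetProcessInfo_tgtFileHashSha1_s has_any (hashes_has_any) or targetProcessInfo_tgtFileHashSha256_s has_any (hashes_has_any))`. The enclosing `where` clause starts outside the hunk.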
@@ -45,5 +45,5 @@ ParserQuery: |
 ASimProcessTerminateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateLinuxSysmon' in (DisabledParsers) )),
 ASimProcessTerminateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )),
 ASimProcessCreateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )),
- ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoTh' in (DisabledParsers) )),,
+ ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoTh' in (DisabledParsers) )),
 ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) ))
From b4fddc17e2df3dee9a6d33ea69c65f649b733728 Mon Sep 17 00:00:00 2001
From: Jayesh Prajapati
Date: Thu, 31 Aug 2023 16:45:48 +0530
Subject: [PATCH 7/9] Fixed the KqlValidation error by correcting the ASIM parser name in unifying.
---
 Parsers/ASimProcessEvent/Parsers/ASimProcessEventCreate.yaml | 2 +-
 Parsers/ASimProcessEvent/Parsers/imProcess.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Parsers/ASimProcessEvent/Parsers/ASimProcessEventCreate.yaml b/Parsers/ASimProcessEvent/Parsers/ASimProcessEventCreate.yaml
index 31a0f16c50f..d65bef4de40 100644
--- a/Parsers/ASimProcessEvent/Parsers/ASimProcessEventCreate.yaml
+++ b/Parsers/ASimProcessEvent/Parsers/ASimProcessEventCreate.yaml
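Review bot: The rewritten line still carries `'ExcludeASimProcessEventMD4IoTh'` as the watchlist exclusion key, while ASimProcessEventCreate.yaml and ASimProcessEventTerminate.yaml on this page use `'ExcludeASimProcessEventMD4IoT'`; a `SourceSpecificParser` entry that disables the MD4IoT source in those unifying parsers leaves it silently enabled in this one. Since the commit already touches this line to drop the extra comma, fixing the key at the same time is cheap: `ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) )),`.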
@@ -37,4 +37,4 @@ ParserQuery: |
 ASimProcessCreateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateLinuxSysmon' in (DisabledParsers) )),
 ASimProcessCreateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )),
 ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) )),
- ASimProcessEventCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) ))
+ ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) ))
diff --git a/Parsers/ASimProcessEvent/Parsers/imProcess.yaml b/Parsers/ASimProcessEvent/Parsers/imProcess.yaml
index 3a7953ccca8..ba5161b191d 100644
--- a/Parsers/ASimProcessEvent/Parsers/imProcess.yaml
+++ b/Parsers/ASimProcessEvent/Parsers/imProcess.yaml
@@ -76,7 +76,7 @@ ParserQuery: |
 , vimProcessEventMD4IoT ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessEventMD4IoT' in (DisabledParsers) )))
 , vimProcessCreateSentinelOne ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessCreateSentinelOne' in (DisabledParsers) )))
 };
- Generic(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any)
+ Generic(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any,
targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any)

 EquivalentBuiltInParser: _Im_Process
 Parsers:
From 8b6a62bd1c131510e152c8b1fd7eb0442d0c3f8a Mon Sep 17 00:00:00 2001
From: Jayesh Prajapati
Date: Mon, 18 Sep 2023 20:07:32 +0530
Subject: [PATCH 8/9] Updated parser by adding inspection fields, added EventProduct and Event Vender in tester file and updated sample data as per change.
---
 ASIM/dev/ASimTester/ASimTester.csv | 4 +-
 .../Parsers/ASimProcessCreateSentinelOne.yaml | 65 ++++++++++--
 .../Parsers/vimProcessCreateSentinelOne.yaml | 99 ++++++++++++++-----
 ...ntinelOne_ASimProcessCreate_SchemaTest.csv | 4 +
 ...entinelOne_vimProcessCreate_SchemaTest.csv | 4 +
 ...tinelOne_ASimProcessEvent_IngestedLogs.csv | 40 ++++----
 .../SentinelOne_ASimProcessEvent_RawLogs.json | 26 ++---
 7 files changed, 170 insertions(+), 72 deletions(-)
diff --git a/ASIM/dev/ASimTester/ASimTester.csv b/ASIM/dev/ASimTester/ASimTester.csv
index fb245622fbd..e5c1bfb2fb6 100644
--- a/ASIM/dev/ASimTester/ASimTester.csv
+++ b/ASIM/dev/ASimTester/ASimTester.csv
@@ -806,7 +806,7 @@ EventOriginalSubType,string,Optional,ProcessEvent,,,
 EventOriginalType,string,Optional,ProcessEvent,,,
 EventOriginalUid,string,Optional,ProcessEvent,,,
 EventOwner,string,Optional,ProcessEvent,,,
-EventProduct,string,Mandatory,ProcessEvent,Enumerated,M365 Defender for Endpoint|Sysmon for Linux|Sysmon|Azure Defender for IoT|Security Events,
+EventProduct,string,Mandatory,ProcessEvent,Enumerated,M365 Defender for Endpoint|Sysmon for Linux|Sysmon|Azure Defender for IoT|Security Events|SentinelOne,
 EventProductVersion,string,Optional,ProcessEvent,,,
 EventReportUrl,string,Optional,ProcessEvent,URL,,
 EventResult,string,Mandatory,ProcessEvent,Enumerated,Success|Failure|Partial|NA,
@@ -818,7 +818,7 @@ EventStartTime,datetime,Mandatory,ProcessEvent,,, EventSubType,string,Optional,ProcessEvent,,, EventType,string,Mandatory,ProcessEvent,Enumerated,ProcessCreated|ProcessTerminated, EventUid,string,Recommended,ProcessEvent,,, -EventVendor,string,Mandatory,ProcessEvent,Enumerated,Microsoft, +EventVendor,string,Mandatory,ProcessEvent,Enumerated,Microsoft|SentinelOne, Hash,string,Recommended,ProcessEvent,,, HashType,string,Conditional,ProcessEvent,Enumerated,MD5|SHA1|SHA256|SHA512|IMPHASH,Hash ParentProcessCreationTime,datetime,Optional,ProcessEvent,,, diff --git a/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateSentinelOne.yaml b/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateSentinelOne.yaml index 934bd3018a7..b95d4f15137 100644 --- a/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateSentinelOne.yaml +++ b/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateSentinelOne.yaml @@ -1,7 +1,7 @@ Parser: Title: Process Create ASIM parser for SentinelOne Version: '0.1.0' - LastUpdated: Jul 24, 2023 + LastUpdated: Sep 18, 2023 Product: Name: SentinelOne Normalization: 
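Review bot: ASimTester.csv is extended only for `EventProduct` and `EventVendor`, while the `Rule`, `RuleName`, `ThreatConfidence` and `ThreatOriginalConfidence` columns the two parsers now emit are still absent from its ProcessEvent field list, so the SchemaTest expectation hunks later in this patch (`@@ -76,3 +76,7 @@` in SentinelOne_ASimProcessCreate_SchemaTest.csv and in SentinelOne_vimProcessCreate_SchemaTest.csv) lock in `"(2) Info: extra unnormalized column [...]"` for fields the commit adds on purpose. If these inspection fields are part of the ProcessEvent schema version the parsers target, the corresponding tester rows belong here (for example `RuleName,string,Optional,ProcessEvent,,,`, following the row format visible in this hunk; the type and class of the other three would need checking against the schema) and the four expectation lines should go; if they are not, the parsers should not be emitting them. Either way, an expectation file that records the new fields as unnormalized reads as a known regression rather than a passing test.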
@@ -17,17 +17,58 @@ References: Description: | This ASIM parser supports normalizing SentinelOne logs to the ASIM Process Event normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API. ParserName: ASimProcessCreateSentinelOne -EquivalentBuiltInParser: _ASim_ProcessEvent_CreateSentinelOne +EquivalentBuiltInParser: _ASim_ProcessCreate_SentinelOne ParserParams: - Name: disabled Type: bool Default: false ParserQuery: | + let ThreatConfidenceLookup_undefined = datatable( + alertInfo_analystVerdict_s: string, + ThreatConfidence_undefined: int + ) + [ + "FALSE_POSITIVE", 5, + "Undefined", 15, + "SUSPICIOUS", 25, + "TRUE_POSITIVE", 33 + ]; + let ThreatConfidenceLookup_suspicious = datatable( + alertInfo_analystVerdict_s: string, + ThreatConfidence_suspicious: int + ) + [ + "FALSE_POSITIVE", 40, + "Undefined", 50, + "SUSPICIOUS", 60, + "TRUE_POSITIVE", 67 + ]; + let ThreatConfidenceLookup_malicious = datatable( + alertInfo_analystVerdict_s: string, + ThreatConfidence_malicious: int + ) + [ + "FALSE_POSITIVE", 75, + "Undefined", 80, + "SUSPICIOUS", 90, + "TRUE_POSITIVE", 100 + ]; let parser = (disabled: bool=false) { - SentinelOne_CL - | where not(disabled) - and event_name_s == "Alerts." - and alertInfo_eventType_s == "PROCESSCREATION" + let alldata = SentinelOne_CL + | where not(disabled) + and event_name_s == "Alerts." 
+ and alertInfo_eventType_s == "PROCESSCREATION"; + let undefineddata = alldata + | where ruleInfo_treatAsThreat_s == "UNDEFINED" + | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s; + let suspiciousdata = alldata + | where ruleInfo_treatAsThreat_s == "Suspicious" + | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s; + let maaliciousdata = alldata + | where ruleInfo_treatAsThreat_s == "Malicious" + | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s; + union undefineddata, suspiciousdata, maaliciousdata + | extend ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious) | project-rename DvcId = agentDetectionInfo_uuid_g, EventStartTime = sourceProcessInfo_pidStarttime_t, @@ -49,7 +90,9 @@ ParserQuery: | TargetProcessIntegrityLevel = targetProcessInfo_tgtProcIntegrityLevel_s, EventOriginalType = alertInfo_eventType_s, EventOriginalSeverity = ruleInfo_severity_s, - EventOriginalUid = alertInfo_dvEventId_s + EventOriginalUid = alertInfo_dvEventId_s, + RuleName = ruleInfo_name_s, + ThreatOriginalConfidence = ruleInfo_treatAsThreat_s | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s') | extend ActingProcessId = sourceProcessInfo_pid_s, @@ -61,7 +104,7 @@ ParserQuery: | TargetProcessSHA256 = targetProcessInfo_tgtFileHashSha256_s, ParentProcessMD5 = replace_string(sourceParentProcessInfo_fileHashMd5_g, "-", ""), ActingProcessMD5 = replace_string(sourceProcessInfo_fileHashMd5_g, "-", ""), - EventSeverity = iff(EventOriginalSeverity == "Critical", "High", EventOriginalSeverity) + EventSeverity = iff(EventOriginalSeverity == "Critical", "High", EventOriginalSeverity) | extend EventCount = int(1), EventProduct = "SentinelOne", 
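Review bot: The `union undefineddata, suspiciousdata, maaliciousdata` silently drops every process-creation event whose `ruleInfo_treatAsThreat_s` is not exactly "UNDEFINED", "Suspicious" or "Malicious" (an empty value, or a different casing — the sample data only confirms the upper-case UNDEFINED form, so the other two are unverified here), so the parser loses events instead of merely leaving `ThreatConfidence` unset; the same construction is in the vimProcessCreateSentinelOne hunk `@@ -77,23 +107,34 @@`. A single two-key lookup table keeps every row, because `lookup` is a left outer join and an unmatched treatAsThreat/analystVerdict pair just yields a null `ThreatConfidence`; if the vendor's casing turns out to be inconsistent, applying `toupper()` to both key columns before the lookup would make it robust. This also removes the `ThreatConfidence_*` helper columns, so the `project-away ThreatConfidence_*` added in hunks `@@ -103,6 +147,7 @@` and `@@ -169,11 +213,12 @@` is no longer needed, and the misspelt `maaliciousdata` disappears with it. The `parser` body continues past the end of this hunk.
```kql
let ThreatConfidenceLookup = datatable(
    ruleInfo_treatAsThreat_s: string,
    alertInfo_analystVerdict_s: string,
    ThreatConfidence: int
)
[
    "UNDEFINED", "FALSE_POSITIVE", 5,
    "UNDEFINED", "Undefined", 15,
    "UNDEFINED", "SUSPICIOUS", 25,
    "UNDEFINED", "TRUE_POSITIVE", 33,
    "Suspicious", "FALSE_POSITIVE", 40,
    "Suspicious", "Undefined", 50,
    "Suspicious", "SUSPICIOUS", 60,
    "Suspicious", "TRUE_POSITIVE", 67,
    "Malicious", "FALSE_POSITIVE", 75,
    "Malicious", "Undefined", 80,
    "Malicious", "SUSPICIOUS", 90,
    "Malicious", "TRUE_POSITIVE", 100
];
let parser = (disabled: bool=false) {
    SentinelOne_CL
    | where not(disabled)
        and event_name_s == "Alerts."
        and alertInfo_eventType_s == "PROCESSCREATION"
    // lookup is a left outer join: a treatAsThreat/analystVerdict pair that is not in the table
    // keeps the event and leaves ThreatConfidence null instead of dropping the row
    | lookup ThreatConfidenceLookup on ruleInfo_treatAsThreat_s, alertInfo_analystVerdict_s
    // … unchanged: project-rename, _ASIM_ResolveDvcFQDN, extends and project-away …
```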
@@ -77,7 +120,8 @@ ParserQuery: | User = TargetUsername, ActingProcessCreationTime = EventStartTime, CommandLine = TargetProcessCommandLine, - Process = TargetProcessName + Process = TargetProcessName, + Rule = RuleName | extend HashType = case( isnotempty(Hash) and isnotempty(TargetProcessSHA256), @@ -103,6 +147,7 @@ ParserQuery: | Computer, MG, ManagementGroupName, - SourceSystem + SourceSystem, + ThreatConfidence_* }; parser(disabled=disabled) \ No newline at end of file diff --git a/Parsers/ASimProcessEvent/Parsers/vimProcessCreateSentinelOne.yaml b/Parsers/ASimProcessEvent/Parsers/vimProcessCreateSentinelOne.yaml index 3b2c4f8c073..8e56287e1c5 100644 --- a/Parsers/ASimProcessEvent/Parsers/vimProcessCreateSentinelOne.yaml +++ b/Parsers/ASimProcessEvent/Parsers/vimProcessCreateSentinelOne.yaml @@ -1,7 +1,7 @@ Parser: Title: Process Create ASIM parser for SentinelOne Version: '0.1.0' - LastUpdated: Jul 24, 2023 + LastUpdated: Sep 18, 2023 Product: Name: SentinelOne Normalization: @@ -62,6 +62,36 @@ ParserParams: Type: bool Default: false ParserQuery: | + let ThreatConfidenceLookup_undefined = datatable( + alertInfo_analystVerdict_s: string, + ThreatConfidence_undefined: int + ) + [ + "FALSE_POSITIVE", 5, + "Undefined", 15, + "SUSPICIOUS", 25, + "TRUE_POSITIVE", 33 + ]; + let ThreatConfidenceLookup_suspicious = datatable( + alertInfo_analystVerdict_s: string, + ThreatConfidence_suspicious: int + ) + [ + "FALSE_POSITIVE", 40, + "Undefined", 50, + "SUSPICIOUS", 60, + "TRUE_POSITIVE", 67 + ]; + let ThreatConfidenceLookup_malicious = datatable( + alertInfo_analystVerdict_s: string, + ThreatConfidence_malicious: int + ) + [ + "FALSE_POSITIVE", 75, + "Undefined", 80, + "SUSPICIOUS", 90, + "TRUE_POSITIVE", 100 + ]; let parser = ( starttime: datetime=datetime(null), endtime: datetime=datetime(null), 
@@ -77,23 +107,34 @@ ParserQuery: | eventtype: string='*', hashes_has_any: dynamic=dynamic([]), disabled: bool=false) { - SentinelOne_CL - | where not(disabled) - and (isnull(starttime) or TimeGenerated >= starttime) - and (isnull(endtime) or TimeGenerated <= endtime) - and event_name_s == "Alerts." - and alertInfo_eventType_s == "PROCESSCREATION" - and (eventtype == '*' or eventtype == 'PROCESSCREATION') - and array_length(dvcipaddr_has_any_prefix) == 0 - and (targetusername_has == '*' or sourceProcessInfo_user_s has targetusername_has) - and (array_length(commandline_has_all) == 0 or targetProcessInfo_tgtProcCmdLine_s has_all (commandline_has_all)) - and (array_length(commandline_has_any) == 0 or targetProcessInfo_tgtProcCmdLine_s has_any (commandline_has_any)) - and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(targetProcessInfo_tgtProcCmdLine_s, commandline_has_any_ip_prefix)) - and (array_length(actingprocess_has_any) == 0 or sourceProcessInfo_name_s has_any (actingprocess_has_any)) - and (array_length(targetprocess_has_any) == 0 or targetProcessInfo_tgtProcName_s has_any (targetprocess_has_any)) - and (array_length(parentprocess_has_any) == 0 or sourceParentProcessInfo_name_s has_any (parentprocess_has_any)) - and (array_length(dvchostname_has_any) == 0 or agentDetectionInfo_name_s has_any (dvchostname_has_any)) - and array_length(hashes_has_any) == 0 or targetProcessInfo_tgtFileHashSha1_s has_any (hashes_has_any) or targetProcessInfo_tgtFileHashSha256_s has_any (hashes_has_any) + let alldata = SentinelOne_CL + | where not(disabled) + and (isnull(starttime) or TimeGenerated >= starttime) + and (isnull(endtime) or TimeGenerated <= endtime) + and event_name_s == "Alerts." 
+ and alertInfo_eventType_s == "PROCESSCREATION" + and (eventtype == '*' or eventtype == 'ProcessCreated') + and array_length(dvcipaddr_has_any_prefix) == 0 + and (targetusername_has == '*' or sourceProcessInfo_user_s has targetusername_has) + and (array_length(commandline_has_all) == 0 or targetProcessInfo_tgtProcCmdLine_s has_all (commandline_has_all)) + and (array_length(commandline_has_any) == 0 or targetProcessInfo_tgtProcCmdLine_s has_any (commandline_has_any)) + and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(targetProcessInfo_tgtProcCmdLine_s, commandline_has_any_ip_prefix)) + and (array_length(actingprocess_has_any) == 0 or sourceProcessInfo_name_s has_any (actingprocess_has_any)) + and (array_length(targetprocess_has_any) == 0 or targetProcessInfo_tgtProcName_s has_any (targetprocess_has_any)) + and (array_length(parentprocess_has_any) == 0 or sourceParentProcessInfo_name_s has_any (parentprocess_has_any)) + and (array_length(dvchostname_has_any) == 0 or agentDetectionInfo_name_s has_any (dvchostname_has_any)) + and (array_length(hashes_has_any) == 0 or targetProcessInfo_tgtFileHashSha1_s has_any (hashes_has_any) or targetProcessInfo_tgtFileHashSha256_s has_any (hashes_has_any)); + let undefineddata = alldata + | where ruleInfo_treatAsThreat_s == "UNDEFINED" + | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s; + let suspiciousdata = alldata + | where ruleInfo_treatAsThreat_s == "Suspicious" + | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s; + let maaliciousdata = alldata + | where ruleInfo_treatAsThreat_s == "Malicious" + | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s; + union undefineddata, suspiciousdata, maaliciousdata + | extend ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious) | project-rename DvcId = agentDetectionInfo_uuid_g, EventStartTime = sourceProcessInfo_pidStarttime_t, 
@@ -115,7 +156,9 @@ ParserQuery: | TargetProcessIntegrityLevel = targetProcessInfo_tgtProcIntegrityLevel_s, EventOriginalType = alertInfo_eventType_s, EventOriginalSeverity = ruleInfo_severity_s, - EventOriginalUid = alertInfo_dvEventId_s + EventOriginalUid = alertInfo_dvEventId_s, + RuleName = ruleInfo_name_s, + ThreatOriginalConfidence = ruleInfo_treatAsThreat_s | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s') | extend ActingProcessId = sourceProcessInfo_pid_s, @@ -127,7 +170,7 @@ ParserQuery: | TargetProcessSHA256 = targetProcessInfo_tgtFileHashSha256_s, ParentProcessMD5 = replace_string(sourceParentProcessInfo_fileHashMd5_g, "-", ""), ActingProcessMD5 = replace_string(sourceProcessInfo_fileHashMd5_g, "-", ""), - EventSeverity = iff(EventOriginalSeverity == "Critical", "High", EventOriginalSeverity) + EventSeverity = iff(EventOriginalSeverity == "Critical", "High", EventOriginalSeverity) | extend EventCount = int(1), EventProduct = "SentinelOne", @@ -137,14 +180,15 @@ ParserQuery: | EventType = "ProcessCreated", EventVendor = "SentinelOne", EventSchema = "ProcessEvent" - | extend + | extend Dvc = DvcId, EventEndTime = EventStartTime, User = TargetUsername, ActingProcessCreationTime = EventStartTime, CommandLine = TargetProcessCommandLine, - Process = TargetProcessName - | extend + Process = TargetProcessName, + Rule = RuleName + | extend HashType = case( isnotempty(Hash) and isnotempty(TargetProcessSHA256), "TargetProcessSHA256", @@ -169,11 +213,12 @@ ParserQuery: | Computer, MG, ManagementGroupName, - SourceSystem + SourceSystem, + ThreatConfidence_* }; parser( - starttime=starttime, - endtime=endtime, + starttime=starttime, + endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, @@ -186,4 +231,4 @@ ParserQuery: | eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=disabled - ) + ) \ No newline at end of file 
diff --git a/Parsers/ASimProcessEvent/test/SentinelOne_ASimProcessCreate_SchemaTest.csv b/Parsers/ASimProcessEvent/test/SentinelOne_ASimProcessCreate_SchemaTest.csv index 69c8944d396..b9b65b4c8f4 100644 --- a/Parsers/ASimProcessEvent/test/SentinelOne_ASimProcessCreate_SchemaTest.csv +++ b/Parsers/ASimProcessEvent/test/SentinelOne_ASimProcessCreate_SchemaTest.csv @@ -76,3 +76,7 @@ "(2) Info: Missing optional field [TargetUserSessionId]" "(2) Info: Missing optional field [TargetUserSid]" "(2) Info: Missing optional field [TargetUserUpn]" +"(2) Info: extra unnormalized column [RuleName]" +"(2) Info: extra unnormalized column [Rule]" +"(2) Info: extra unnormalized column [ThreatConfidence]" +"(2) Info: extra unnormalized column [ThreatOriginalConfidence]" diff --git a/Parsers/ASimProcessEvent/test/SentinelOne_vimProcessCreate_SchemaTest.csv b/Parsers/ASimProcessEvent/test/SentinelOne_vimProcessCreate_SchemaTest.csv index 69c8944d396..b9b65b4c8f4 100644 --- a/Parsers/ASimProcessEvent/test/SentinelOne_vimProcessCreate_SchemaTest.csv +++ b/Parsers/ASimProcessEvent/test/SentinelOne_vimProcessCreate_SchemaTest.csv @@ -76,3 +76,7 @@ "(2) Info: Missing optional field [TargetUserSessionId]" "(2) Info: Missing optional field [TargetUserSid]" "(2) Info: Missing optional field [TargetUserUpn]" +"(2) Info: extra unnormalized column [RuleName]" +"(2) Info: extra unnormalized column [Rule]" +"(2) Info: extra unnormalized column [ThreatConfidence]" +"(2) Info: extra unnormalized column [ThreatOriginalConfidence]" diff --git a/Sample Data/ASIM/SentinelOne_ASimProcessEvent_IngestedLogs.csv b/Sample Data/ASIM/SentinelOne_ASimProcessEvent_IngestedLogs.csv index 459d530851e..3109e1011cc 100644 --- a/Sample Data/ASIM/SentinelOne_ASimProcessEvent_IngestedLogs.csv +++ b/Sample Data/ASIM/SentinelOne_ASimProcessEvent_IngestedLogs.csv 
@@ -1,21 +1,21 @@ TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,alertInfo_indicatorDescription_s,alertInfo_indicatorName_s,targetProcessInfo_tgtFileOldPath_s,alertInfo_indicatorCategory_s,alertInfo_registryOldValue_g,alertInfo_dstIp_s,alertInfo_dstPort_s,alertInfo_netEventDirection_s,alertInfo_srcIp_s,alertInfo_srcPort_s,containerInfo_id_s,targetProcessInfo_tgtFileId_g,alertInfo_registryOldValue_s,alertInfo_registryOldValueType_s,alertInfo_dnsRequest_s,alertInfo_dnsResponse_s,alertInfo_registryKeyPath_s,alertInfo_registryPath_s,alertInfo_registryValue_g,ruleInfo_description_s,alertInfo_registryValue_s,alertInfo_loginAccountDomain_s,alertInfo_loginAccountSid_s,alertInfo_loginIsAdministratorEquivalent_s,alertInfo_loginIsSuccessful_s,alertInfo_loginType_s,alertInfo_loginsUserName_s,alertInfo_srcMachineIp_s,targetProcessInfo_tgtProcCmdLine_s,targetProcessInfo_tgtProcImagePath_s,targetProcessInfo_tgtProcName_s,targetProcessInfo_tgtProcPid_s,targetProcessInfo_tgtProcSignedStatus_s,targetProcessInfo_tgtProcStorylineId_s,targetProcessInfo_tgtProcUid_s,sourceParentProcessInfo_storyline_g,sourceParentProcessInfo_uniqueId_g,sourceProcessInfo_storyline_g,sourceProcessInfo_uniqueId_g,targetProcessInfo_tgtProcStorylineId_g,targetProcessInfo_tgtProcUid_g,agentDetectionInfo_machineType_s,agentDetectionInfo_name_s,agentDetectionInfo_osFamily_s,agentDetectionInfo_osName_s,agentDetectionInfo_osRevision_s,agentDetectionInfo_uuid_g,agentDetectionInfo_version_s,agentRealtimeInfo_id_s,agentRealtimeInfo_infected_b,agentRealtimeInfo_isActive_b,agentRealtimeInfo_isDecommissioned_b,agentRealtimeInfo_machineType_s,agentRealtimeInfo_name_s,agentRealtimeInfo_os_s,agentRealtimeInfo_uuid_g,alertInfo_alertId_s,alertInfo_analystVerdict_s,alertInfo_createdAt_t [UTC],alertInfo_dvEventId_s,alertInfo_eventType_s,alertInfo_hitType_s,alertInfo_incidentStatus_s,alertInfo_isEdr_b,alertInfo_reportedAt_t [UTC],alertInfo_source_s,alertInfo_updatedAt_t 
[UTC],ruleInfo_id_s,ruleInfo_name_s,ruleInfo_queryLang_s,ruleInfo_queryType_s,ruleInfo_s1ql_s,ruleInfo_scopeLevel_s,ruleInfo_severity_s,ruleInfo_treatAsThreat_s,sourceParentProcessInfo_commandline_s,sourceParentProcessInfo_fileHashMd5_g,sourceParentProcessInfo_fileHashSha1_s,sourceParentProcessInfo_fileHashSha256_s,sourceParentProcessInfo_filePath_s,sourceParentProcessInfo_fileSignerIdentity_s,sourceParentProcessInfo_integrityLevel_s,sourceParentProcessInfo_name_s,sourceParentProcessInfo_pid_s,sourceParentProcessInfo_pidStarttime_t [UTC],sourceParentProcessInfo_storyline_s,sourceParentProcessInfo_subsystem_s,sourceParentProcessInfo_uniqueId_s,sourceParentProcessInfo_user_s,sourceProcessInfo_commandline_s,sourceProcessInfo_fileHashMd5_g,sourceProcessInfo_fileHashSha1_s,sourceProcessInfo_fileHashSha256_s,sourceProcessInfo_filePath_s,sourceProcessInfo_fileSignerIdentity_s,sourceProcessInfo_integrityLevel_s,sourceProcessInfo_name_s,sourceProcessInfo_pid_s,sourceProcessInfo_pidStarttime_t [UTC],sourceProcessInfo_storyline_s,sourceProcessInfo_subsystem_s,sourceProcessInfo_uniqueId_s,sourceProcessInfo_user_s,targetProcessInfo_tgtFileCreatedAt_t [UTC],targetProcessInfo_tgtFileHashSha1_s,targetProcessInfo_tgtFileHashSha256_s,targetProcessInfo_tgtFileId_s,targetProcessInfo_tgtFileIsSigned_s,targetProcessInfo_tgtFileModifiedAt_t [UTC],targetProcessInfo_tgtFilePath_s,targetProcessInfo_tgtProcIntegrityLevel_s,targetProcessInfo_tgtProcessStartTime_t 
[UTC],agentUpdatedVersion_s,agentId_s,hash_s,osFamily_s,threatId_s,creator_s,creatorId_s,inherits_b,isDefault_b,name_s,registrationToken_s,totalAgents_d,type_s,agentDetectionInfo_accountId_s,agentDetectionInfo_accountName_s,agentDetectionInfo_agentDetectionState_s,agentDetectionInfo_agentDomain_s,agentDetectionInfo_agentIpV4_s,agentDetectionInfo_agentIpV6_s,agentDetectionInfo_agentLastLoggedInUserName_s,agentDetectionInfo_agentMitigationMode_s,agentDetectionInfo_agentOsName_s,agentDetectionInfo_agentOsRevision_s,agentDetectionInfo_agentRegisteredAt_t [UTC],agentDetectionInfo_agentUuid_g,agentDetectionInfo_agentVersion_s,agentDetectionInfo_externalIp_s,agentDetectionInfo_groupId_s,agentDetectionInfo_groupName_s,agentDetectionInfo_siteId_s,agentDetectionInfo_siteName_s,agentRealtimeInfo_accountId_s,agentRealtimeInfo_accountName_s,agentRealtimeInfo_activeThreats_d,agentRealtimeInfo_agentComputerName_s,agentRealtimeInfo_agentDomain_s,agentRealtimeInfo_agentId_s,agentRealtimeInfo_agentInfected_b,agentRealtimeInfo_agentIsActive_b,agentRealtimeInfo_agentIsDecommissioned_b,agentRealtimeInfo_agentMachineType_s,agentRealtimeInfo_agentMitigationMode_s,agentRealtimeInfo_agentNetworkStatus_s,agentRealtimeInfo_agentOsName_s,agentRealtimeInfo_agentOsRevision_s,agentRealtimeInfo_agentOsType_s,agentRealtimeInfo_agentUuid_g,agentRealtimeInfo_agentVersion_s,agentRealtimeInfo_groupId_s,agentRealtimeInfo_groupName_s,agentRealtimeInfo_networkInterfaces_s,agentRealtimeInfo_operationalState_s,agentRealtimeInfo_rebootRequired_b,agentRealtimeInfo_scanFinishedAt_t [UTC],agentRealtimeInfo_scanStartedAt_t 
[UTC],agentRealtimeInfo_scanStatus_s,agentRealtimeInfo_siteId_s,agentRealtimeInfo_siteName_s,agentRealtimeInfo_userActionsNeeded_s,indicators_s,mitigationStatus_s,threatInfo_analystVerdict_s,threatInfo_analystVerdictDescription_s,threatInfo_automaticallyResolved_b,threatInfo_certificateId_s,threatInfo_classification_s,threatInfo_classificationSource_s,threatInfo_cloudFilesHashVerdict_s,threatInfo_collectionId_s,threatInfo_confidenceLevel_s,threatInfo_createdAt_t [UTC],threatInfo_detectionEngines_s,threatInfo_detectionType_s,threatInfo_engines_s,threatInfo_externalTicketExists_b,threatInfo_failedActions_b,threatInfo_fileExtension_s,threatInfo_fileExtensionType_s,threatInfo_filePath_s,threatInfo_fileSize_d,threatInfo_fileVerificationType_s,threatInfo_identifiedAt_t [UTC],threatInfo_incidentStatus_s,threatInfo_incidentStatusDescription_s,threatInfo_initiatedBy_s,threatInfo_initiatedByDescription_s,threatInfo_isFileless_b,threatInfo_isValidCertificate_b,threatInfo_mitigatedPreemptively_b,threatInfo_mitigationStatus_s,threatInfo_mitigationStatusDescription_s,threatInfo_originatorProcess_s,threatInfo_pendingActions_b,threatInfo_processUser_s,threatInfo_publisherName_s,threatInfo_reachedEventsLimit_b,threatInfo_rebootRequired_b,threatInfo_sha1_s,threatInfo_storyline_s,threatInfo_threatId_s,threatInfo_threatName_s,threatInfo_updatedAt_t [UTC],whiteningOptions_s,threatInfo_maliciousProcessArguments_s,threatInfo_fileExtension_g,threatInfo_threatName_g,threatInfo_storyline_g,accountId_s,accountName_s,activityType_d,activityUuid_g,createdAt_t [UTC],id_s,primaryDescription_s,secondaryDescription_s,siteId_s,siteName_s,updatedAt_t 
[UTC],userId_s,event_name_s,DataFields_s,description_s,comments_s,activeDirectory_computerMemberOf_s,activeDirectory_lastUserMemberOf_s,activeThreats_d,agentVersion_s,allowRemoteShell_b,appsVulnerabilityStatus_s,computerName_s,consoleMigrationStatus_s,coreCount_d,cpuCount_d,cpuId_s,detectionState_s,domain_s,encryptedApplications_b,externalId_s,externalIp_s,firewallEnabled_b,firstFullModeTime_t [UTC],fullDiskScanLastUpdatedAt_t [UTC],groupId_s,groupIp_s,groupName_s,inRemoteShellSession_b,infected_b,installerType_s,isActive_b,isDecommissioned_b,isPendingUninstall_b,isUninstalled_b,isUpToDate_b,lastActiveDate_t [UTC],lastIpToMgmt_s,lastLoggedInUserName_s,licenseKey_s,locationEnabled_b,locationType_s,locations_s,machineType_s,mitigationMode_s,mitigationModeSuspicious_s,modelName_s,networkInterfaces_s,networkQuarantineEnabled_b,networkStatus_s,operationalState_s,osArch_s,osName_s,osRevision_s,osStartTime_t [UTC],osType_s,rangerStatus_s,rangerVersion_s,registeredAt_t [UTC],remoteProfilingState_s,scanFinishedAt_t [UTC],scanStartedAt_t [UTC],scanStatus_s,serialNumber_s,showAlertIcon_b,tags_sentinelone_s,threatRebootRequired_b,totalMemory_d,userActionsNeeded_s,uuid_g,osUsername_s,scanAbortedAt_t [UTC],activeDirectory_computerDistinguishedName_s,activeDirectory_lastUserDistinguishedName_s,Type,_ResourceId -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,/usr/sbin/sendmail.postfix,sendmail.postfix,44031,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,73fb37d5-cf36-ab66-cc74-edb26cd47d93,727f2aad-3209-c937-7a56-8e04d9b72a60,73fb41c2-2d0e-fbde-7534-9b3fb198f4a0,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 
3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733148765679480423,Undefined,"7/20/2023, 6:57:02 AM",01H5S1B1DE1FQ1GQAM9BXQ29RT_3,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:57:13 AM",STAR,"7/20/2023, 6:57:13 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44027,"7/20/2023, 6:55:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:55:01 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44032,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,73fb37d5-cf36-ab66-cc74-edb26cd47d93,727f2aad-3209-c937-7a56-8e04d9b72a60,73fb41c2-2d0e-fbde-7534-9b3fb198f4a0,727f2aad-3209-c937-7a56-8e04d9b72a60,73fb420c-d665-d3f6-59dd-0a5d1d0e71f2,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733148770502930615,Undefined,"7/20/2023, 6:57:02 AM",01H5S1B1DE1FQ1GQAM9BXQ29RT_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:57:14 AM",STAR,"7/20/2023, 6:57:14 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond 
-n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44027,"7/20/2023, 6:55:01 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44031,"7/20/2023, 6:55:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:55:01 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,/usr/sbin/sendmail.postfix,sendmail.postfix,44042,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,730930f9-359e-ed7b-6a03-319b08f7fe76,727f2aad-3209-c937-7a56-8e04d9b72a60,73093e27-8ead-6ead-9311-613babbbf6ce,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733148924400348839,Undefined,"7/20/2023, 6:57:20 AM",01H5S1CW09T3Y9PJPD6M1BR9W6_3,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:57:32 AM",STAR,"7/20/2023, 6:57:32 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44038,"7/20/2023, 6:56:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:56:02 
AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44043,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,730930f9-359e-ed7b-6a03-319b08f7fe76,727f2aad-3209-c937-7a56-8e04d9b72a60,73093e27-8ead-6ead-9311-613babbbf6ce,727f2aad-3209-c937-7a56-8e04d9b72a60,73093eac-5267-0e8d-984e-89194dce2324,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733148925750914908,Undefined,"7/20/2023, 6:57:20 AM",01H5S1CW09T3Y9PJPD6M1BR9W6_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:57:32 AM",STAR,"7/20/2023, 6:57:32 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44038,"7/20/2023, 6:56:01 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44042,"7/20/2023, 6:56:02 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:56:02 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f 
root,/usr/sbin/sendmail.postfix,sendmail.postfix,44054,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,73175795-3d2f-91c7-bdb1-9a00c3b4e6f9,727f2aad-3209-c937-7a56-8e04d9b72a60,7317600a-da57-51e1-f547-19c0f33270a9,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733149316643306388,Undefined,"7/20/2023, 6:58:08 AM",01H5S1EPKA5T8SG6SJ2PFAKNQF_3,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:58:19 AM",STAR,"7/20/2023, 6:58:19 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44050,"7/20/2023, 6:57:02 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:57:02 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44055,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,73175795-3d2f-91c7-bdb1-9a00c3b4e6f9,727f2aad-3209-c937-7a56-8e04d9b72a60,7317600a-da57-51e1-f547-19c0f33270a9,727f2aad-3209-c937-7a56-8e04d9b72a60,731760e0-a8a1-0e25-fb68-c809b79a0fcd,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 
3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733149346213152017,Undefined,"7/20/2023, 6:58:08 AM",01H5S1EPKA5T8SG6SJ2PFAKNQF_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:58:22 AM",STAR,"7/20/2023, 6:58:22 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44050,"7/20/2023, 6:57:02 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44054,"7/20/2023, 6:57:02 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:57:02 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,/usr/sbin/sendmail.postfix,sendmail.postfix,44065,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,73252052-1f72-a515-eb0b-f5620305688a,727f2aad-3209-c937-7a56-8e04d9b72a60,73252e29-0db9-6ca2-c3de-049bfeac30ff,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733149846878878571,Undefined,"7/20/2023, 6:59:07 AM",01H5S1GH6B620AGDRX5MF9M52M_3,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:59:22 AM",STAR,"7/20/2023, 6:59:22 AM",1733129064452659707,Process 
Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44061,"7/20/2023, 6:58:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:58:01 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44066,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,73252052-1f72-a515-eb0b-f5620305688a,727f2aad-3209-c937-7a56-8e04d9b72a60,73252e29-0db9-6ca2-c3de-049bfeac30ff,727f2aad-3209-c937-7a56-8e04d9b72a60,73252ed6-aff1-c3f8-48c2-765f7b668d7c,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733149885760080787,Undefined,"7/20/2023, 6:59:07 AM",01H5S1GH6B620AGDRX5MF9M52M_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:59:27 AM",STAR,"7/20/2023, 6:59:27 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44061,"7/20/2023, 6:58:01 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44065,"7/20/2023, 6:58:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 
6:58:01 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /bin/sh -c /usr/local/demisto/d1_Test2/upgrade_engine.sh >> /tmp/d1_Test2/demisto_install.log,/usr/bin/bash,bash,44075,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,7333194b-17ac-0f64-4f1c-59ba42bb7da6,727f2aad-3209-c937-7a56-8e04d9b72a60,733322a5-11bb-42e8-c701-7a97051c8a5b,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733150283338197007,Undefined,"7/20/2023, 7:00:06 AM",01H5S1JBSA1YTHPHEXZY2S2G0T_2,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:00:14 AM",STAR,"7/20/2023, 7:00:14 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44073,"7/20/2023, 6:59:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:59:01 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop 
-r,/usr/sbin/postdrop,postdrop,44078,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,7333194b-17ac-0f64-4f1c-59ba42bb7da6,727f2aad-3209-c937-7a56-8e04d9b72a60,733322de-7b5c-6a26-b302-869f3832cbed,727f2aad-3209-c937-7a56-8e04d9b72a60,73332352-8023-8eb1-c3a3-410efe8eeb38,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733150304594931242,Undefined,"7/20/2023, 7:00:06 AM",01H5S1JBSA1YTHPHEXZY2S2G0T_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:00:16 AM",STAR,"7/20/2023, 7:00:16 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44073,"7/20/2023, 6:59:01 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44077,"7/20/2023, 6:59:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:59:01 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44088,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,73411224-c58f-479c-e68d-2bc957ae28d3,727f2aad-3209-c937-7a56-8e04d9b72a60,73414081-5469-2510-07c3-5b74509a4475,727f2aad-3209-c937-7a56-8e04d9b72a60,734140eb-56bf-9270-ae70-d0582e8de351,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 
3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733150821383560341,Undefined,"7/20/2023, 7:01:07 AM",01H5S1M6C8NJZ7KGNVCFBHK3VP_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:01:18 AM",STAR,"7/20/2023, 7:01:18 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44083,"7/20/2023, 7:00:01 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44087,"7/20/2023, 7:00:02 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:00:02 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,/usr/sbin/sendmail.postfix,sendmail.postfix,44087,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,73411224-c58f-479c-e68d-2bc957ae28d3,727f2aad-3209-c937-7a56-8e04d9b72a60,73414081-5469-2510-07c3-5b74509a4475,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733150886101677643,Undefined,"7/20/2023, 7:01:07 AM",01H5S1M6C8NJZ7KGNVCFBHK3VP_3,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:01:26 AM",STAR,"7/20/2023, 7:01:26 AM",1733129064452659707,Process 
Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44083,"7/20/2023, 7:00:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:00:02 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/unix_chkpwd root chkexpiry,/usr/sbin/unix_chkpwd,unix_chkpwd,44098,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,734f38fd-17b6-7142-0580-c5bd4a6fd003,727f2aad-3209-c937-7a56-8e04d9b72a60,734f3932-0c7f-4e05-bfff-063d6b0c92eb,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733151254411937804,Undefined,"7/20/2023, 7:02:07 AM",01H5S1P0Z9027WQRD3PNDF55V0_1,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:02:10 AM",STAR,"7/20/2023, 7:02:10 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44097,"7/20/2023, 7:01:02 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:01:02 
AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44102,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,734f38fd-17b6-7142-0580-c5bd4a6fd003,727f2aad-3209-c937-7a56-8e04d9b72a60,734f42ea-ba31-4ac2-1273-59fe44124624,727f2aad-3209-c937-7a56-8e04d9b72a60,734f4380-8299-a345-7dd9-8723e4b66bec,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733151315011247472,Undefined,"7/20/2023, 7:02:07 AM",01H5S1P0Z9027WQRD3PNDF55V0_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:02:17 AM",STAR,"7/20/2023, 7:02:17 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44097,"7/20/2023, 7:01:02 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44101,"7/20/2023, 7:01:02 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:01:02 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /bin/sh -c /usr/local/demisto/d1_Test2/upgrade_engine.sh >> 
/tmp/d1_Test2/demisto_install.log,/usr/bin/bash,bash,44109,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,735d01e8-402b-affb-12de-4741599ea560,727f2aad-3209-c937-7a56-8e04d9b72a60,735d0a85-074c-1c9d-7ba8-49901518524b,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733151796769051638,Undefined,"7/20/2023, 7:03:07 AM",01H5S1QVJCZMW7ZPZR8JGBQBND_2,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:03:14 AM",STAR,"7/20/2023, 7:03:14 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44107,"7/20/2023, 7:02:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:02:01 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44112,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,735d01e8-402b-affb-12de-4741599ea560,727f2aad-3209-c937-7a56-8e04d9b72a60,735d0a9e-eef8-6094-bc77-c95b9a8c2b34,727f2aad-3209-c937-7a56-8e04d9b72a60,735d0b74-844c-af22-aa4a-433abde9c7a9,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 
3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733151817899957892,Undefined,"7/20/2023, 7:03:07 AM",01H5S1QVJCZMW7ZPZR8JGBQBND_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:03:17 AM",STAR,"7/20/2023, 7:03:17 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44107,"7/20/2023, 7:02:01 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44111,"7/20/2023, 7:02:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:02:01 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44124,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,736afa1a-7181-0a1c-b160-6d7da000a15d,727f2aad-3209-c937-7a56-8e04d9b72a60,736b0393-0386-ba70-5da1-2c09cf3433f6,727f2aad-3209-c937-7a56-8e04d9b72a60,736b0422-db47-f377-3d29-85f017d9f67f,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733152335980434987,Undefined,"7/20/2023, 7:04:07 AM",01H5S1SP59R24VZ5C4YRRQVRH7_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:04:19 AM",STAR,"7/20/2023, 7:04:19 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process 
Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44119,"7/20/2023, 7:03:01 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44123,"7/20/2023, 7:03:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:03:01 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/unix_chkpwd root chkexpiry,/usr/sbin/unix_chkpwd,unix_chkpwd,44120,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,736afa1a-7181-0a1c-b160-6d7da000a15d,727f2aad-3209-c937-7a56-8e04d9b72a60,736afa63-ed30-cc33-824b-b8dadff8a989,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733152339512039369,Undefined,"7/20/2023, 7:04:07 AM",01H5S1SP59R24VZ5C4YRRQVRH7_1,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:04:19 AM",STAR,"7/20/2023, 7:04:19 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44119,"7/20/2023, 7:03:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:03:01 
AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /bin/sh -c /usr/local/demisto/d1_Test2/upgrade_engine.sh >> /tmp/d1_Test2/demisto_install.log,/usr/bin/bash,bash,44132,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,7378f36b-3f84-3586-8482-9d904ea960df,727f2aad-3209-c937-7a56-8e04d9b72a60,73792846-4f61-1bc2-4505-aa7291b30f42,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733152872348083087,Undefined,"7/20/2023, 7:05:07 AM",01H5S1VGR81T56G4ZCKR5V7N29_2,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:05:23 AM",STAR,"7/20/2023, 7:05:23 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44130,"7/20/2023, 7:04:02 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:04:02 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop 
-r,/usr/sbin/postdrop,postdrop,44135,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,7378f36b-3f84-3586-8482-9d904ea960df,727f2aad-3209-c937-7a56-8e04d9b72a60,73792885-f06d-ebe3-9fd2-16c6bbeeb4f6,727f2aad-3209-c937-7a56-8e04d9b72a60,73792a93-b3f1-a4a6-2706-a764c17d214e,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1733152884981327901,Undefined,"7/20/2023, 7:05:07 AM",01H5S1VGR81T56G4ZCKR5V7N29_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:05:24 AM",STAR,"7/20/2023, 7:05:24 AM",1733129064452659707,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44130,"7/20/2023, 7:04:02 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44134,"7/20/2023, 7:04:02 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:04:02 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, \ No newline at end of file +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,/usr/sbin/sendmail.postfix,sendmail.postfix,44031,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,73fb37d5-cf36-ab66-cc74-edb26cd47d93,727f2aad-3209-c937-7a56-8e04d9b72a60,73fb41c2-2d0e-fbde-7534-9b3fb198f4a0,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 
3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73314876567948E+018,Undefined,"7/20/2023, 6:57:02 AM",01H5S1B1DE1FQ1GQAM9BXQ29RT_3,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:57:13 AM",STAR,"7/20/2023, 6:57:13 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44027,"7/20/2023, 6:55:01 AM",,unknown,,NT AUTHORITY\SYSTEM,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:55:01 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44032,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,73fb37d5-cf36-ab66-cc74-edb26cd47d93,727f2aad-3209-c937-7a56-8e04d9b72a60,73fb41c2-2d0e-fbde-7534-9b3fb198f4a0,727f2aad-3209-c937-7a56-8e04d9b72a60,73fb420c-d665-d3f6-59dd-0a5d1d0e71f2,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73314877050293E+018,Undefined,"7/20/2023, 6:57:02 AM",01H5S1B1DE1FQ1GQAM9BXQ29RT_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:57:14 AM",STAR,"7/20/2023, 6:57:14 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, 
/usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44027,"7/20/2023, 6:55:01 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44031,"7/20/2023, 6:55:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:55:01 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,/usr/sbin/sendmail.postfix,sendmail.postfix,44042,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,730930f9-359e-ed7b-6a03-319b08f7fe76,727f2aad-3209-c937-7a56-8e04d9b72a60,73093e27-8ead-6ead-9311-613babbbf6ce,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73314892440035E+018,Undefined,"7/20/2023, 6:57:20 AM",01H5S1CW09T3Y9PJPD6M1BR9W6_3,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:57:32 AM",STAR,"7/20/2023, 6:57:32 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44038,"7/20/2023, 6:56:01 AM",,unknown,,NT AUTHORITY\SYSTEM,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 
AM",,unknown,"7/20/2023, 6:56:02 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44043,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,730930f9-359e-ed7b-6a03-319b08f7fe76,727f2aad-3209-c937-7a56-8e04d9b72a60,73093e27-8ead-6ead-9311-613babbbf6ce,727f2aad-3209-c937-7a56-8e04d9b72a60,73093eac-5267-0e8d-984e-89194dce2324,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73314892575091E+018,Undefined,"7/20/2023, 6:57:20 AM",01H5S1CW09T3Y9PJPD6M1BR9W6_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:57:32 AM",STAR,"7/20/2023, 6:57:32 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44038,"7/20/2023, 6:56:01 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44042,"7/20/2023, 6:56:02 AM",,unknown,,NT AUTHORITY\SYSTEM,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:56:02 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, 
/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,/usr/sbin/sendmail.postfix,sendmail.postfix,44054,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,73175795-3d2f-91c7-bdb1-9a00c3b4e6f9,727f2aad-3209-c937-7a56-8e04d9b72a60,7317600a-da57-51e1-f547-19c0f33270a9,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73314931664331E+018,Undefined,"7/20/2023, 6:58:08 AM",01H5S1EPKA5T8SG6SJ2PFAKNQF_3,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:58:19 AM",STAR,"7/20/2023, 6:58:19 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44050,"7/20/2023, 6:57:02 AM",,unknown,,NT AUTHORITY\SYSTEM,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:57:02 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44055,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,73175795-3d2f-91c7-bdb1-9a00c3b4e6f9,727f2aad-3209-c937-7a56-8e04d9b72a60,7317600a-da57-51e1-f547-19c0f33270a9,727f2aad-3209-c937-7a56-8e04d9b72a60,731760e0-a8a1-0e25-fb68-c809b79a0fcd,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 
3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73314934621315E+018,Undefined,"7/20/2023, 6:58:08 AM",01H5S1EPKA5T8SG6SJ2PFAKNQF_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:58:22 AM",STAR,"7/20/2023, 6:58:22 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44050,"7/20/2023, 6:57:02 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44054,"7/20/2023, 6:57:02 AM",,unknown,,NT AUTHORITY\SYSTEM,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:57:02 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,/usr/sbin/sendmail.postfix,sendmail.postfix,44065,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,73252052-1f72-a515-eb0b-f5620305688a,727f2aad-3209-c937-7a56-8e04d9b72a60,73252e29-0db9-6ca2-c3de-049bfeac30ff,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73314984687888E+018,Undefined,"7/20/2023, 6:59:07 AM",01H5S1GH6B620AGDRX5MF9M52M_3,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:59:22 AM",STAR,"7/20/2023, 6:59:22 
AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44061,"7/20/2023, 6:58:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:58:01 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:10:09 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44066,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,73252052-1f72-a515-eb0b-f5620305688a,727f2aad-3209-c937-7a56-8e04d9b72a60,73252e29-0db9-6ca2-c3de-049bfeac30ff,727f2aad-3209-c937-7a56-8e04d9b72a60,73252ed6-aff1-c3f8-48c2-765f7b668d7c,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73314988576008E+018,Undefined,"7/20/2023, 6:59:07 AM",01H5S1GH6B620AGDRX5MF9M52M_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 6:59:27 AM",STAR,"7/20/2023, 6:59:27 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44061,"7/20/2023, 6:58:01 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44065,"7/20/2023, 6:58:01 AM",,unknown,,CLW547-\Crest,"1/1/1970, 12:00:00 
AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:58:01 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /bin/sh -c /usr/local/demisto/d1_Test2/upgrade_engine.sh >> /tmp/d1_Test2/demisto_install.log,/usr/bin/bash,bash,44075,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,7333194b-17ac-0f64-4f1c-59ba42bb7da6,727f2aad-3209-c937-7a56-8e04d9b72a60,733322a5-11bb-42e8-c701-7a97051c8a5b,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.7331502833382E+018,Undefined,"7/20/2023, 7:00:06 AM",01H5S1JBSA1YTHPHEXZY2S2G0T_2,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:00:14 AM",STAR,"7/20/2023, 7:00:14 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44073,"7/20/2023, 6:59:01 AM",,unknown,,CLW547-\Crest,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:59:01 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 
AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44078,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,7333194b-17ac-0f64-4f1c-59ba42bb7da6,727f2aad-3209-c937-7a56-8e04d9b72a60,733322de-7b5c-6a26-b302-869f3832cbed,727f2aad-3209-c937-7a56-8e04d9b72a60,73332352-8023-8eb1-c3a3-410efe8eeb38,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73315030459493E+018,Undefined,"7/20/2023, 7:00:06 AM",01H5S1JBSA1YTHPHEXZY2S2G0T_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:00:16 AM",STAR,"7/20/2023, 7:00:16 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44073,"7/20/2023, 6:59:01 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44077,"7/20/2023, 6:59:01 AM",,unknown,,CLW547-\Crest,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 6:59:01 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44088,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,73411224-c58f-479c-e68d-2bc957ae28d3,727f2aad-3209-c937-7a56-8e04d9b72a60,73414081-5469-2510-07c3-5b74509a4475,727f2aad-3209-c937-7a56-8e04d9b72a60,734140eb-56bf-9270-ae70-d0582e8de351,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 
3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73315082138356E+018,Undefined,"7/20/2023, 7:01:07 AM",01H5S1M6C8NJZ7KGNVCFBHK3VP_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:01:18 AM",STAR,"7/20/2023, 7:01:18 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44083,"7/20/2023, 7:00:01 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44087,"7/20/2023, 7:00:02 AM",,unknown,,CLW547-\Crest,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:00:02 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,/usr/sbin/sendmail.postfix,sendmail.postfix,44087,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,73411224-c58f-479c-e68d-2bc957ae28d3,727f2aad-3209-c937-7a56-8e04d9b72a60,73414081-5469-2510-07c3-5b74509a4475,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73315088610168E+018,Undefined,"7/20/2023, 7:01:07 AM",01H5S1M6C8NJZ7KGNVCFBHK3VP_3,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:01:26 AM",STAR,"7/20/2023, 7:01:26 
AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44083,"7/20/2023, 7:00:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:00:02 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/unix_chkpwd root chkexpiry,/usr/sbin/unix_chkpwd,unix_chkpwd,44098,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,734f38fd-17b6-7142-0580-c5bd4a6fd003,727f2aad-3209-c937-7a56-8e04d9b72a60,734f3932-0c7f-4e05-bfff-063d6b0c92eb,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73315125441194E+018,Undefined,"7/20/2023, 7:02:07 AM",01H5S1P0Z9027WQRD3PNDF55V0_1,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:02:10 AM",STAR,"7/20/2023, 7:02:10 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44097,"7/20/2023, 7:01:02 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 
7:01:02 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44102,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,734f38fd-17b6-7142-0580-c5bd4a6fd003,727f2aad-3209-c937-7a56-8e04d9b72a60,734f42ea-ba31-4ac2-1273-59fe44124624,727f2aad-3209-c937-7a56-8e04d9b72a60,734f4380-8299-a345-7dd9-8723e4b66bec,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73315131501125E+018,Undefined,"7/20/2023, 7:02:07 AM",01H5S1P0Z9027WQRD3PNDF55V0_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:02:17 AM",STAR,"7/20/2023, 7:02:17 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44097,"7/20/2023, 7:01:02 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44101,"7/20/2023, 7:01:02 AM",,unknown,,NT AUTHORITY\NETWORK SERVICE,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:01:02 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /bin/sh -c 
/usr/local/demisto/d1_Test2/upgrade_engine.sh >> /tmp/d1_Test2/demisto_install.log,/usr/bin/bash,bash,44109,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,735d01e8-402b-affb-12de-4741599ea560,727f2aad-3209-c937-7a56-8e04d9b72a60,735d0a85-074c-1c9d-7ba8-49901518524b,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73315179676905E+018,Undefined,"7/20/2023, 7:03:07 AM",01H5S1QVJCZMW7ZPZR8JGBQBND_2,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:03:14 AM",STAR,"7/20/2023, 7:03:14 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44107,"7/20/2023, 7:02:01 AM",,unknown,,NT AUTHORITY\NETWORK SERVICE,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:02:01 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44112,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,735d01e8-402b-affb-12de-4741599ea560,727f2aad-3209-c937-7a56-8e04d9b72a60,735d0a9e-eef8-6094-bc77-c95b9a8c2b34,727f2aad-3209-c937-7a56-8e04d9b72a60,735d0b74-844c-af22-aa4a-433abde9c7a9,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 
3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73315181789996E+018,Undefined,"7/20/2023, 7:03:07 AM",01H5S1QVJCZMW7ZPZR8JGBQBND_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:03:17 AM",STAR,"7/20/2023, 7:03:17 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44107,"7/20/2023, 7:02:01 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44111,"7/20/2023, 7:02:01 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:02:01 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44124,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,736afa1a-7181-0a1c-b160-6d7da000a15d,727f2aad-3209-c937-7a56-8e04d9b72a60,736b0393-0386-ba70-5da1-2c09cf3433f6,727f2aad-3209-c937-7a56-8e04d9b72a60,736b0422-db47-f377-3d29-85f017d9f67f,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73315233598044E+018,Undefined,"7/20/2023, 7:04:07 AM",01H5S1SP59R24VZ5C4YRRQVRH7_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:04:19 AM",STAR,"7/20/2023, 7:04:19 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = 
""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44119,"7/20/2023, 7:03:01 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44123,"7/20/2023, 7:03:01 AM",,unknown,,NT AUTHORITY\LOCAL SERVICE,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:03:01 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/unix_chkpwd root chkexpiry,/usr/sbin/unix_chkpwd,unix_chkpwd,44120,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,736afa1a-7181-0a1c-b160-6d7da000a15d,727f2aad-3209-c937-7a56-8e04d9b72a60,736afa63-ed30-cc33-824b-b8dadff8a989,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73315233951204E+018,Undefined,"7/20/2023, 7:04:07 AM",01H5S1SP59R24VZ5C4YRRQVRH7_1,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:04:19 AM",STAR,"7/20/2023, 7:04:19 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44119,"7/20/2023, 7:03:01 AM",,unknown,,NT AUTHORITY\LOCAL SERVICE,"1/1/1970, 12:00:00 
AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:03:01 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /bin/sh -c /usr/local/demisto/d1_Test2/upgrade_engine.sh >> /tmp/d1_Test2/demisto_install.log,/usr/bin/bash,bash,44132,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,727f2aac-c251-14b8-04a2-5518c8c26679,727f2aad-3209-c937-7a56-8e04d9b72a60,7378f36b-3f84-3586-8482-9d904ea960df,727f2aad-3209-c937-7a56-8e04d9b72a60,73792846-4f61-1bc2-4505-aa7291b30f42,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73315287234808E+018,Undefined,"7/20/2023, 7:05:07 AM",01H5S1VGR81T56G4ZCKR5V7N29_2,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:05:23 AM",STAR,"7/20/2023, 7:05:23 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,889,"7/18/2023, 8:56:05 AM",,unknown,,, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44130,"7/20/2023, 7:04:02 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:04:02 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 7:20:03 
AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, /usr/sbin/postdrop -r,/usr/sbin/postdrop,postdrop,44135,unsigned,,,727f2aad-3209-c937-7a56-8e04d9b72a60,7378f36b-3f84-3586-8482-9d904ea960df,727f2aad-3209-c937-7a56-8e04d9b72a60,73792885-f06d-ebe3-9fd2-16c6bbeeb4f6,727f2aad-3209-c937-7a56-8e04d9b72a60,73792a93-b3f1-a4a6-2706-a764c17d214e,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1.71305969317274E+018,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1.73315288498133E+018,Undefined,"7/20/2023, 7:05:07 AM",01H5S1VGR81T56G4ZCKR5V7N29_4,PROCESSCREATION,Events,Unresolved,TRUE,"7/20/2023, 7:05:24 AM",STAR,"7/20/2023, 7:05:24 AM",1.73312906445266E+018,Process Creation Test,1,events,"EventType = ""Process Creation""",site,Low,UNDEFINED, /usr/sbin/crond -n,,1c79e793d46d7867699807a3657a2b909f2071f9,,/usr/sbin/crond,,unknown,crond,44130,"7/20/2023, 7:04:02 AM",,unknown,,, /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root,,090f9f343c64158f5590276eade3bc120ca19b1a,,/usr/sbin/sendmail.postfix,,unknown,sendmail.postfix,44134,"7/20/2023, 7:04:02 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"7/20/2023, 7:04:02 AM",,,,,,,,,,,,,,1.71250023793415E+018,,,,,,,,,,,,,,,,1.71250024242206E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, diff --git a/Sample Data/ASIM/SentinelOne_ASimProcessEvent_RawLogs.json b/Sample Data/ASIM/SentinelOne_ASimProcessEvent_RawLogs.json index b6d927c4ca4..2e40b94007c 100644 --- a/Sample Data/ASIM/SentinelOne_ASimProcessEvent_RawLogs.json +++ b/Sample Data/ASIM/SentinelOne_ASimProcessEvent_RawLogs.json 
@@ -101,7 +101,7 @@
 "sourceProcessInfo_pid": 44027,
 "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:55:01 AM",
 "sourceProcessInfo_subsystem": "unknown",
- "sourceProcessInfo_user": "",
+ "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM",
 "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM",
 "targetProcessInfo_tgtFileHashSha1": "",
 "targetProcessInfo_tgtFileHashSha256": "",
@@ -705,7 +705,7 @@
 "sourceProcessInfo_pid": 44038,
 "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:56:01 AM",
 "sourceProcessInfo_subsystem": "unknown",
- "sourceProcessInfo_user": "",
+ "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM",
 "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM",
 "targetProcessInfo_tgtFileHashSha1": "",
 "targetProcessInfo_tgtFileHashSha256": "",
@@ -1007,7 +1007,7 @@
 "sourceProcessInfo_pid": 44042,
 "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:56:02 AM",
 "sourceProcessInfo_subsystem": "unknown",
- "sourceProcessInfo_user": "",
+ "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM",
 "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM",
 "targetProcessInfo_tgtFileHashSha1": "",
 "targetProcessInfo_tgtFileHashSha256": "",
@@ -1309,7 +1309,7 @@
 "sourceProcessInfo_pid": 44050,
 "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:57:02 AM",
 "sourceProcessInfo_subsystem": "unknown",
- "sourceProcessInfo_user": "",
+ "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM",
 "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM",
 "targetProcessInfo_tgtFileHashSha1": "",
 "targetProcessInfo_tgtFileHashSha256": "",
@@ -1611,7 +1611,7 @@
 "sourceProcessInfo_pid": 44054,
 "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:57:02 AM",
 "sourceProcessInfo_subsystem": "unknown",
- "sourceProcessInfo_user": "",
+ "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM",
 "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM",
 "targetProcessInfo_tgtFileHashSha1": "",
 "targetProcessInfo_tgtFileHashSha256": "",
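Review bot: The `sourceProcessInfo_user` values written on the `+` lines (`NT AUTHORITY\\SYSTEM`, and `CLW547-\\Crest`, `NT AUTHORITY\\NETWORK SERVICE`, `NT AUTHORITY\\LOCAL SERVICE` in the later hunks) are Windows-style principals, while the ingested-logs CSV rows for the same pids (44050, 44054, 44065, …) describe a Linux/CentOS host. If these are constructed values meant to exercise the parser's username handling, saying so in the commit description would help, and at least one record with a plain Linux user name would also cover the format this source would emit from such a host. The same observation applies to every other hunk in this file (-705 through -5235).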
@@ -2215,7 +2215,7 @@
 "sourceProcessInfo_pid": 44065,
 "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:58:01 AM",
 "sourceProcessInfo_subsystem": "unknown",
- "sourceProcessInfo_user": "",
+ "sourceProcessInfo_user": "CLW547-\\Crest",
 "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM",
 "targetProcessInfo_tgtFileHashSha1": "",
 "targetProcessInfo_tgtFileHashSha256": "",
@@ -2517,7 +2517,7 @@
 "sourceProcessInfo_pid": 44073,
 "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:59:01 AM",
 "sourceProcessInfo_subsystem": "unknown",
- "sourceProcessInfo_user": "",
+ "sourceProcessInfo_user": "CLW547-\\Crest",
 "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM",
 "targetProcessInfo_tgtFileHashSha1": "",
 "targetProcessInfo_tgtFileHashSha256": "",
@@ -2819,7 +2819,7 @@
 "sourceProcessInfo_pid": 44077,
 "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 6:59:01 AM",
 "sourceProcessInfo_subsystem": "unknown",
- "sourceProcessInfo_user": "",
+ "sourceProcessInfo_user": "CLW547-\\Crest",
 "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM",
 "targetProcessInfo_tgtFileHashSha1": "",
 "targetProcessInfo_tgtFileHashSha256": "",
@@ -3121,7 +3121,7 @@
 "sourceProcessInfo_pid": 44087,
 "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:00:02 AM",
 "sourceProcessInfo_subsystem": "unknown",
- "sourceProcessInfo_user": "",
+ "sourceProcessInfo_user": "CLW547-\\Crest",
 "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM",
 "targetProcessInfo_tgtFileHashSha1": "",
 "targetProcessInfo_tgtFileHashSha256": "",
@@ -4027,7 +4027,7 @@
 "sourceProcessInfo_pid": 44101,
 "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:01:02 AM",
 "sourceProcessInfo_subsystem": "unknown",
- "sourceProcessInfo_user": "",
+ "sourceProcessInfo_user": "NT AUTHORITY\\NETWORK SERVICE",
 "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM",
 "targetProcessInfo_tgtFileHashSha1": "",
 "targetProcessInfo_tgtFileHashSha256": "",
@@ -4329,7 +4329,7 @@
 "sourceProcessInfo_pid": 44107,
 "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:02:01 AM",
 "sourceProcessInfo_subsystem": "unknown",
- "sourceProcessInfo_user": "",
+ "sourceProcessInfo_user": "NT AUTHORITY\\NETWORK SERVICE",
 "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM",
 "targetProcessInfo_tgtFileHashSha1": "",
 "targetProcessInfo_tgtFileHashSha256": "",
@@ -4933,7 +4933,7 @@
 "sourceProcessInfo_pid": 44123,
 "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:03:01 AM",
 "sourceProcessInfo_subsystem": "unknown",
- "sourceProcessInfo_user": "",
+ "sourceProcessInfo_user": "NT AUTHORITY\\LOCAL SERVICE",
 "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM",
 "targetProcessInfo_tgtFileHashSha1": "",
 "targetProcessInfo_tgtFileHashSha256": "",
@@ -5235,7 +5235,7 @@
 "sourceProcessInfo_pid": 44119,
 "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 7:03:01 AM",
 "sourceProcessInfo_subsystem": "unknown",
- "sourceProcessInfo_user": "",
+ "sourceProcessInfo_user": "NT AUTHORITY\\LOCAL SERVICE",
 "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM",
 "targetProcessInfo_tgtFileHashSha1": "",
 "targetProcessInfo_tgtFileHashSha256": "",
From d7c67f2c54ed3eb6deeb66be3ef45de58b5e5845 Mon Sep 17 00:00:00 2001
From: Jayesh Prajapati
Date: Tue, 26 Sep 2023 18:00:26 +0530
Subject: [PATCH 9/9] Corrected the sequence of filters to fix the validation error.

---
 .../Parsers/vimProcessCreateSentinelOne.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Parsers/ASimProcessEvent/Parsers/vimProcessCreateSentinelOne.yaml b/Parsers/ASimProcessEvent/Parsers/vimProcessCreateSentinelOne.yaml
index 8e56287e1c5..d40656aec75 100644
--- a/Parsers/ASimProcessEvent/Parsers/vimProcessCreateSentinelOne.yaml
+++ b/Parsers/ASimProcessEvent/Parsers/vimProcessCreateSentinelOne.yaml
@@ -52,12 +52,12 @@ ParserParams:
 - Name: dvchostname_has_any
 Type: dynamic
 Default: dynamic([])
- - Name: hashes_has_any
- Type: dynamic
- Default: dynamic([])
 - Name: eventtype
 Type: string
 Default: '*'
+ - Name: hashes_has_any
+ Type: dynamic
+ Default: dynamic([])
 - Name: disabled
 Type: bool
 Default: false
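Review bot: The ParserParams list is the positional signature of the generated function, so moving `hashes_has_any` after `eventtype` is only safe if every positional caller — notably the union parser in imProcess.yaml, which this series also touches — passes its arguments in the same order; that call site is outside this hunk. It is worth confirming that the new order now matches the other vimProcessCreate* parsers in the folder, since the validation error this fixes presumably comes from that comparison. The KQL in ParserQuery that consumes these parameters is outside the hunk as well.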