ASIM Process Event schema parser with its sample and test data for SentinelOne #8669

Merged: 12 commits, Sep 27, 2023
900 changes: 900 additions & 0 deletions .script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json


4 changes: 2 additions & 2 deletions ASIM/dev/ASimTester/ASimTester.csv
@@ -540,7 +540,7 @@ EventProduct,string,Mandatory,Common,,,
EventProduct,string,Mandatory,Dhcp,,,
EventProduct,string,Mandatory,Dns,Enumerated,Umbrella|Azure Firewall|DNS Server|Sysmon|Sysmon for Linux|ZIA DNS|NIOS|Cloud DNS|Zeek|Vectra Stream,
EventProduct,string,Mandatory,FileEvent,Enumerated,Sysmon for Linux|Sysmon|M365 Defender for Endpoint|Azure File Storage|SharePoint|OneDrive,
EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki MX|Zeek|Firewall|ASA|Cynerio,
EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki MX|Zeek|Firewall|ASA|Cynerio|SentinelOne,
EventProduct,string,Mandatory,ProcessEvent,Enumerated,M365 Defender for Endpoint|Sysmon for Linux|Sysmon|Azure Defender for IoT|Security Events,
EventProduct,string,Mandatory,RegistryEvent,Enumerated,M365 Defender for Endpoint|Security Events|Sysmon|Windows Event,
EventProduct,string,Mandatory,UserManagement,,,
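Review bot: the row being extended is the NetworkSession enumeration, but this PR adds a ProcessEvent parser that emits `EventProduct = "SentinelOne"` with `EventSchema = "ProcessEvent"`; the ProcessEvent row in the unchanged context (`EventProduct,string,Mandatory,ProcessEvent,Enumerated,M365 Defender for Endpoint|Sysmon for Linux|Sysmon|Azure Defender for IoT|Security Events,`) is not touched, so the tester will still reject the new parser's EventProduct value. Add `SentinelOne` to the ProcessEvent row, and only keep it on NetworkSession if a SentinelOne network-session parser is in scope.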
@@ -668,7 +668,7 @@ EventVendor,string,Mandatory,Common,,,
EventVendor,string,Mandatory,Dhcp,,,
EventVendor,string,Mandatory,Dns,Enumerated,Cisco|Corelight|GCP|Infoblox|Microsoft|Zscaler|Vectra AI,
EventVendor,string,Mandatory,FileEvent,Enumerated,Microsoft,
EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio,
EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio|SentinelOne,
EventVendor,string,Mandatory,ProcessEvent,Enumerated,Microsoft,
EventVendor,string,Mandatory,UserManagement,,,
EventVendor,string,Mandatory,WebSession,Enumerated,Microsoft|Squid|Zscaler|Vectra AI|Palo Alto|WatchGuard|Cisco|Forcepoint|Corelight|Dataminr,
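Review bot: same issue as the EventProduct hunk: `SentinelOne` is appended to the NetworkSession vendor list while the ProcessEvent vendor row (`EventVendor,string,Mandatory,ProcessEvent,Enumerated,Microsoft,`) keeps only `Microsoft`, so the new parser's `EventVendor = "SentinelOne"` will fail the enumeration check for the schema it actually targets. Move (or copy) the addition to the ProcessEvent row.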
153 changes: 153 additions & 0 deletions Parsers/ASimProcessEvent/Parsers/ASimProcessCreateSentinelOne.yaml
@@ -0,0 +1,153 @@
Parser:
Title: Process Create ASIM parser for SentinelOne
Version: '0.1.0'
LastUpdated: Sep 18, 2023
Product:
Name: SentinelOne
Normalization:
Schema: ProcessEvent
Version: '0.1.4'
References:
- Title: ASIM ProcessEvent Schema
Link: https://aka.ms/ASimProcessEventDoc
- Title: ASIM
Link: https://aka.ms/AboutASIM
- Title: SentinelOne Documentation
- Link: https://<SOneInstanceDomain>.sentinelone.net/api-doc/overview
Description: |
This ASIM parser supports normalizing SentinelOne logs to the ASIM Process Event normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API.
ParserName: ASimProcessCreateSentinelOne
EquivalentBuiltInParser: _ASim_ProcessCreate_SentinelOne
ParserParams:
- Name: disabled
Type: bool
Default: false
ParserQuery: |
let ThreatConfidenceLookup_undefined = datatable(
alertInfo_analystVerdict_s: string,
ThreatConfidence_undefined: int
)
[
"FALSE_POSITIVE", 5,
"Undefined", 15,
"SUSPICIOUS", 25,
"TRUE_POSITIVE", 33
];
let ThreatConfidenceLookup_suspicious = datatable(
alertInfo_analystVerdict_s: string,
ThreatConfidence_suspicious: int
)
[
"FALSE_POSITIVE", 40,
"Undefined", 50,
"SUSPICIOUS", 60,
"TRUE_POSITIVE", 67
];
let ThreatConfidenceLookup_malicious = datatable(
alertInfo_analystVerdict_s: string,
ThreatConfidence_malicious: int
)
[
"FALSE_POSITIVE", 75,
"Undefined", 80,
"SUSPICIOUS", 90,
"TRUE_POSITIVE", 100
];
let parser = (disabled: bool=false) {
let alldata = SentinelOne_CL
| where not(disabled)
and event_name_s == "Alerts."
and alertInfo_eventType_s == "PROCESSCREATION";
let undefineddata = alldata
| where ruleInfo_treatAsThreat_s == "UNDEFINED"
| lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;
let suspiciousdata = alldata
| where ruleInfo_treatAsThreat_s == "Suspicious"
| lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;
let maaliciousdata = alldata
| where ruleInfo_treatAsThreat_s == "Malicious"
| lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;
union undefineddata, suspiciousdata, maaliciousdata
| extend ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)
| project-rename
DvcId = agentDetectionInfo_uuid_g,
EventStartTime = sourceProcessInfo_pidStarttime_t,
TargetProcessCommandLine = targetProcessInfo_tgtProcCmdLine_s,
TargetProcessId = targetProcessInfo_tgtProcPid_s,
TargetProcessName = targetProcessInfo_tgtProcName_s,
EventUid = _ItemId,
TargetProcessCreationTime = targetProcessInfo_tgtProcessStartTime_t,
ActingProcessName = sourceProcessInfo_name_s,
ParentProcessName = sourceParentProcessInfo_name_s,
ActingProcessCommandLine = sourceProcessInfo_commandline_s,
ActingProcessGuid = sourceProcessInfo_uniqueId_g,
ActingProcessSHA1 = sourceProcessInfo_fileHashSha1_s,
ParentProcessSHA1 = sourceParentProcessInfo_fileHashSha1_s,
ActingProcessSHA256 = sourceProcessInfo_fileHashSha256_s,
ParentProcessSHA256 = sourceParentProcessInfo_fileHashSha256_s,
DvcOs = agentDetectionInfo_osName_s,
DvcOsVersion = agentDetectionInfo_osRevision_s,
TargetProcessIntegrityLevel = targetProcessInfo_tgtProcIntegrityLevel_s,
EventOriginalType = alertInfo_eventType_s,
EventOriginalSeverity = ruleInfo_severity_s,
EventOriginalUid = alertInfo_dvEventId_s,
RuleName = ruleInfo_name_s,
ThreatOriginalConfidence = ruleInfo_treatAsThreat_s
| invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')
| extend
ActingProcessId = sourceProcessInfo_pid_s,
ActorUsername = sourceProcessInfo_user_s,
TargetUsername = sourceProcessInfo_user_s,
Hash = coalesce(targetProcessInfo_tgtFileHashSha256_s, targetProcessInfo_tgtFileHashSha1_s),
ParentProcessId = sourceProcessInfo_pid_s,
TargetProcessSHA1 = targetProcessInfo_tgtFileHashSha1_s,
TargetProcessSHA256 = targetProcessInfo_tgtFileHashSha256_s,
ParentProcessMD5 = replace_string(sourceParentProcessInfo_fileHashMd5_g, "-", ""),
ActingProcessMD5 = replace_string(sourceProcessInfo_fileHashMd5_g, "-", ""),
EventSeverity = iff(EventOriginalSeverity == "Critical", "High", EventOriginalSeverity)
| extend
EventCount = int(1),
EventProduct = "SentinelOne",
EventResult = "Success",
DvcAction = "Allowed",
EventSchemaVersion = "0.1.4",
EventType = "ProcessCreated",
EventVendor = "SentinelOne",
EventSchema = "ProcessEvent"
| extend
Dvc = DvcId,
EventEndTime = EventStartTime,
User = TargetUsername,
ActingProcessCreationTime = EventStartTime,
CommandLine = TargetProcessCommandLine,
Process = TargetProcessName,
Rule = RuleName
| extend
HashType = case(
isnotempty(Hash) and isnotempty(TargetProcessSHA256),
"TargetProcessSHA256",
isnotempty(Hash) and isnotempty(TargetProcessSHA1),
"TargetProcessSHA1",
""
),
TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),
TargetUserType = _ASIM_GetUserType(TargetUsername, ""),
DvcIdType = iff(isnotempty(DvcId), "Other", ""),
ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),
ActorUserType = _ASIM_GetUserType(ActorUsername, "")
| project-away
*_d,
*_s,
*_g,
*_t,
*_b,
_ResourceId,
TenantId,
RawData,
Computer,
MG,
ManagementGroupName,
SourceSystem,
ThreatConfidence_*
};
parser(disabled=disabled)
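Review bot: the three `where ruleInfo_treatAsThreat_s == ...` branches compare case-sensitively against mixed-case literals (`"UNDEFINED"` versus `"Suspicious"` and `"Malicious"`), and any event whose value matches none of them is dropped from the union altogether instead of passing through with an empty ThreatConfidence; a single `extend ThreatConfidence = case(...)` over `alldata` (or `=~` comparisons plus a default branch) keeps every PROCESSCREATION alert. Further points in the same hunk: `ParentProcessId = sourceProcessInfo_pid_s` gives the parent field the acting process's own pid, identical to `ActingProcessId`, while the parent's name and hashes come from `sourceParentProcessInfo_*`, so the pid should come from there too if the source exposes it. `HashType` is set to the field names `"TargetProcessSHA256"` / `"TargetProcessSHA1"`, whereas the ASIM HashType enumeration carries the algorithm (`SHA256`, `SHA1`). `EventResult = "Success"` and `DvcAction = "Allowed"` are constants for every alert, including ones the rule treats as Malicious; if the source records a mitigation outcome it would be more accurate to map it. In the References block, `- Link:` opens a new list item, so the SentinelOne Documentation entry ends up as a Title-only item followed by a Link-only item; indent it as `Link:` under the Title like the two entries above. Minor: `maaliciousdata` is misspelled.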
4 changes: 3 additions & 1 deletion Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml
Expand Up @@ -29,6 +29,7 @@ Parsers:
- _ASim_ProcessEvent_TerminateMicrosoftWindowsEvents
- _ASim_ProcessEvent_CreateMicrosoftWindowsEvents
- _ASim_ProcessEvent_MD4IoT
- _ASim_ProcessEvent_CreateSentinelOne

ParserQuery: |
let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
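Review bot: the built-in name added to the Parsers list, `_ASim_ProcessEvent_CreateSentinelOne`, does not match the `EquivalentBuiltInParser: _ASim_ProcessCreate_SentinelOne` declared in the new ASimProcessCreateSentinelOne.yaml; the two must agree. The existing entries all follow the `_ASim_ProcessEvent_Create<Source>` pattern, so the parser YAML is the one to change.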
@@ -44,4 +45,5 @@ ParserQuery: |
ASimProcessTerminateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateLinuxSysmon' in (DisabledParsers) )),
ASimProcessTerminateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )),
ASimProcessCreateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )),
ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoTh' in (DisabledParsers) ))
ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoTh' in (DisabledParsers) )),
ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) ))
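Review bot: the new union member follows the existing pattern, but the line being modified keeps the `ExcludeASimProcessEventMD4IoTh` key (trailing `h`), which differs from `ExcludeASimProcessEventMD4IoT` used in the sibling union in this PR; because the disable check is a string match against the watchlist, one entry can only ever disable one of the two. Worth correcting while this line is being touched.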
@@ -24,6 +24,7 @@ Parsers:
- _ASim_ProcessEvent_CreateLinuxSysmon
- _ASim_ProcessEvent_CreateMicrosoftWindowsEvents
- _ASim_ProcessEvent_MD4IoT
- _ASim_ProcessEvent_CreateSentinelOne

ParserQuery: |
let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcessEventCreate') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
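Review bot: as in the ASimProcessEvent.yaml list, `_ASim_ProcessEvent_CreateSentinelOne` here disagrees with the `_ASim_ProcessCreate_SentinelOne` name declared as EquivalentBuiltInParser in the new parser file; align the two before merge so the built-in registration and the parser metadata refer to the same function.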
@@ -35,4 +36,5 @@ ParserQuery: |
ASimProcessCreateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) )),
ASimProcessCreateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateLinuxSysmon' in (DisabledParsers) )),
ASimProcessCreateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )),
ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) ))
ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) )),
ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) ))