ASIM Process Event schema parser with its sample and test data for SentinelOne

Parsers/ASimProcessEvent/Parsers/ASimProcessCreateSentinelOne.yaml

@@ -0,0 +1,103 @@
+Parser:
+  Title: Process Create ASIM parser for SentinelOne
+  Version: '0.1.1'
+  LastUpdated: Jul 24, 2023
+Product:
+  Name: SentinelOne
+Normalization:
+  Schema: ProcessEvent
+  Version: '0.1.4'
+References:
+- Title: ASIM ProcessEvent Schema
+  Link: https://aka.ms/ASimProcessEventDoc
+- Title: ASIM
+  Link: https://aka.ms/AboutASIM
+- Title: SentinelOne Documentation
+- Link: https://<SOneInstanceDomain>.sentinelone.net/api-doc/overview
+Description: |
+  This ASIM parser supports normalizing SentinelOne logs to the ASIM Process Event normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API.
+ParserName: ASimProcessCreateSentinelOne
+EquivalentBuiltInParser: _Im_ProcessCreate_SentinelOne
+ParserParams:
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: |
+  let parser = (disabled: bool=false) {
+      SentinelOne_CL
+      | where not(disabled) 
+          and event_name_s == "Alerts."
+          and alertInfo_eventType_s == "PROCESSCREATION" 
+      | project-rename
+          DvcId = agentDetectionInfo_uuid_g,
+          EventStartTime = sourceProcessInfo_pidStarttime_t,
+          TargetProcessCommandLine = targetProcessInfo_tgtProcCmdLine_s,
+          TargetProcessId = targetProcessInfo_tgtProcPid_s,
+          TargetProcessName = targetProcessInfo_tgtProcName_s,
+          EventUid = _ResourceId,
+          TargetProcessCreationTime = targetProcessInfo_tgtProcessStartTime_t,
+          DvcHostname = agentDetectionInfo_name_s,
+          ActingProcessName = sourceProcessInfo_name_s,
+          ParentProcessName = sourceParentProcessInfo_name_s,
+          ActingProcessCommandLine = sourceProcessInfo_commandline_s,
+          ActingProcessGuid = sourceProcessInfo_uniqueId_g,
+          ActingProcessSHA1 = sourceProcessInfo_fileHashSha1_s,
+          ParentProcessSHA1 = sourceParentProcessInfo_fileHashSha1_s,
+          ActingProcessSHA256 = sourceProcessInfo_fileHashSha256_s,
+          ParentProcessSHA256 = sourceParentProcessInfo_fileHashSha256_s,
+          DvcOs = agentDetectionInfo_osName_s,
+          DvcOsVersion = agentDetectionInfo_version_s,
+          TargetProcessIntegrityLevel = targetProcessInfo_tgtProcIntegrityLevel_s,
+          EventOriginalType = alertInfo_eventType_s,
+          EventOriginalUid = alertInfo_dvEventId_s
+      | extend
+          ActingProcessId = sourceProcessInfo_pid_s,
+          ActorUsername = coalesce(sourceProcessInfo_user_s, 'N/A'),
+          TargetUsername = coalesce(sourceProcessInfo_user_s, 'N/A'),
+          Hash = coalesce(targetProcessInfo_tgtFileHashSha256_s, targetProcessInfo_tgtFileHashSha1_s),
+          ParentProcessId = sourceProcessInfo_pid_s,
+          TargetProcessSHA1 = targetProcessInfo_tgtFileHashSha1_s,
+          TargetProcessSHA256 = targetProcessInfo_tgtFileHashSha256_s,
+          ParentProcessMD5 = replace_string(sourceParentProcessInfo_fileHashMd5_g, "-", ""),
+          ActingProcessMD5 = replace_string(sourceProcessInfo_fileHashMd5_g, "-", ""),
+          EventSeverity = iff(ruleInfo_severity_s == "Critical", "High", ruleInfo_severity_s)
+      | extend
+          EventCount = int(1),
+          EventProduct = "SentinelOne",
+          EventResult = "Success",
+          EventSchemaVersion = "0.1.4",
+          EventType = "ProcessCreated",
+          EventVendor = "SentinelOne",
+          EventSchema = "ProcessEvent"
+      | extend 
+          Dvc = DvcId,
+          EventEndTime = EventStartTime,
+          User = TargetUsername,
+          ActingProcessCreationTime = EventStartTime,
+          CommandLine = TargetProcessCommandLine,
+          Process = TargetProcessName
+      | extend 
+          HashType = case(
+                isnotempty(Hash) and isnotempty(TargetProcessSHA256),
+                "SHA256",
+                isnotempty(Hash) and isnotempty(TargetProcessSHA1),
+                "SHA1",
+                ""
+            ),
+          TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),
+          DvcIdType = iff(isnotempty(DvcId), "Other", ""),
+          ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)
+      | project-away
+          *_d,
+          *_s,
+          *_g,
+          *_t,
+          *_b,
+          TenantId,
+          RawData,
+          Computer,
+          MG,
+          ManagementGroupName,
+          SourceSystem
+  };
+  parser(disabled=disabled)

Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml

@@ -29,6 +29,7 @@ Parsers:
   - _ASim_ProcessEvent_TerminateMicrosoftWindowsEvents
   - _ASim_ProcessEvent_CreateMicrosoftWindowsEvents
   - _ASim_ProcessEvent_MD4IoT
+  - _ASim_ProcessEvent_CreateSentinelOne
 
 ParserQuery: |
   let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
@@ -44,4 +45,5 @@ ParserQuery: |
     ASimProcessTerminateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateLinuxSysmon' in (DisabledParsers) )),
     ASimProcessTerminateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )),
     ASimProcessCreateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )),
-    ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoTh' in (DisabledParsers) ))
+    ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoTh' in (DisabledParsers) )),
+    ASimProcessASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessvimProcessCreateSentinelOne' in (DisabledParsers) ))

Parsers/ASimProcessEvent/Parsers/imProcess.yaml

@@ -28,4 +28,5 @@ ParserQuery: |
     vimProcessTerminateLinuxSysmon,
     vimProcessTerminateMicrosoftWindowsEvents,
     vimProcessCreateMicrosoftWindowsEvents,
-    vimProcessEventMD4IoT
+    vimProcessEventMD4IoT,
+    vimProcessEventCreateSentinelOne

Parsers/ASimProcessEvent/Parsers/vimProcessCreateSentinelOne.yaml

@@ -0,0 +1,184 @@
+Parser:
+  Title: Process Create ASIM parser for SentinelOne
+  Version: '0.1.1'
+  LastUpdated: Jul 24, 2023
+Product:
+  Name: SentinelOne
+Normalization:
+  Schema: ProcessEvent
+  Version: '0.1.4'
+References:
+- Title: ASIM ProcessEvent Schema
+  Link: https://aka.ms/ASimProcessEventDoc
+- Title: ASIM
+  Link: https://aka.ms/AboutASIM
+- Title: SentinelOne Documentation
+- Link: https://<SOneInstanceDomain>.sentinelone.net/api-doc/overview
+Description: |
+  This ASIM parser supports normalizing SentinelOne logs to the ASIM Process Event normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API.
+ParserName: vimProcessCreateSentinelOne
+EquivalentBuiltInParser: _Im_ProcessCreate_SentinelOne
+ParserParams:
+  - Name: starttime
+    Type: datetime
+    Default: datetime(null)
+  - Name: endtime
+    Type: datetime
+    Default: datetime(null)
+  - Name: commandline_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: commandline_has_all
+    Type: dynamic
+    Default: dynamic([])
+  - Name: commandline_has_any_ip_prefix
+    Type: dynamic
+    Default: dynamic([])
+  - Name: actingprocess_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: targetprocess_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: parentprocess_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: targetusername_has
+    Type: string
+    Default: '*'
+  - Name: dvcipaddr_has_any_prefix
+    Type: dynamic
+    Default: dynamic([])
+  - Name: dvcname_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: hashes_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: eventtype
+    Type: string
+    Default: '*'
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: |
+  let parser = (
+      starttime: datetime=datetime(null),
+      endtime: datetime=datetime(null),
+      commandline_has_any: dynamic=dynamic([]),
+      commandline_has_all: dynamic=dynamic([]),
+      commandline_has_any_ip_prefix: dynamic=dynamic([]),
+      actingprocess_has_any: dynamic=dynamic([]),
+      targetprocess_has_any: dynamic=dynamic([]),
+      parentprocess_has_any: dynamic=dynamic([]),
+      targetusername_has: string='*',
+      dvcipaddr_has_any_prefix: dynamic=dynamic([]),
+      dvcname_has_any: dynamic=dynamic([]),
+      eventtype: string='*',
+      hashes_has_any: dynamic=dynamic([]),
+      disabled: bool=false) {
+      SentinelOne_CL
+      | where not(disabled)
+          and (isnull(starttime) or TimeGenerated >= starttime)
+          and (isnull(endtime) or TimeGenerated <= endtime)
+          and event_name_s == "Alerts."
+          and alertInfo_eventType_s == "PROCESSCREATION" 
+          and (eventtype == '*' or eventtype == 'PROCESSCREATION')
+          and array_length(dvcipaddr_has_any_prefix) == 0
+          and (targetusername_has == '*' or sourceProcessInfo_user_s has targetusername_has)
+          and (array_length(commandline_has_all) == 0 or targetProcessInfo_tgtProcCmdLine_s has_all (commandline_has_all))
+          and (array_length(commandline_has_any) == 0 or targetProcessInfo_tgtProcCmdLine_s has_any (commandline_has_any))
+          and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(targetProcessInfo_tgtProcCmdLine_s, commandline_has_any_ip_prefix))
+          and (array_length(actingprocess_has_any) == 0 or sourceProcessInfo_name_s has_any (actingprocess_has_any))
+          and (array_length(targetprocess_has_any) == 0 or targetProcessInfo_tgtProcName_s has_any (targetprocess_has_any))
+          and (array_length(parentprocess_has_any) == 0 or sourceParentProcessInfo_name_s has_any (parentprocess_has_any))
+          and (array_length(dvcname_has_any) == 0 or agentDetectionInfo_name_s  has_any (dvcname_has_any))
+          and array_length(hashes_has_any) == 0 or targetProcessInfo_tgtFileHashSha1_s has_any (hashes_has_any) or targetProcessInfo_tgtFileHashSha256_s has_any (hashes_has_any)
+      | project-rename
+          DvcId = agentDetectionInfo_uuid_g,
+          EventStartTime = sourceProcessInfo_pidStarttime_t,
+          TargetProcessCommandLine = targetProcessInfo_tgtProcCmdLine_s,
+          TargetProcessId = targetProcessInfo_tgtProcPid_s,
+          TargetProcessName = targetProcessInfo_tgtProcName_s,
+          EventUid = _ResourceId,
+          TargetProcessCreationTime = targetProcessInfo_tgtProcessStartTime_t,
+          DvcHostname = agentDetectionInfo_name_s,
+          ActingProcessName = sourceProcessInfo_name_s,
+          ParentProcessName = sourceParentProcessInfo_name_s,
+          ActingProcessCommandLine = sourceProcessInfo_commandline_s,
+          ActingProcessGuid = sourceProcessInfo_uniqueId_g,
+          ActingProcessSHA1 = sourceProcessInfo_fileHashSha1_s,
+          ParentProcessSHA1 = sourceParentProcessInfo_fileHashSha1_s,
+          ActingProcessSHA256 = sourceProcessInfo_fileHashSha256_s,
+          ParentProcessSHA256 = sourceParentProcessInfo_fileHashSha256_s,
+          DvcOs = agentDetectionInfo_osName_s,
+          DvcOsVersion = agentDetectionInfo_version_s,
+          TargetProcessIntegrityLevel = targetProcessInfo_tgtProcIntegrityLevel_s,
+          EventOriginalType = alertInfo_eventType_s,
+          EventOriginalUid = alertInfo_dvEventId_s
+      | extend
+          ActingProcessId = sourceProcessInfo_pid_s,
+          ActorUsername = coalesce(sourceProcessInfo_user_s, 'N/A'),
+          TargetUsername = coalesce(sourceProcessInfo_user_s, 'N/A'),
+          Hash = coalesce(targetProcessInfo_tgtFileHashSha256_s, targetProcessInfo_tgtFileHashSha1_s),
+          ParentProcessId = sourceProcessInfo_pid_s,
+          TargetProcessSHA1 = targetProcessInfo_tgtFileHashSha1_s,
+          TargetProcessSHA256 = targetProcessInfo_tgtFileHashSha256_s,
+          ParentProcessMD5 = replace_string(sourceParentProcessInfo_fileHashMd5_g, "-", ""),
+          ActingProcessMD5 = replace_string(sourceProcessInfo_fileHashMd5_g, "-", ""),
+          EventSeverity = iff(ruleInfo_severity_s == "Critical", "High", ruleInfo_severity_s)
+      | extend
+          EventCount = int(1),
+          EventProduct = "SentinelOne",
+          EventResult = "Success",
+          EventSchemaVersion = "0.1.4",
+          EventType = "ProcessCreated",
+          EventVendor = "SentinelOne",
+          EventSchema = "ProcessEvent"
+      | extend 
+          Dvc = DvcId,
+          EventEndTime = EventStartTime,
+          User = TargetUsername,
+          ActingProcessCreationTime = EventStartTime,
+          CommandLine = TargetProcessCommandLine,
+          Process = TargetProcessName
+      | extend 
+          HashType = case(
+                isnotempty(Hash) and isnotempty(TargetProcessSHA256),
+                "SHA256",
+                isnotempty(Hash) and isnotempty(TargetProcessSHA1),
+                "SHA1",
+                ""
+            ),
+          TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),
+          DvcIdType = iff(isnotempty(DvcId), "Other", ""),
+          ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)
+      | project-away
+          *_d,
+          *_s,
+          *_g,
+          *_t,
+          *_b,
+          TenantId,
+          RawData,
+          Computer,
+          MG,
+          ManagementGroupName,
+          SourceSystem
+  };
+  parser(
+      starttime=starttime, 
+      endtime=endtime, 
+      commandline_has_any=commandline_has_any,
+      commandline_has_all=commandline_has_all,
+      commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,
+      actingprocess_has_any=actingprocess_has_any,
+      targetprocess_has_any=targetprocess_has_any,
+      parentprocess_has_any=parentprocess_has_any,
+      targetusername_has=targetusername_has,
+      dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,
+      dvcname_has_any=dvcname_has_any,
+      eventtype=eventtype,
+      hashes_has_any=hashes_has_any,
+      disabled=disabled
+  )

Parsers/ASimProcessEvent/test/SentinelOne_ASimProcessCreate_DataTest.csv

@@ -0,0 +1,20 @@
+Result
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 1625 records (32.22%) for field [DvcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:ProcessEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 5043 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:ProcessEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 5043 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:ProcessEvent)"
+"(1) Warning: Empty value in 2 records (0.04%)  in mandatory field [TargetProcessName] (Schema:ProcessEvent)"
+"(1) Warning: Empty value in 6 records (0.12%)  in mandatory field [TargetProcessCommandLine] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 140 records (2.78%)  in optional field [ActingProcessCommandLine] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 140 records (2.78%)  in optional field [ActingProcessName] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 194 records (3.85%)  in optional field [ActingProcessGuid] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 3125 records (61.97%)  in optional field [ParentProcessSHA1] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 469 records (9.3%)  in optional field [ParentProcessName] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 4849 records (96.15%)  in optional field [ActingProcessMD5] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 4849 records (96.15%)  in optional field [ActingProcessSHA256] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 4850 records (96.17%)  in optional field [ParentProcessMD5] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 4850 records (96.17%)  in optional field [ParentProcessSHA256] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 5043 records (100.0%)  in optional field [TargetProcessSHA1] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 5043 records (100.0%)  in optional field [TargetProcessSHA256] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 5043 records (100.0%)  in recommended field [EventUid] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 5043 records (100.0%)  in recommended field [Hash] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 962 records (19.08%)  in optional field [ActingProcessSHA1] (Schema:ProcessEvent)"