NewASimAlertSchema #11238

SentinelOne
vakohl committed Oct 10, 2024
commit eb0403e52793b4998562c360e836b89b7144b0b2
Expand Up @@ -151,7 +151,7 @@ ParserQuery: |
EventStartTime = TimeGenerated,
EventProduct = 'Defender XDR',
EventVendor = 'Microsoft',
EventSchemaVersion = '0.1.0',
EventSchemaVersion = '0.1',
EventType = 'Alert'
| project-away
Title,
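--- a/Parsers/ASimAlert/Parsers/ASimAlertSentinelOneSingularity.yaml
+++ b/Parsers/ASimAlert/Parsers/ASimAlertSentinelOneSingularity.yaml
@@ -0,0 +1,103 @@
+Parser:
+Title: Alert ASIM parser for SentinelOne
+Version: '0.1.0'
+LastUpdated: Oct 09, 2024
+Product:
+Name: SentinelOne
+Normalization:
+Schema: Alert
+Version: '0.1'
+References:
+- Title: ASIM Alert Schema
+Link: https://aka.ms/ASimAlertDoc
+- Title: ASIM
+Link: https://aka.ms/AboutASIM
+Description: |
+This ASIM parser supports normalizing the SentinelOne alerts to the ASIM Alert normalized schema.
+ParserName: ASimAlertSentinelOneSingularity
+EquivalentBuiltInParser: _ASim_Alert_SentinelOneSingularity
+ParserParams:
+- Name: disabled
+Type: bool
+Default: false
+ParserQuery: |
+let AlertVerdictLookup = datatable (alertInfo_analystVerdict_s: string, AlertVerdict: string)
+[
+"Undefined", "Unknown",
+"true_positve", "malicious",
+"suspicious","suspicious",
+];
+let EventSubTypeLookup = datatable (ruleInfo_treatAsThreat_s:string, EventSubType:string)
+[
+"Malicious", "Threat",
+"Suspicious", "Suspicious Activity"
+];
+let parser = (
+disabled: bool = false
+) {
+SentinelOne_CL
+| where event_name_s == "Alerts."
+// Mapping Alert Fields
+| extend
+AlertId = alertInfo_alertId_s,
+AlertStatus = iif(alertInfo_incidentStatus_s == "Unresolved","Active",""),
+AlertOriginalStatus = alertInfo_incidentStatus_s,
+AlertDescription = alertInfo_indicatorDescription_s
+| lookup AlertVerdictLookup on alertInfo_analystVerdict_s
+// Mapping Inspection Fields
+| extend
+ThreatIsActive = agentRealtimeInfo_infected_b,
+ThreatFirstReportedTime = alertInfo_createdAt_t,
+ThreatLastReportedTime = alertInfo_reportedAt_t,
+ThreatLastUpdatedTime = alertInfo_updatedAt_t,
+RuleNumber = toint(ruleInfo_id_s),
+RuleName = ruleInfo_name_s,
+RuleDescription = ruleInfo_description_s
+// Mapping Dvc Fields
+| extend
+DvcHostname = agentDetectionInfo_name_s,
+DvcOs = agentDetectionInfo_osName_s,
+DvcOsVersion = agentDetectionInfo_osRevision_s,
+DvcId = agentRealtimeInfo_id_s
+// Mapping IP Entity
+| extend
+IpAddr = alertInfo_srcIp_s,
+PortNumber = alertInfo_srcPort_s
+// Mapping Process Entity
+| extend
+// Parent Process Fields
+ParentProcessCommandLine = sourceParentProcessInfo_commandline_s,
+ParentProcessMD5 = sourceParentProcessInfo_fileHashMd5_g,
+ParentProcessSHA1 = sourceParentProcessInfo_fileHashSha1_s,
+ParentProcessSHA256 = sourceParentProcessInfo_fileHashSha256_s,
+ParentProcessName = sourceParentProcessInfo_filePath_s,
+ParentProcessFileCompany = sourceParentProcessInfo_fileSignerIdentity_s,
+ParentProcessIntegrityLevel = sourceParentProcessInfo_integrityLevel_s,
+ParentProcessId = sourceParentProcessInfo_pid_s,
+ParentProcessCreationTime = sourceParentProcessInfo_pidStarttime_t,
+// Process Fields
+ProcessCommandLine = sourceProcessInfo_commandline_s,
+ProcessMD5 = sourceProcessInfo_fileHashMd5_g,
+ProcessSHA1 = sourceProcessInfo_fileHashSha1_s,
+ProcessSHA256 = sourceProcessInfo_fileHashSha256_s,
+ProcessName = sourceProcessInfo_filePath_s,
+ProcessFileCompany = sourceProcessInfo_fileSignerIdentity_s,
+ProcessIntegrityLevel = sourceProcessInfo_integrityLevel_s,
+ProcessId = sourceProcessInfo_pid_s,
+ProcessCreationTime = sourceProcessInfo_pidStarttime_t
+// Event Fields
+| extend
+EventOriginalUid = alertInfo_dvEventId_s,
+EventOriginalSubType = alertInfo_eventType_s,
+EventSeverity = iif(ruleInfo_severity_s == "Critical","High",ruleInfo_severity_s),
+EventCount = int(1),
+EventEndTime = TimeGenerated,
+EventStartTime = TimeGenerated,
+EventProduct = 'Singularity',
+EventVendor = 'SentinelOne',
+EventSchemaVersion = '0.1',
+EventType = 'Alert'
+| lookup EventSubTypeLookup on ruleInfo_treatAsThreat_s
+| project-away *_s, *_g, SourceSystem, ManagementGroupName, Computer, RawData, *_t
+};
+parser (disabled = disabled)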
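Review bot: The `disabled` parameter declared on the `parser` lambda is never applied — the body goes straight from `SentinelOne_CL` into `| where event_name_s == "Alerts."` — so invoking the parser with `disabled = true` still returns every row, contrary to what the `ParserParams` entry promises; add `| where not(disabled)` directly after `SentinelOne_CL`, as the other ASIM parsers do. In `AlertVerdictLookup` the key `"true_positve"` is misspelled, so an analyst verdict of `true_positive` will never match the datatable and `AlertVerdict` is left empty for precisely the confirmed alerts; the value column also mixes cases (`"Unknown"` versus `"malicious"`, `"suspicious"`), which is worth checking against the schema's allowed AlertVerdict values. `PortNumber = alertInfo_srcPort_s` copies a string column; if the schema types PortNumber as int, wrap it in `toint()` as is already done for `RuleNumber`. `AlertStatus` maps everything other than `"Unresolved"` to an empty string, so resolved alerts lose their state entirely — presumably those should become `"Closed"` rather than blank.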