Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Fixed the suggested changes to include some users 2FA activity to user and implement inner join instead of lookup.

This commit is contained in:
Jayesh Prajapati 2023-10-06 19:00:58 +05:30
Родитель 72ec27515d
Коммит e80045ab77
6 изменённых файлов: 105 добавлений и 754 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

48
Parsers/ASimAuditEvent/Parsers/ASimAuditEventSentinelOne.yaml
Просмотреть файл

@ -1,7 +1,7 @@
Parser:
Title: Audit Event ASIM parser for SentinelOne
Version: '0.1.0'
LastUpdated: Sep 20 2023
LastUpdated: Oct 05 2023
Product:
Name: SentinelOne
Normalization:
@ -134,11 +134,8 @@ ParserQuery: |
ObjectType: string
)
[
67, "User 2FA Modified", "", "", "Success", "Two Factor Authentication", "Policy Rule",
88, "User Remote Shell Modified", "", "", "Success", "Remote Shell", "Configuration Atom",
114, "API Token Revoked", "Disable", "", "Success", "API Token", "Service",
145, "Enroll 2FA", "Set", "", "Success", "2FA setup", "Service",
146, "Reset 2FA", "Set", "", "Success", "2FA setup", "Service",
114, "API Token Revoked", "Disable", "", "Success", "API Token", "Service"
];
let EventFieldsLookup_otheractivity = datatable(
activityType_d: real,
@ -152,7 +149,6 @@ ParserQuery: |
[
2, "Hash Defined as Malicious By Cloud", "Set", "", "Success", "", "Other",
40, "Cloud Intelligence Settings Modified", "", "", "Success", "Cloud Intelligence Settings", "Policy Rule",
42, "Global 2FA modified", "", "", "Success", "Global Two Factor Authentication", "Service",
58, "Notification Option Level Modified", "Set", "", "Success", "Notification Level", "Service",
59, "Event Severity Level Modified", "Set", "", "Success", "EventSeverity Level", "Other",
60, "Notification - Recipients Configuration Modified", "Set", "", "Success", "Recipients configuration", "Policy Rule",
@ -164,7 +160,6 @@ ParserQuery: |
112, "API token Generated", "Create", "", "Success", "API Token", "Service",
113, "API Token Revoked", "Disable", "", "Success", "API Token", "Service",
129, "Allowed Domains Settings Changed", "Set", "", "Success", "User Domain Setting", "Other",
147, "User Configured 2FA", "Set", "", "Success", "2FA setup", "Service",
1501, "Location Created", "Create", "", "Success", "", "Service",
1502, "Location Copied", "Set", "Copy", "Success", "", "Service",
1503, "Location Modified", "Set", "", "Success", "", "Service",
@ -365,19 +360,7 @@ ParserQuery: |
];
let parser = (disabled: bool=false) {
let RawGroupSiteActivityIds = dynamic([39, 41, 44, 45, 46, 56, 57, 68, 69, 70, 82, 83, 105, 116, 150, 151, 200, 201, 4004, 4005, 4104, 4105, 5012, 5020, 5021, 5022, 5024, 5025, 5026, 5027, 6000, 6001, 6002, 6010, 6011, 6012, 73, 76, 77, 78, 79, 84, 87, 2100, 2101, 2111]);
let RawOtherActivityIds = dynamic([2, 40, 42, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 147, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);
let Threatsdata = SentinelOne_CL
| where event_name_s == "Threats."
| project
TimeGenerated,
threatInfo_confidenceLevel_s,
threatInfo_analystVerdict_s,
threatInfo_threatName_s,
threatInfo_incidentStatus_s,
threatInfo_identifiedAt_t,
threatInfo_updatedAt_t,
threatInfo_threatId_s,
mitigationStatus_s;
let RawOtherActivityIds = dynamic([2, 40, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);
let activitydata = SentinelOne_CL
| where not(disabled) and event_name_s == "Activities."
| project-away
@ -443,12 +426,12 @@ ParserQuery: |
Object = coalesce(accountName, cloudProviderAccountName),
ObjectId = accountId;
let useractivitydata = activitydata
| where activityType_d in (67, 88, 114, 145, 146)
| parse-kv DataFields_s as (username: string, byUser: string, affectedUser: string, newValue: string, ipAddress: string) with (pair_delimiter=",", kv_delimiter=":", quote='"')
| where activityType_d in (88, 114)
| parse-kv DataFields_s as (username: string, byUser: string, newValue: string, ipAddress: string) with (pair_delimiter=",", kv_delimiter=":", quote='"')
| lookup EventFieldsLookup_useractivity on activityType_d
| lookup EventTypeLookup_enableddisabled on $left.newValue == $right.field
| extend
ActorUsername = coalesce(byUser, username),
ActorUsername = byUser,
EventType = coalesce(EventType_useractivity, EventType_fieldenableddisabled),
EventSubType = EventSubType_useractivity,
NewValue = NewValue_fieldenableddisabled;
@ -513,7 +496,19 @@ ParserQuery: |
| lookup EventSeverityLookup_activity on activityType_d;
let UnParsedActivitydatawithThreat = union ParsedActivitydata, parsedotheractivitydata_severity
| where isnotempty(threatId_s)
| lookup Threatsdata on $left.threatId_s == $right.threatInfo_threatId_s
| join kind=inner (SentinelOne_CL
| where event_name_s == "Threats."
| project
TimeGenerated,
threatInfo_confidenceLevel_s,
threatInfo_analystVerdict_s,
threatInfo_threatName_s,
threatInfo_incidentStatus_s,
threatInfo_identifiedAt_t,
threatInfo_updatedAt_t,
threatInfo_threatId_s,
mitigationStatus_s)
on $left.threatId_s == $right.threatInfo_threatId_s
| where TimeGenerated1 >= TimeGenerated
| summarize arg_min(TimeGenerated1, *) by activityType_d, threatId_s, createdAt_t, TimeGenerated;
let undefineddata = UnParsedActivitydatawithThreat
@ -602,8 +597,6 @@ ParserQuery: |
siteName,
oldValue,
computerName,
byUser,
affectedUser,
accountName,
cloudProviderAccountName,
email,
@ -664,6 +657,7 @@ ParserQuery: |
ThreatConfidence_*,
accountId,
policyId,
ruleId
ruleId,
byUser
};
parser(disabled=disabled)

51
Parsers/ASimAuditEvent/Parsers/vimAuditEventSentinelOne.yaml
Просмотреть файл

@ -1,7 +1,7 @@
Parser:
Title: Audit Event ASIM parser for SentinelOne
Version: '0.1.0'
LastUpdated: Sep 20 2023
LastUpdated: Oct 05 2023
Product:
Name: SentinelOne
Normalization:
@ -161,11 +161,8 @@ ParserQuery: |
ObjectType: string
)
[
67, "User 2FA Modified", "", "", "Success", "Two Factor Authentication", "Policy Rule",
88, "User Remote Shell Modified", "", "", "Success", "Remote Shell", "Configuration Atom",
114, "API Token Revoked", "Disable", "", "Success", "API Token", "Service",
145, "Enroll 2FA", "Set", "", "Success", "2FA setup", "Service",
146, "Reset 2FA", "Set", "", "Success", "2FA setup", "Service",
114, "API Token Revoked", "Disable", "", "Success", "API Token", "Service"
];
let EventFieldsLookup_otheractivity = datatable(
activityType_d: real,
@ -179,7 +176,6 @@ ParserQuery: |
[
2, "Hash Defined as Malicious By Cloud", "Set", "", "Success", "", "Other",
40, "Cloud Intelligence Settings Modified", "", "", "Success", "Cloud Intelligence Settings", "Policy Rule",
42, "Global 2FA modified", "", "", "Success", "Global Two Factor Authentication", "Service",
58, "Notification Option Level Modified", "Set", "", "Success", "Notification Level", "Service",
59, "Event Severity Level Modified", "Set", "", "Success", "EventSeverity Level", "Other",
60, "Notification - Recipients Configuration Modified", "Set", "", "Success", "Recipients configuration", "Policy Rule",
@ -191,7 +187,6 @@ ParserQuery: |
112, "API token Generated", "Create", "", "Success", "API Token", "Service",
113, "API Token Revoked", "Disable", "", "Success", "API Token", "Service",
129, "Allowed Domains Settings Changed", "Set", "", "Success", "User Domain Setting", "Other",
147, "User Configured 2FA", "Set", "", "Success", "2FA setup", "Service",
1501, "Location Created", "Create", "", "Success", "", "Service",
1502, "Location Copied", "Set", "Copy", "Success", "", "Service",
1503, "Location Modified", "Set", "", "Success", "", "Service",
@ -391,21 +386,8 @@ ParserQuery: |
"true_positive", 100
];
let parser=(disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventresult: string='*', operation_has_any: dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([])) {
let AllActivityIdsForAudit = dynamic([39, 41, 44, 45, 46, 56, 57, 68, 69, 70, 82, 83, 105, 116, 150, 151, 200, 201, 4004, 4005, 4104, 4105, 5012, 5020, 5021, 5022, 5024, 5025, 5026, 5027, 6000, 6001, 6002, 6010, 6011, 6012, 73, 76, 77, 78, 79, 84, 87, 2100, 2101, 2111, 52, 53, 54, 55, 61, 62, 63, 93, 95, 117, 118, 4100, 4101, 130, 131, 5040, 5041, 5042, 5044, 7200, 7201, 7202, 7203, 67, 88, 114, 145, 146, 2, 40, 42, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 147, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);
let RawOtherActivityIds = dynamic([2, 40, 42, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 147, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);
let Threatsdata = SentinelOne_CL
| where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)
| where event_name_s == "Threats."
| project
TimeGenerated,
threatInfo_confidenceLevel_s,
threatInfo_analystVerdict_s,
threatInfo_threatName_s,
threatInfo_incidentStatus_s,
threatInfo_identifiedAt_t,
threatInfo_updatedAt_t,
threatInfo_threatId_s,
mitigationStatus_s;
let AllActivityIdsForAudit = dynamic([39, 41, 44, 45, 46, 56, 57, 68, 69, 70, 82, 83, 105, 116, 150, 151, 200, 201, 4004, 4005, 4104, 4105, 5012, 5020, 5021, 5022, 5024, 5025, 5026, 5027, 6000, 6001, 6002, 6010, 6011, 6012, 73, 76, 77, 78, 79, 84, 87, 2100, 2101, 2111, 52, 53, 54, 55, 61, 62, 63, 93, 95, 117, 118, 4100, 4101, 130, 131, 5040, 5041, 5042, 5044, 7200, 7201, 7202, 7203, 2, 40, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);
let RawOtherActivityIds = dynamic([2, 40, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);
let activitydata = SentinelOne_CL
| where not(disabled) and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)
and event_name_s == "Activities."
@ -476,12 +458,12 @@ ParserQuery: |
Object = coalesce(accountName, cloudProviderAccountName),
ObjectId = accountId;
let useractivitydata = activitydata
| where activityType_d in (67, 88, 114, 145, 146)
| parse-kv DataFields_s as (username: string, byUser: string, affectedUser: string, newValue: string, ipAddress: string) with (pair_delimiter=",", kv_delimiter=":", quote='"')
| where activityType_d in (88, 114)
| parse-kv DataFields_s as (username: string, byUser: string, newValue: string, ipAddress: string) with (pair_delimiter=",", kv_delimiter=":", quote='"')
| lookup EventFieldsLookup_useractivity on activityType_d
| lookup EventTypeLookup_enableddisabled on $left.newValue == $right.field
| extend
ActorUsername = coalesce(byUser, username),
ActorUsername = byUser,
EventType = coalesce(EventType_useractivity, EventType_fieldenableddisabled),
EventSubType = EventSubType_useractivity,
NewValue = NewValue_fieldenableddisabled;
@ -558,7 +540,19 @@ ParserQuery: |
and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ipAddress, srcipaddr_has_any_prefix));
let UnParsedActivitydatawithThreat = union ParsedActivitydata, parsedotheractivitydata_severity
| where isnotempty(threatId_s)
| lookup Threatsdata on $left.threatId_s == $right.threatInfo_threatId_s
| join kind=inner (SentinelOne_CL
| where event_name_s == "Threats."
| project
TimeGenerated,
threatInfo_confidenceLevel_s,
threatInfo_analystVerdict_s,
threatInfo_threatName_s,
threatInfo_incidentStatus_s,
threatInfo_identifiedAt_t,
threatInfo_updatedAt_t,
threatInfo_threatId_s,
mitigationStatus_s)
on $left.threatId_s == $right.threatInfo_threatId_s
| where TimeGenerated1 >= TimeGenerated
| summarize arg_min(TimeGenerated1, *) by activityType_d, threatId_s, createdAt_t, TimeGenerated;
let undefineddata = UnParsedActivitydatawithThreat
@ -646,8 +640,6 @@ ParserQuery: |
siteName,
oldValue,
computerName,
byUser,
affectedUser,
accountName,
cloudProviderAccountName,
email,
@ -708,6 +700,7 @@ ParserQuery: |
ThreatConfidence_*,
accountId,
policyId,
ruleId
ruleId,
byUser
};
parser(disabled=disabled, starttime=starttime, endtime=endtime, eventresult=eventresult, operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any)

62
Parsers/ASimAuditEvent/Tests/SentinelOne_ASimAuditEvent_DataTest.csv
Просмотреть файл

@ -1,33 +1,33 @@
Result
"(0) Error: 1 invalid value(s) (up to 10 listed) in 1 records (0.06%) for field [DvcHostname] of type [Hostname]: [""u2019s MacBook Pro""] (Schema:AuditEvent)"
"(0) Error: 1 invalid value(s) (up to 10 listed) in 1587 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:AuditEvent)"
"(0) Error: 1 invalid value(s) (up to 10 listed) in 1587 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:AuditEvent)"
"(2) Info: Empty value in 1404 records (88.47%) in recommended field [ObjectId] (Schema:AuditEvent)"
"(2) Info: Empty value in 1468 records (92.5%) in optional field [RuleName] (Schema:AuditEvent)"
"(2) Info: Empty value in 1468 records (92.5%) in optional field [Rule] (Schema:AuditEvent)"
"(2) Info: Empty value in 1480 records (93.26%) in recommended field [SrcIpAddr] (Schema:AuditEvent)"
"(2) Info: Empty value in 1480 records (93.26%) in recommended field [Src] (Schema:AuditEvent)"
"(2) Info: Empty value in 1550 records (97.67%) in recommended field [DvcHostname] (Schema:AuditEvent)"
"(2) Info: Empty value in 1579 records (99.5%) in optional field [EventSubType] (Schema:AuditEvent)"
"(2) Info: Empty value in 1582 records (99.68%) in optional field [DvcFQDN] (Schema:AuditEvent)"
"(2) Info: Empty value in 1582 records (99.68%) in recommended field [DvcDomain] (Schema:AuditEvent)"
"(2) Info: Empty value in 1587 records (100.0%) in optional field [TargetDomain] (Schema:AuditEvent)"
"(2) Info: Empty value in 1587 records (100.0%) in optional field [TargetDvcId] (Schema:AuditEvent)"
"(2) Info: Empty value in 1587 records (100.0%) in optional field [TargetFQDN] (Schema:AuditEvent)"
"(2) Info: Empty value in 1587 records (100.0%) in optional field [TargetUrl] (Schema:AuditEvent)"
"(2) Info: Empty value in 1587 records (100.0%) in recommended field [Dst] (Schema:AuditEvent)"
"(2) Info: Empty value in 1587 records (100.0%) in recommended field [TargetHostname] (Schema:AuditEvent)"
"(2) Info: Empty value in 1587 records (100.0%) in recommended field [TargetIpAddr] (Schema:AuditEvent)"
"(2) Info: Empty value in 226 records (14.24%) in optional field [DvcId] (Schema:AuditEvent)"
"(2) Info: Empty value in 257 records (16.19%) in optional field [ValueType] (Schema:AuditEvent)"
"(2) Info: Empty value in 257 records (16.19%) in recommended field [NewValue] (Schema:AuditEvent)"
"(2) Info: Empty value in 263 records (16.57%) in optional field [ThreatCategory] (Schema:AuditEvent)"
"(2) Info: Empty value in 263 records (16.57%) in optional field [ThreatConfidence] (Schema:AuditEvent)"
"(2) Info: Empty value in 263 records (16.57%) in optional field [ThreatFirstReportedTime] (Schema:AuditEvent)"
"(2) Info: Empty value in 263 records (16.57%) in optional field [ThreatId] (Schema:AuditEvent)"
"(2) Info: Empty value in 263 records (16.57%) in optional field [ThreatOriginalConfidence] (Schema:AuditEvent)"
"(2) Info: Empty value in 271 records (17.08%) in optional field [ThreatName] (Schema:AuditEvent)"
"(2) Info: Empty value in 543 records (34.22%) in optional field [ActorUserId] (Schema:AuditEvent)"
"(2) Info: Empty value in 545 records (34.34%) in optional field [ActorUserType] (Schema:AuditEvent)"
"(2) Info: Empty value in 545 records (34.34%) in recommended field [ActorUsername] (Schema:AuditEvent)"
"(2) Info: Empty value in 875 records (55.14%) in optional field [OldValue] (Schema:AuditEvent)"
"(0) Error: 1 invalid value(s) (up to 10 listed) in 1559 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:AuditEvent)"
"(0) Error: 1 invalid value(s) (up to 10 listed) in 1559 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:AuditEvent)"
"(2) Info: Empty value in 1376 records (88.26%) in recommended field [ObjectId] (Schema:AuditEvent)"
"(2) Info: Empty value in 1440 records (92.37%) in optional field [RuleName] (Schema:AuditEvent)"
"(2) Info: Empty value in 1440 records (92.37%) in optional field [Rule] (Schema:AuditEvent)"
"(2) Info: Empty value in 1480 records (94.93%) in recommended field [SrcIpAddr] (Schema:AuditEvent)"
"(2) Info: Empty value in 1480 records (94.93%) in recommended field [Src] (Schema:AuditEvent)"
"(2) Info: Empty value in 1522 records (97.63%) in recommended field [DvcHostname] (Schema:AuditEvent)"
"(2) Info: Empty value in 1551 records (99.49%) in optional field [EventSubType] (Schema:AuditEvent)"
"(2) Info: Empty value in 1554 records (99.68%) in optional field [DvcFQDN] (Schema:AuditEvent)"
"(2) Info: Empty value in 1554 records (99.68%) in recommended field [DvcDomain] (Schema:AuditEvent)"
"(2) Info: Empty value in 1559 records (100.0%) in optional field [TargetDomain] (Schema:AuditEvent)"
"(2) Info: Empty value in 1559 records (100.0%) in optional field [TargetDvcId] (Schema:AuditEvent)"
"(2) Info: Empty value in 1559 records (100.0%) in optional field [TargetFQDN] (Schema:AuditEvent)"
"(2) Info: Empty value in 1559 records (100.0%) in optional field [TargetUrl] (Schema:AuditEvent)"
"(2) Info: Empty value in 1559 records (100.0%) in recommended field [Dst] (Schema:AuditEvent)"
"(2) Info: Empty value in 1559 records (100.0%) in recommended field [TargetHostname] (Schema:AuditEvent)"
"(2) Info: Empty value in 1559 records (100.0%) in recommended field [TargetIpAddr] (Schema:AuditEvent)"
"(2) Info: Empty value in 198 records (12.7%) in optional field [DvcId] (Schema:AuditEvent)"
"(2) Info: Empty value in 235 records (15.07%) in optional field [ThreatCategory] (Schema:AuditEvent)"
"(2) Info: Empty value in 235 records (15.07%) in optional field [ThreatConfidence] (Schema:AuditEvent)"
"(2) Info: Empty value in 235 records (15.07%) in optional field [ThreatFirstReportedTime] (Schema:AuditEvent)"
"(2) Info: Empty value in 235 records (15.07%) in optional field [ThreatId] (Schema:AuditEvent)"
"(2) Info: Empty value in 235 records (15.07%) in optional field [ThreatOriginalConfidence] (Schema:AuditEvent)"
"(2) Info: Empty value in 243 records (15.59%) in optional field [ThreatName] (Schema:AuditEvent)"
"(2) Info: Empty value in 243 records (15.59%) in optional field [ValueType] (Schema:AuditEvent)"
"(2) Info: Empty value in 243 records (15.59%) in recommended field [NewValue] (Schema:AuditEvent)"
"(2) Info: Empty value in 543 records (34.83%) in optional field [ActorUserId] (Schema:AuditEvent)"
"(2) Info: Empty value in 545 records (34.96%) in optional field [ActorUserType] (Schema:AuditEvent)"
"(2) Info: Empty value in 545 records (34.96%) in recommended field [ActorUsername] (Schema:AuditEvent)"
"(2) Info: Empty value in 847 records (54.33%) in optional field [OldValue] (Schema:AuditEvent)"

1 Result
2 (0) Error: 1 invalid value(s) (up to 10 listed) in 1 records (0.06%) for field [DvcHostname] of type [Hostname]: ["u2019s MacBook Pro"] (Schema:AuditEvent)
3 (0) Error: 1 invalid value(s) (up to 10 listed) in 1587 records (100.0%) for field [EventProduct] of type [Enumerated]: ["SentinelOne"] (Schema:AuditEvent) (0) Error: 1 invalid value(s) (up to 10 listed) in 1559 records (100.0%) for field [EventProduct] of type [Enumerated]: ["SentinelOne"] (Schema:AuditEvent)
4 (0) Error: 1 invalid value(s) (up to 10 listed) in 1587 records (100.0%) for field [EventVendor] of type [Enumerated]: ["SentinelOne"] (Schema:AuditEvent) (0) Error: 1 invalid value(s) (up to 10 listed) in 1559 records (100.0%) for field [EventVendor] of type [Enumerated]: ["SentinelOne"] (Schema:AuditEvent)
5 (2) Info: Empty value in 1404 records (88.47%) in recommended field [ObjectId] (Schema:AuditEvent) (2) Info: Empty value in 1376 records (88.26%) in recommended field [ObjectId] (Schema:AuditEvent)
6 (2) Info: Empty value in 1468 records (92.5%) in optional field [RuleName] (Schema:AuditEvent) (2) Info: Empty value in 1440 records (92.37%) in optional field [RuleName] (Schema:AuditEvent)
7 (2) Info: Empty value in 1468 records (92.5%) in optional field [Rule] (Schema:AuditEvent) (2) Info: Empty value in 1440 records (92.37%) in optional field [Rule] (Schema:AuditEvent)
8 (2) Info: Empty value in 1480 records (93.26%) in recommended field [SrcIpAddr] (Schema:AuditEvent) (2) Info: Empty value in 1480 records (94.93%) in recommended field [SrcIpAddr] (Schema:AuditEvent)
9 (2) Info: Empty value in 1480 records (93.26%) in recommended field [Src] (Schema:AuditEvent) (2) Info: Empty value in 1480 records (94.93%) in recommended field [Src] (Schema:AuditEvent)
10 (2) Info: Empty value in 1550 records (97.67%) in recommended field [DvcHostname] (Schema:AuditEvent) (2) Info: Empty value in 1522 records (97.63%) in recommended field [DvcHostname] (Schema:AuditEvent)
11 (2) Info: Empty value in 1579 records (99.5%) in optional field [EventSubType] (Schema:AuditEvent) (2) Info: Empty value in 1551 records (99.49%) in optional field [EventSubType] (Schema:AuditEvent)
12 (2) Info: Empty value in 1582 records (99.68%) in optional field [DvcFQDN] (Schema:AuditEvent) (2) Info: Empty value in 1554 records (99.68%) in optional field [DvcFQDN] (Schema:AuditEvent)
13 (2) Info: Empty value in 1582 records (99.68%) in recommended field [DvcDomain] (Schema:AuditEvent) (2) Info: Empty value in 1554 records (99.68%) in recommended field [DvcDomain] (Schema:AuditEvent)
14 (2) Info: Empty value in 1587 records (100.0%) in optional field [TargetDomain] (Schema:AuditEvent) (2) Info: Empty value in 1559 records (100.0%) in optional field [TargetDomain] (Schema:AuditEvent)
15 (2) Info: Empty value in 1587 records (100.0%) in optional field [TargetDvcId] (Schema:AuditEvent) (2) Info: Empty value in 1559 records (100.0%) in optional field [TargetDvcId] (Schema:AuditEvent)
16 (2) Info: Empty value in 1587 records (100.0%) in optional field [TargetFQDN] (Schema:AuditEvent) (2) Info: Empty value in 1559 records (100.0%) in optional field [TargetFQDN] (Schema:AuditEvent)
17 (2) Info: Empty value in 1587 records (100.0%) in optional field [TargetUrl] (Schema:AuditEvent) (2) Info: Empty value in 1559 records (100.0%) in optional field [TargetUrl] (Schema:AuditEvent)
18 (2) Info: Empty value in 1587 records (100.0%) in recommended field [Dst] (Schema:AuditEvent) (2) Info: Empty value in 1559 records (100.0%) in recommended field [Dst] (Schema:AuditEvent)
19 (2) Info: Empty value in 1587 records (100.0%) in recommended field [TargetHostname] (Schema:AuditEvent) (2) Info: Empty value in 1559 records (100.0%) in recommended field [TargetHostname] (Schema:AuditEvent)
20 (2) Info: Empty value in 1587 records (100.0%) in recommended field [TargetIpAddr] (Schema:AuditEvent) (2) Info: Empty value in 1559 records (100.0%) in recommended field [TargetIpAddr] (Schema:AuditEvent)
21 (2) Info: Empty value in 226 records (14.24%) in optional field [DvcId] (Schema:AuditEvent) (2) Info: Empty value in 198 records (12.7%) in optional field [DvcId] (Schema:AuditEvent)
22 (2) Info: Empty value in 257 records (16.19%) in optional field [ValueType] (Schema:AuditEvent) (2) Info: Empty value in 235 records (15.07%) in optional field [ThreatCategory] (Schema:AuditEvent)
23 (2) Info: Empty value in 257 records (16.19%) in recommended field [NewValue] (Schema:AuditEvent) (2) Info: Empty value in 235 records (15.07%) in optional field [ThreatConfidence] (Schema:AuditEvent)
24 (2) Info: Empty value in 263 records (16.57%) in optional field [ThreatCategory] (Schema:AuditEvent) (2) Info: Empty value in 235 records (15.07%) in optional field [ThreatFirstReportedTime] (Schema:AuditEvent)
25 (2) Info: Empty value in 263 records (16.57%) in optional field [ThreatConfidence] (Schema:AuditEvent) (2) Info: Empty value in 235 records (15.07%) in optional field [ThreatId] (Schema:AuditEvent)
26 (2) Info: Empty value in 263 records (16.57%) in optional field [ThreatFirstReportedTime] (Schema:AuditEvent) (2) Info: Empty value in 235 records (15.07%) in optional field [ThreatOriginalConfidence] (Schema:AuditEvent)
27 (2) Info: Empty value in 263 records (16.57%) in optional field [ThreatId] (Schema:AuditEvent) (2) Info: Empty value in 243 records (15.59%) in optional field [ThreatName] (Schema:AuditEvent)
28 (2) Info: Empty value in 263 records (16.57%) in optional field [ThreatOriginalConfidence] (Schema:AuditEvent) (2) Info: Empty value in 243 records (15.59%) in optional field [ValueType] (Schema:AuditEvent)
29 (2) Info: Empty value in 271 records (17.08%) in optional field [ThreatName] (Schema:AuditEvent) (2) Info: Empty value in 243 records (15.59%) in recommended field [NewValue] (Schema:AuditEvent)
30 (2) Info: Empty value in 543 records (34.22%) in optional field [ActorUserId] (Schema:AuditEvent) (2) Info: Empty value in 543 records (34.83%) in optional field [ActorUserId] (Schema:AuditEvent)
31 (2) Info: Empty value in 545 records (34.34%) in optional field [ActorUserType] (Schema:AuditEvent) (2) Info: Empty value in 545 records (34.96%) in optional field [ActorUserType] (Schema:AuditEvent)
32 (2) Info: Empty value in 545 records (34.34%) in recommended field [ActorUsername] (Schema:AuditEvent) (2) Info: Empty value in 545 records (34.96%) in recommended field [ActorUsername] (Schema:AuditEvent)
33 (2) Info: Empty value in 875 records (55.14%) in optional field [OldValue] (Schema:AuditEvent) (2) Info: Empty value in 847 records (54.33%) in optional field [OldValue] (Schema:AuditEvent)

62
Parsers/ASimAuditEvent/Tests/SentinelOne_vimAuditEvent_DataTest.csv
Просмотреть файл

@ -1,33 +1,33 @@
Result
"(0) Error: 1 invalid value(s) (up to 10 listed) in 1 records (0.06%) for field [DvcHostname] of type [Hostname]: [""u2019s MacBook Pro""] (Schema:AuditEvent)"
"(0) Error: 1 invalid value(s) (up to 10 listed) in 1587 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:AuditEvent)"
"(0) Error: 1 invalid value(s) (up to 10 listed) in 1587 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:AuditEvent)"
"(2) Info: Empty value in 1404 records (88.47%) in recommended field [ObjectId] (Schema:AuditEvent)"
"(2) Info: Empty value in 1468 records (92.5%) in optional field [RuleName] (Schema:AuditEvent)"
"(2) Info: Empty value in 1468 records (92.5%) in optional field [Rule] (Schema:AuditEvent)"
"(2) Info: Empty value in 1480 records (93.26%) in recommended field [SrcIpAddr] (Schema:AuditEvent)"
"(2) Info: Empty value in 1480 records (93.26%) in recommended field [Src] (Schema:AuditEvent)"
"(2) Info: Empty value in 1550 records (97.67%) in recommended field [DvcHostname] (Schema:AuditEvent)"
"(2) Info: Empty value in 1579 records (99.5%) in optional field [EventSubType] (Schema:AuditEvent)"
"(2) Info: Empty value in 1582 records (99.68%) in optional field [DvcFQDN] (Schema:AuditEvent)"
"(2) Info: Empty value in 1582 records (99.68%) in recommended field [DvcDomain] (Schema:AuditEvent)"
"(2) Info: Empty value in 1587 records (100.0%) in optional field [TargetDomain] (Schema:AuditEvent)"
"(2) Info: Empty value in 1587 records (100.0%) in optional field [TargetDvcId] (Schema:AuditEvent)"
"(2) Info: Empty value in 1587 records (100.0%) in optional field [TargetFQDN] (Schema:AuditEvent)"
"(2) Info: Empty value in 1587 records (100.0%) in optional field [TargetUrl] (Schema:AuditEvent)"
"(2) Info: Empty value in 1587 records (100.0%) in recommended field [Dst] (Schema:AuditEvent)"
"(2) Info: Empty value in 1587 records (100.0%) in recommended field [TargetHostname] (Schema:AuditEvent)"
"(2) Info: Empty value in 1587 records (100.0%) in recommended field [TargetIpAddr] (Schema:AuditEvent)"
"(2) Info: Empty value in 226 records (14.24%) in optional field [DvcId] (Schema:AuditEvent)"
"(2) Info: Empty value in 257 records (16.19%) in optional field [ValueType] (Schema:AuditEvent)"
"(2) Info: Empty value in 257 records (16.19%) in recommended field [NewValue] (Schema:AuditEvent)"
"(2) Info: Empty value in 263 records (16.57%) in optional field [ThreatCategory] (Schema:AuditEvent)"
"(2) Info: Empty value in 263 records (16.57%) in optional field [ThreatConfidence] (Schema:AuditEvent)"
"(2) Info: Empty value in 263 records (16.57%) in optional field [ThreatFirstReportedTime] (Schema:AuditEvent)"
"(2) Info: Empty value in 263 records (16.57%) in optional field [ThreatId] (Schema:AuditEvent)"
"(2) Info: Empty value in 263 records (16.57%) in optional field [ThreatOriginalConfidence] (Schema:AuditEvent)"
"(2) Info: Empty value in 271 records (17.08%) in optional field [ThreatName] (Schema:AuditEvent)"
"(2) Info: Empty value in 543 records (34.22%) in optional field [ActorUserId] (Schema:AuditEvent)"
"(2) Info: Empty value in 545 records (34.34%) in optional field [ActorUserType] (Schema:AuditEvent)"
"(2) Info: Empty value in 545 records (34.34%) in recommended field [ActorUsername] (Schema:AuditEvent)"
"(2) Info: Empty value in 875 records (55.14%) in optional field [OldValue] (Schema:AuditEvent)"
"(0) Error: 1 invalid value(s) (up to 10 listed) in 1559 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:AuditEvent)"
"(0) Error: 1 invalid value(s) (up to 10 listed) in 1559 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:AuditEvent)"
"(2) Info: Empty value in 1376 records (88.26%) in recommended field [ObjectId] (Schema:AuditEvent)"
"(2) Info: Empty value in 1440 records (92.37%) in optional field [RuleName] (Schema:AuditEvent)"
"(2) Info: Empty value in 1440 records (92.37%) in optional field [Rule] (Schema:AuditEvent)"
"(2) Info: Empty value in 1480 records (94.93%) in recommended field [SrcIpAddr] (Schema:AuditEvent)"
"(2) Info: Empty value in 1480 records (94.93%) in recommended field [Src] (Schema:AuditEvent)"
"(2) Info: Empty value in 1522 records (97.63%) in recommended field [DvcHostname] (Schema:AuditEvent)"
"(2) Info: Empty value in 1551 records (99.49%) in optional field [EventSubType] (Schema:AuditEvent)"
"(2) Info: Empty value in 1554 records (99.68%) in optional field [DvcFQDN] (Schema:AuditEvent)"
"(2) Info: Empty value in 1554 records (99.68%) in recommended field [DvcDomain] (Schema:AuditEvent)"
"(2) Info: Empty value in 1559 records (100.0%) in optional field [TargetDomain] (Schema:AuditEvent)"
"(2) Info: Empty value in 1559 records (100.0%) in optional field [TargetDvcId] (Schema:AuditEvent)"
"(2) Info: Empty value in 1559 records (100.0%) in optional field [TargetFQDN] (Schema:AuditEvent)"
"(2) Info: Empty value in 1559 records (100.0%) in optional field [TargetUrl] (Schema:AuditEvent)"
"(2) Info: Empty value in 1559 records (100.0%) in recommended field [Dst] (Schema:AuditEvent)"
"(2) Info: Empty value in 1559 records (100.0%) in recommended field [TargetHostname] (Schema:AuditEvent)"
"(2) Info: Empty value in 1559 records (100.0%) in recommended field [TargetIpAddr] (Schema:AuditEvent)"
"(2) Info: Empty value in 198 records (12.7%) in optional field [DvcId] (Schema:AuditEvent)"
"(2) Info: Empty value in 235 records (15.07%) in optional field [ThreatCategory] (Schema:AuditEvent)"
"(2) Info: Empty value in 235 records (15.07%) in optional field [ThreatConfidence] (Schema:AuditEvent)"
"(2) Info: Empty value in 235 records (15.07%) in optional field [ThreatFirstReportedTime] (Schema:AuditEvent)"
"(2) Info: Empty value in 235 records (15.07%) in optional field [ThreatId] (Schema:AuditEvent)"
"(2) Info: Empty value in 235 records (15.07%) in optional field [ThreatOriginalConfidence] (Schema:AuditEvent)"
"(2) Info: Empty value in 243 records (15.59%) in optional field [ThreatName] (Schema:AuditEvent)"
"(2) Info: Empty value in 243 records (15.59%) in optional field [ValueType] (Schema:AuditEvent)"
"(2) Info: Empty value in 243 records (15.59%) in recommended field [NewValue] (Schema:AuditEvent)"
"(2) Info: Empty value in 543 records (34.83%) in optional field [ActorUserId] (Schema:AuditEvent)"
"(2) Info: Empty value in 545 records (34.96%) in optional field [ActorUserType] (Schema:AuditEvent)"
"(2) Info: Empty value in 545 records (34.96%) in recommended field [ActorUsername] (Schema:AuditEvent)"
"(2) Info: Empty value in 847 records (54.33%) in optional field [OldValue] (Schema:AuditEvent)"

1 Result
2 (0) Error: 1 invalid value(s) (up to 10 listed) in 1 records (0.06%) for field [DvcHostname] of type [Hostname]: ["u2019s MacBook Pro"] (Schema:AuditEvent)
3 (0) Error: 1 invalid value(s) (up to 10 listed) in 1587 records (100.0%) for field [EventProduct] of type [Enumerated]: ["SentinelOne"] (Schema:AuditEvent) (0) Error: 1 invalid value(s) (up to 10 listed) in 1559 records (100.0%) for field [EventProduct] of type [Enumerated]: ["SentinelOne"] (Schema:AuditEvent)
4 (0) Error: 1 invalid value(s) (up to 10 listed) in 1587 records (100.0%) for field [EventVendor] of type [Enumerated]: ["SentinelOne"] (Schema:AuditEvent) (0) Error: 1 invalid value(s) (up to 10 listed) in 1559 records (100.0%) for field [EventVendor] of type [Enumerated]: ["SentinelOne"] (Schema:AuditEvent)
5 (2) Info: Empty value in 1404 records (88.47%) in recommended field [ObjectId] (Schema:AuditEvent) (2) Info: Empty value in 1376 records (88.26%) in recommended field [ObjectId] (Schema:AuditEvent)
6 (2) Info: Empty value in 1468 records (92.5%) in optional field [RuleName] (Schema:AuditEvent) (2) Info: Empty value in 1440 records (92.37%) in optional field [RuleName] (Schema:AuditEvent)
7 (2) Info: Empty value in 1468 records (92.5%) in optional field [Rule] (Schema:AuditEvent) (2) Info: Empty value in 1440 records (92.37%) in optional field [Rule] (Schema:AuditEvent)
8 (2) Info: Empty value in 1480 records (93.26%) in recommended field [SrcIpAddr] (Schema:AuditEvent) (2) Info: Empty value in 1480 records (94.93%) in recommended field [SrcIpAddr] (Schema:AuditEvent)
9 (2) Info: Empty value in 1480 records (93.26%) in recommended field [Src] (Schema:AuditEvent) (2) Info: Empty value in 1480 records (94.93%) in recommended field [Src] (Schema:AuditEvent)
10 (2) Info: Empty value in 1550 records (97.67%) in recommended field [DvcHostname] (Schema:AuditEvent) (2) Info: Empty value in 1522 records (97.63%) in recommended field [DvcHostname] (Schema:AuditEvent)
11 (2) Info: Empty value in 1579 records (99.5%) in optional field [EventSubType] (Schema:AuditEvent) (2) Info: Empty value in 1551 records (99.49%) in optional field [EventSubType] (Schema:AuditEvent)
12 (2) Info: Empty value in 1582 records (99.68%) in optional field [DvcFQDN] (Schema:AuditEvent) (2) Info: Empty value in 1554 records (99.68%) in optional field [DvcFQDN] (Schema:AuditEvent)
13 (2) Info: Empty value in 1582 records (99.68%) in recommended field [DvcDomain] (Schema:AuditEvent) (2) Info: Empty value in 1554 records (99.68%) in recommended field [DvcDomain] (Schema:AuditEvent)
14 (2) Info: Empty value in 1587 records (100.0%) in optional field [TargetDomain] (Schema:AuditEvent) (2) Info: Empty value in 1559 records (100.0%) in optional field [TargetDomain] (Schema:AuditEvent)
15 (2) Info: Empty value in 1587 records (100.0%) in optional field [TargetDvcId] (Schema:AuditEvent) (2) Info: Empty value in 1559 records (100.0%) in optional field [TargetDvcId] (Schema:AuditEvent)
16 (2) Info: Empty value in 1587 records (100.0%) in optional field [TargetFQDN] (Schema:AuditEvent) (2) Info: Empty value in 1559 records (100.0%) in optional field [TargetFQDN] (Schema:AuditEvent)
17 (2) Info: Empty value in 1587 records (100.0%) in optional field [TargetUrl] (Schema:AuditEvent) (2) Info: Empty value in 1559 records (100.0%) in optional field [TargetUrl] (Schema:AuditEvent)
18 (2) Info: Empty value in 1587 records (100.0%) in recommended field [Dst] (Schema:AuditEvent) (2) Info: Empty value in 1559 records (100.0%) in recommended field [Dst] (Schema:AuditEvent)
19 (2) Info: Empty value in 1587 records (100.0%) in recommended field [TargetHostname] (Schema:AuditEvent) (2) Info: Empty value in 1559 records (100.0%) in recommended field [TargetHostname] (Schema:AuditEvent)
20 (2) Info: Empty value in 1587 records (100.0%) in recommended field [TargetIpAddr] (Schema:AuditEvent) (2) Info: Empty value in 1559 records (100.0%) in recommended field [TargetIpAddr] (Schema:AuditEvent)
21 (2) Info: Empty value in 226 records (14.24%) in optional field [DvcId] (Schema:AuditEvent) (2) Info: Empty value in 198 records (12.7%) in optional field [DvcId] (Schema:AuditEvent)
22 (2) Info: Empty value in 257 records (16.19%) in optional field [ValueType] (Schema:AuditEvent) (2) Info: Empty value in 235 records (15.07%) in optional field [ThreatCategory] (Schema:AuditEvent)
23 (2) Info: Empty value in 257 records (16.19%) in recommended field [NewValue] (Schema:AuditEvent) (2) Info: Empty value in 235 records (15.07%) in optional field [ThreatConfidence] (Schema:AuditEvent)
24 (2) Info: Empty value in 263 records (16.57%) in optional field [ThreatCategory] (Schema:AuditEvent) (2) Info: Empty value in 235 records (15.07%) in optional field [ThreatFirstReportedTime] (Schema:AuditEvent)
25 (2) Info: Empty value in 263 records (16.57%) in optional field [ThreatConfidence] (Schema:AuditEvent) (2) Info: Empty value in 235 records (15.07%) in optional field [ThreatId] (Schema:AuditEvent)
26 (2) Info: Empty value in 263 records (16.57%) in optional field [ThreatFirstReportedTime] (Schema:AuditEvent) (2) Info: Empty value in 235 records (15.07%) in optional field [ThreatOriginalConfidence] (Schema:AuditEvent)
27 (2) Info: Empty value in 263 records (16.57%) in optional field [ThreatId] (Schema:AuditEvent) (2) Info: Empty value in 243 records (15.59%) in optional field [ThreatName] (Schema:AuditEvent)
28 (2) Info: Empty value in 263 records (16.57%) in optional field [ThreatOriginalConfidence] (Schema:AuditEvent) (2) Info: Empty value in 243 records (15.59%) in optional field [ValueType] (Schema:AuditEvent)
29 (2) Info: Empty value in 271 records (17.08%) in optional field [ThreatName] (Schema:AuditEvent) (2) Info: Empty value in 243 records (15.59%) in recommended field [NewValue] (Schema:AuditEvent)
30 (2) Info: Empty value in 543 records (34.22%) in optional field [ActorUserId] (Schema:AuditEvent) (2) Info: Empty value in 543 records (34.83%) in optional field [ActorUserId] (Schema:AuditEvent)
31 (2) Info: Empty value in 545 records (34.34%) in optional field [ActorUserType] (Schema:AuditEvent) (2) Info: Empty value in 545 records (34.96%) in optional field [ActorUserType] (Schema:AuditEvent)
32 (2) Info: Empty value in 545 records (34.34%) in recommended field [ActorUsername] (Schema:AuditEvent) (2) Info: Empty value in 545 records (34.96%) in recommended field [ActorUsername] (Schema:AuditEvent)
33 (2) Info: Empty value in 875 records (55.14%) in optional field [OldValue] (Schema:AuditEvent) (2) Info: Empty value in 847 records (54.33%) in optional field [OldValue] (Schema:AuditEvent)

2
Sample Data/ASIM/SentinelOne_ASimAuditEvent_IngestedLogs.csv
Просмотреть файл

@ -11,8 +11,6 @@ activityType_d,TimeGenerated [UTC],TenantId,SourceSystem,MG,ManagementGroupName,
61,"7/26/2023, 6:30:29.652 AM",1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71302311277097E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,9ffe4422-e8ca-4b8f-b410-8f70c86403d3,"7/26/2023, 6:11:34.909 AM",1.7374744509566E+018,The management user user1 issued a disconnect from network command to the machine DESKTOP-F1DPMEB.,,1.71250024242206E+018,Default site,"7/26/2023, 6:11:34.909 AM",1.71298647544447E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""computerName"": ""DESKTOP-F1DPMEB"", ""fullScopeDetails"": ""Group Crest Data Systems in Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site / Crest Data Systems"", ""groupName"": ""Crest Data Systems"", ""groupType"": ""Manual"", ""ipAddress"": null, ""scopeLevel"": ""Group"", ""scopeName"": ""Crest Data Systems"", ""siteName"": ""Default site"", ""username"": ""user1"", ""uuid"": ""20ee9f81027b432fb6c5d549705f3419""}",,,,,,,,,,,,,,,,,,,,,,1.71302996238084E+018,,Crest Data Systems,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL,
45,"7/26/2023, 6:00:10.808 AM",1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,458563c2-77af-43ec-94da-163413d19fdb,"7/26/2023, 5:49:19.381 AM",1.73746324776763E+018,The management user user1 turned off Auto decommission for all Sites.,IP address: 1.2.3.4,,,"7/26/2023, 5:49:19.381 AM",1.71298647544447E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.2.3.4"", ""newValue"": false, ""policy"": {""id"": ""1713026143600690038""}, ""policyName"": ""1713026143600690038"", ""realUser"": null, ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""username"": ""user1""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL,
3603,"7/27/2023, 5:50:03.003 AM",1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,2b188146-c69c-481c-bd1f-5498f8764508,"7/27/2023, 5:34:24.759 AM",1.73818051884118E+018,The management user user1 changed the status of the Network_GET rule from disabled to activating.,,,,"7/27/2023, 5:34:24.756 AM",1.72246596566398E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""commandCorrelationid"": ""526ca428-2928-4e9d-ac65-3e3b3f85d079"", ""commandTimestamp"": 1690436064701, ""expiryDateStr"": null, ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": null, ""networkquarantine"": false, ""oldStatus"": ""disabled"", ""ruleCreationTime"": 1690380217470, ""ruleDescription"": """", ""ruleExpirationMode"": ""permanent"", ""ruleId"": ""1737712037810380185"", ""ruleName"": ""Network_GET"", ""ruleQueryDetails"": ""Url = \""https://th.bing.com/th?id=OCGE.9p3c5sx31v9k_v2_main&w=90&h=90&c=1&rs=1&p=0\"" AND EventTime >= \""Jul 15, 2023 19:42:16\"""", ""ruleQueryType"": ""events"", ""ruleSeverity"": ""low"", ""scopeId"": 1712500237934148927, ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""status"": ""activating"", ""systemUser"": 0, ""treatasthreat"": ""malicious"", ""userId"": 1722465965663983441, ""username"": ""user1""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL,
67,"7/31/2023, 8:10:05.826 AM",1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,5fa60864-c413-4cc7-9355-249439407966,"7/31/2023, 7:53:03.633 AM",1.74114940552361E+018,The management user user1 enabled Two factor authentication on the user user1.,IP address: 1.2.3.4,,,"7/31/2023, 7:53:03.610 AM",1.73894939698783E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""user1"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.2.3.4"", ""newValue"": true, ""realUser"": null, ""role"": ""Admin"", ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""userScope"": ""account"", ""username"": ""user1""}",user1,True,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL,
147,"7/31/2023, 8:10:05.826 AM",1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,799c8282-d4ca-4e71-8cd9-5849edcd2243,"7/31/2023, 7:53:03.645 AM",1.74114940561588E+018,The Management User user1 successfully configured 2FA.,IP address: 1.2.3.4,,,"7/31/2023, 7:53:03.623 AM",1.73894939698783E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.2.3.4"", ""realUser"": null, ""role"": ""Admin"", ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""userScope"": ""account"", ""username"": ""user1""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL,
2030,"7/21/2023, 5:40:04.348 AM",1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.73097946686588E+018,,,1.73333300485309E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,ee0efeca-e129-487c-859f-e6defcb8184f,"7/21/2023, 5:20:45.666 AM",1.73382499337902E+018,The management user user1 changed the analyst verdict for Adwind.exe from Undefined to False positive.,,1.71250024242206E+018,Default site,"7/21/2023, 5:20:45.666 AM",1.71658347026226E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""computerName"": ""CLW547-"", ""escapedMaliciousProcessArguments"": null, ""fileDisplayName"": ""Adwind.exe"", ""filePath"": ""\\Device\\HarddiskVolume3\\Users\\Crest\\AppData\\Local\\Temp\\Temp7_The-MALWARE-Repo-master.zip\\The-MALWARE-Repo-master\\RAT\\Adwind.exe"", ""fullScopeDetails"": ""Group Crest Data Systems in Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site / Crest Data Systems"", ""groupName"": ""Crest Data Systems"", ""ipAddress"": null, ""newAnalystVerdict"": ""false_positive"", ""newAnalystVerdictTitle"": ""False positive"", ""oldAnalystVerdict"": ""undefined"", ""oldAnalystVerdictTitle"": ""Undefined"", ""realUser"": null, ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""threatClassification"": ""Malware"", ""threatClassificationSource"": ""Engine"", ""username"": ""user1""}",,,,,,,,,,,,,,,,,,,,,,1.71302996238084E+018,,Crest Data Systems,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL,
2028,"7/21/2023, 5:40:04.348 AM",1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.73097946686588E+018,,,1.73333300485309E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,15a90976-f730-438f-8907-defebe512275,"7/21/2023, 5:20:50.383 AM",1.73382503300681E+018,The management user user1 changed the incident status for Adwind.exe from Unresolved to Resolved,,1.71250024242206E+018,Default site,"7/21/2023, 5:20:50.383 AM",1.71658347026226E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""computerName"": ""CLW547-"", ""escapedMaliciousProcessArguments"": null, ""fileDisplayName"": ""Adwind.exe"", ""filePath"": ""\\Device\\HarddiskVolume3\\Users\\Crest\\AppData\\Local\\Temp\\Temp7_The-MALWARE-Repo-master.zip\\The-MALWARE-Repo-master\\RAT\\Adwind.exe"", ""fullScopeDetails"": ""Group Crest Data Systems in Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site / Crest Data Systems"", ""groupName"": ""Crest Data Systems"", ""ipAddress"": null, ""newIncidentStatus"": ""resolved"", ""newIncidentStatusTitle"": ""Resolved"", ""oldIncidentStatus"": ""unresolved"", ""oldIncidentStatusTitle"": ""Unresolved"", ""realUser"": null, ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""threatClassification"": ""Malware"", ""threatClassificationSource"": ""Engine"", ""username"": ""user1""}",,,,,,,,,,,,,,,,,,,,,,1.71302996238084E+018,,Crest Data Systems,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL,
3602,"7/21/2023, 10:20:03.249 AM",1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,bb34695c-ffde-41ac-93b5-54f508b74d26,"7/21/2023, 10:06:43.230 AM",1.73396892146054E+018,The management user user1 deleted the user1Test rule on the Account Crest Data Systems.,,,,"7/21/2023, 10:06:43.226 AM",1.71298647544447E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""commandCorrelationid"": ""728c7fd3-8acb-4023-8987-eab7687ab5ed"", ""commandTimestamp"": 1689934002810, ""expiryDateStr"": ""January 18 2024"", ""expiryTime"": 1705536000000, ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": null, ""networkquarantine"": false, ""ruleCreationTime"": 1689771043428, ""ruleDescription"": """", ""ruleExpirationMode"": ""temporary"", ""ruleId"": ""1732601915572150716"", ""ruleName"": ""user1Test"", ""ruleQueryDetails"": ""TgtFileSha1 = \""f30232697b3f54e58af08421da697262c99ec48b\"" AND EndpointName = \""CLW547-\"" AND EventType in ( \""Registry Key Create\"" )"", ""ruleQueryType"": ""events"", ""ruleSeverity"": ""medium"", ""scopeId"": 1712500237934148927, ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""status"": ""deleting"", ""systemUser"": 0, ""treatasthreat"": ""suspicious"", ""userId"": 1712986475444464777, ""username"": ""user1""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL,

1 activityType_d TimeGenerated [UTC] TenantId SourceSystem MG ManagementGroupName Computer RawData alertInfo_indicatorDescription_s alertInfo_indicatorName_s targetProcessInfo_tgtFileOldPath_s alertInfo_indicatorCategory_s alertInfo_registryOldValue_g alertInfo_dstIp_s alertInfo_dstPort_s alertInfo_netEventDirection_s alertInfo_srcIp_s alertInfo_srcPort_s containerInfo_id_s targetProcessInfo_tgtFileId_g alertInfo_registryOldValue_s alertInfo_registryOldValueType_s alertInfo_dnsRequest_s alertInfo_dnsResponse_s alertInfo_registryKeyPath_s alertInfo_registryPath_s alertInfo_registryValue_g ruleInfo_description_s alertInfo_registryValue_s alertInfo_loginAccountDomain_s alertInfo_loginAccountSid_s alertInfo_loginIsAdministratorEquivalent_s alertInfo_loginIsSuccessful_s alertInfo_loginType_s alertInfo_loginsUserName_s alertInfo_srcMachineIp_s targetProcessInfo_tgtProcCmdLine_s targetProcessInfo_tgtProcImagePath_s targetProcessInfo_tgtProcName_s targetProcessInfo_tgtProcPid_s targetProcessInfo_tgtProcSignedStatus_s targetProcessInfo_tgtProcStorylineId_s targetProcessInfo_tgtProcUid_s sourceParentProcessInfo_storyline_g sourceParentProcessInfo_uniqueId_g sourceProcessInfo_storyline_g sourceProcessInfo_uniqueId_g targetProcessInfo_tgtProcStorylineId_g targetProcessInfo_tgtProcUid_g agentDetectionInfo_machineType_s agentDetectionInfo_name_s agentDetectionInfo_osFamily_s agentDetectionInfo_osName_s agentDetectionInfo_osRevision_s agentDetectionInfo_uuid_g agentDetectionInfo_version_s agentRealtimeInfo_id_s agentRealtimeInfo_infected_b agentRealtimeInfo_isActive_b agentRealtimeInfo_isDecommissioned_b agentRealtimeInfo_machineType_s agentRealtimeInfo_name_s agentRealtimeInfo_os_s agentRealtimeInfo_uuid_g alertInfo_alertId_s alertInfo_analystVerdict_s alertInfo_createdAt_t [UTC] alertInfo_dvEventId_s alertInfo_eventType_s alertInfo_hitType_s alertInfo_incidentStatus_s alertInfo_isEdr_b alertInfo_reportedAt_t [UTC] alertInfo_source_s alertInfo_updatedAt_t [UTC] ruleInfo_id_s ruleInfo_name_s ruleInfo_queryLang_s ruleInfo_queryType_s ruleInfo_s1ql_s ruleInfo_scopeLevel_s ruleInfo_severity_s ruleInfo_treatAsThreat_s sourceParentProcessInfo_commandline_s sourceParentProcessInfo_fileHashMd5_g sourceParentProcessInfo_fileHashSha1_s sourceParentProcessInfo_fileHashSha256_s sourceParentProcessInfo_filePath_s sourceParentProcessInfo_fileSignerIdentity_s sourceParentProcessInfo_integrityLevel_s sourceParentProcessInfo_name_s sourceParentProcessInfo_pid_s sourceParentProcessInfo_pidStarttime_t [UTC] sourceParentProcessInfo_storyline_s sourceParentProcessInfo_subsystem_s sourceParentProcessInfo_uniqueId_s sourceParentProcessInfo_user_s sourceProcessInfo_commandline_s sourceProcessInfo_fileHashMd5_g sourceProcessInfo_fileHashSha1_s sourceProcessInfo_fileHashSha256_s sourceProcessInfo_filePath_s sourceProcessInfo_fileSignerIdentity_s sourceProcessInfo_integrityLevel_s sourceProcessInfo_name_s sourceProcessInfo_pid_s sourceProcessInfo_pidStarttime_t [UTC] sourceProcessInfo_storyline_s sourceProcessInfo_subsystem_s sourceProcessInfo_uniqueId_s sourceProcessInfo_user_s targetProcessInfo_tgtFileCreatedAt_t [UTC] targetProcessInfo_tgtFileHashSha1_s targetProcessInfo_tgtFileHashSha256_s targetProcessInfo_tgtFileId_s targetProcessInfo_tgtFileIsSigned_s targetProcessInfo_tgtFileModifiedAt_t [UTC] targetProcessInfo_tgtFilePath_s targetProcessInfo_tgtProcIntegrityLevel_s targetProcessInfo_tgtProcessStartTime_t [UTC] agentUpdatedVersion_s agentId_s hash_s osFamily_s threatId_s creator_s creatorId_s inherits_b isDefault_b name_s registrationToken_s totalAgents_d type_s agentDetectionInfo_accountId_s agentDetectionInfo_accountName_s agentDetectionInfo_agentDetectionState_s agentDetectionInfo_agentDomain_s agentDetectionInfo_agentIpV4_s agentDetectionInfo_agentIpV6_s agentDetectionInfo_agentLastLoggedInUserName_s agentDetectionInfo_agentMitigationMode_s agentDetectionInfo_agentOsName_s agentDetectionInfo_agentOsRevision_s agentDetectionInfo_agentRegisteredAt_t [UTC] agentDetectionInfo_agentUuid_g agentDetectionInfo_agentVersion_s agentDetectionInfo_externalIp_s agentDetectionInfo_groupId_s agentDetectionInfo_groupName_s agentDetectionInfo_siteId_s agentDetectionInfo_siteName_s agentRealtimeInfo_accountId_s agentRealtimeInfo_accountName_s agentRealtimeInfo_activeThreats_d agentRealtimeInfo_agentComputerName_s agentRealtimeInfo_agentDomain_s agentRealtimeInfo_agentId_s agentRealtimeInfo_agentInfected_b agentRealtimeInfo_agentIsActive_b agentRealtimeInfo_agentIsDecommissioned_b agentRealtimeInfo_agentMachineType_s agentRealtimeInfo_agentMitigationMode_s agentRealtimeInfo_agentNetworkStatus_s agentRealtimeInfo_agentOsName_s agentRealtimeInfo_agentOsRevision_s agentRealtimeInfo_agentOsType_s agentRealtimeInfo_agentUuid_g agentRealtimeInfo_agentVersion_s agentRealtimeInfo_groupId_s agentRealtimeInfo_groupName_s agentRealtimeInfo_networkInterfaces_s agentRealtimeInfo_operationalState_s agentRealtimeInfo_rebootRequired_b agentRealtimeInfo_scanFinishedAt_t [UTC] agentRealtimeInfo_scanStartedAt_t [UTC] agentRealtimeInfo_scanStatus_s agentRealtimeInfo_siteId_s agentRealtimeInfo_siteName_s agentRealtimeInfo_userActionsNeeded_s indicators_s mitigationStatus_s threatInfo_analystVerdict_s threatInfo_analystVerdictDescription_s threatInfo_automaticallyResolved_b threatInfo_certificateId_s threatInfo_classification_s threatInfo_classificationSource_s threatInfo_cloudFilesHashVerdict_s threatInfo_collectionId_s threatInfo_confidenceLevel_s threatInfo_createdAt_t [UTC] threatInfo_detectionEngines_s threatInfo_detectionType_s threatInfo_engines_s threatInfo_externalTicketExists_b threatInfo_failedActions_b threatInfo_fileExtension_s threatInfo_fileExtensionType_s threatInfo_filePath_s threatInfo_fileSize_d threatInfo_fileVerificationType_s threatInfo_identifiedAt_t [UTC] threatInfo_incidentStatus_s threatInfo_incidentStatusDescription_s threatInfo_initiatedBy_s threatInfo_initiatedByDescription_s threatInfo_isFileless_b threatInfo_isValidCertificate_b threatInfo_mitigatedPreemptively_b threatInfo_mitigationStatus_s threatInfo_mitigationStatusDescription_s threatInfo_originatorProcess_s threatInfo_pendingActions_b threatInfo_processUser_s threatInfo_publisherName_s threatInfo_reachedEventsLimit_b threatInfo_rebootRequired_b threatInfo_sha1_s threatInfo_storyline_s threatInfo_threatId_s threatInfo_threatName_s threatInfo_updatedAt_t [UTC] whiteningOptions_s threatInfo_maliciousProcessArguments_s threatInfo_fileExtension_g threatInfo_threatName_g threatInfo_storyline_g accountId_s accountName_s activityUuid_g createdAt_t [UTC] id_s primaryDescription_s secondaryDescription_s siteId_s siteName_s updatedAt_t [UTC] userId_s event_name_s DataFields_s description_s comments_s activeDirectory_computerMemberOf_s activeDirectory_lastUserMemberOf_s activeThreats_d agentVersion_s allowRemoteShell_b appsVulnerabilityStatus_s computerName_s consoleMigrationStatus_s coreCount_d cpuCount_d cpuId_s detectionState_s domain_s encryptedApplications_b externalId_s externalIp_s firewallEnabled_b firstFullModeTime_t [UTC] fullDiskScanLastUpdatedAt_t [UTC] groupId_s groupIp_s groupName_s inRemoteShellSession_b infected_b installerType_s isActive_b isDecommissioned_b isPendingUninstall_b isUninstalled_b isUpToDate_b lastActiveDate_t [UTC] lastIpToMgmt_s lastLoggedInUserName_s licenseKey_s locationEnabled_b locationType_s locations_s machineType_s mitigationMode_s mitigationModeSuspicious_s modelName_s networkInterfaces_s networkQuarantineEnabled_b networkStatus_s operationalState_s osArch_s osName_s osRevision_s osStartTime_t [UTC] osType_s rangerStatus_s rangerVersion_s registeredAt_t [UTC] remoteProfilingState_s scanFinishedAt_t [UTC] scanStartedAt_t [UTC] scanStatus_s serialNumber_s showAlertIcon_b tags_sentinelone_s threatRebootRequired_b totalMemory_d userActionsNeeded_s uuid_g osUsername_s scanAbortedAt_t [UTC] activeDirectory_computerDistinguishedName_s activeDirectory_lastUserDistinguishedName_s Type _ResourceId
11 61 7/26/2023, 6:30:29.652 AM 1a0e2567-2e58-4989-ad18-206108185325 RestAPI 1.71302311277097E+018 1.71250023793415E+018 Crest Data Systems 9ffe4422-e8ca-4b8f-b410-8f70c86403d3 7/26/2023, 6:11:34.909 AM 1.7374744509566E+018 The management user user1 issued a disconnect from network command to the machine DESKTOP-F1DPMEB. 1.71250024242206E+018 Default site 7/26/2023, 6:11:34.909 AM 1.71298647544447E+018 Activities. {"accountName": "Crest Data Systems", "computerName": "DESKTOP-F1DPMEB", "fullScopeDetails": "Group Crest Data Systems in Site Default site of Account Crest Data Systems", "fullScopeDetailsPath": "Global / Crest Data Systems / Default site / Crest Data Systems", "groupName": "Crest Data Systems", "groupType": "Manual", "ipAddress": null, "scopeLevel": "Group", "scopeName": "Crest Data Systems", "siteName": "Default site", "username": "user1", "uuid": "20ee9f81027b432fb6c5d549705f3419"} 1.71302996238084E+018 Crest Data Systems SentinelOne_CL
12 45 7/26/2023, 6:00:10.808 AM 1a0e2567-2e58-4989-ad18-206108185325 RestAPI 1.71250023793415E+018 Crest Data Systems 458563c2-77af-43ec-94da-163413d19fdb 7/26/2023, 5:49:19.381 AM 1.73746324776763E+018 The management user user1 turned off Auto decommission for all Sites. IP address: 1.2.3.4 7/26/2023, 5:49:19.381 AM 1.71298647544447E+018 Activities. {"accountName": "Crest Data Systems", "fullScopeDetails": "Account Crest Data Systems", "fullScopeDetailsPath": "Global / Crest Data Systems", "groupName": null, "ipAddress": "1.2.3.4", "newValue": false, "policy": {"id": "1713026143600690038"}, "policyName": "1713026143600690038", "realUser": null, "scopeLevel": "Account", "scopeName": "Crest Data Systems", "siteName": null, "sourceType": "UI", "username": "user1"} SentinelOne_CL
13 3603 7/27/2023, 5:50:03.003 AM 1a0e2567-2e58-4989-ad18-206108185325 RestAPI 1.71250023793415E+018 Crest Data Systems 2b188146-c69c-481c-bd1f-5498f8764508 7/27/2023, 5:34:24.759 AM 1.73818051884118E+018 The management user user1 changed the status of the Network_GET rule from disabled to activating. 7/27/2023, 5:34:24.756 AM 1.72246596566398E+018 Activities. {"accountName": "Crest Data Systems", "commandCorrelationid": "526ca428-2928-4e9d-ac65-3e3b3f85d079", "commandTimestamp": 1690436064701, "expiryDateStr": null, "fullScopeDetails": "Account Crest Data Systems", "fullScopeDetailsPath": "Global / Crest Data Systems", "groupName": null, "ipAddress": null, "networkquarantine": false, "oldStatus": "disabled", "ruleCreationTime": 1690380217470, "ruleDescription": "", "ruleExpirationMode": "permanent", "ruleId": "1737712037810380185", "ruleName": "Network_GET", "ruleQueryDetails": "Url = \"https://th.bing.com/th?id=OCGE.9p3c5sx31v9k_v2_main&w=90&h=90&c=1&rs=1&p=0\" AND EventTime >= \"Jul 15, 2023 19:42:16\"", "ruleQueryType": "events", "ruleSeverity": "low", "scopeId": 1712500237934148927, "scopeLevel": "Account", "scopeName": "Crest Data Systems", "siteName": null, "status": "activating", "systemUser": 0, "treatasthreat": "malicious", "userId": 1722465965663983441, "username": "user1"} SentinelOne_CL
67 7/31/2023, 8:10:05.826 AM 1a0e2567-2e58-4989-ad18-206108185325 RestAPI 1.71250023793415E+018 Crest Data Systems 5fa60864-c413-4cc7-9355-249439407966 7/31/2023, 7:53:03.633 AM 1.74114940552361E+018 The management user user1 enabled Two factor authentication on the user user1. IP address: 1.2.3.4 7/31/2023, 7:53:03.610 AM 1.73894939698783E+018 Activities. {"accountName": "Crest Data Systems", "byUser": "user1", "fullScopeDetails": "Account Crest Data Systems", "fullScopeDetailsPath": "Global / Crest Data Systems", "groupName": null, "ipAddress": "1.2.3.4", "newValue": true, "realUser": null, "role": "Admin", "scopeLevel": "Account", "scopeName": "Crest Data Systems", "siteName": null, "sourceType": "UI", "userScope": "account", "username": "user1"} user1 True SentinelOne_CL
147 7/31/2023, 8:10:05.826 AM 1a0e2567-2e58-4989-ad18-206108185325 RestAPI 1.71250023793415E+018 Crest Data Systems 799c8282-d4ca-4e71-8cd9-5849edcd2243 7/31/2023, 7:53:03.645 AM 1.74114940561588E+018 The Management User user1 successfully configured 2FA. IP address: 1.2.3.4 7/31/2023, 7:53:03.623 AM 1.73894939698783E+018 Activities. {"accountName": "Crest Data Systems", "fullScopeDetails": "Account Crest Data Systems", "fullScopeDetailsPath": "Global / Crest Data Systems", "groupName": null, "ipAddress": "1.2.3.4", "realUser": null, "role": "Admin", "scopeLevel": "Account", "scopeName": "Crest Data Systems", "siteName": null, "sourceType": "UI", "userScope": "account", "username": "user1"} SentinelOne_CL
14 2030 7/21/2023, 5:40:04.348 AM 1a0e2567-2e58-4989-ad18-206108185325 RestAPI 1.73097946686588E+018 1.73333300485309E+018 1.71250023793415E+018 Crest Data Systems ee0efeca-e129-487c-859f-e6defcb8184f 7/21/2023, 5:20:45.666 AM 1.73382499337902E+018 The management user user1 changed the analyst verdict for Adwind.exe from Undefined to False positive. 1.71250024242206E+018 Default site 7/21/2023, 5:20:45.666 AM 1.71658347026226E+018 Activities. {"accountName": "Crest Data Systems", "computerName": "CLW547-", "escapedMaliciousProcessArguments": null, "fileDisplayName": "Adwind.exe", "filePath": "\\Device\\HarddiskVolume3\\Users\\Crest\\AppData\\Local\\Temp\\Temp7_The-MALWARE-Repo-master.zip\\The-MALWARE-Repo-master\\RAT\\Adwind.exe", "fullScopeDetails": "Group Crest Data Systems in Site Default site of Account Crest Data Systems", "fullScopeDetailsPath": "Global / Crest Data Systems / Default site / Crest Data Systems", "groupName": "Crest Data Systems", "ipAddress": null, "newAnalystVerdict": "false_positive", "newAnalystVerdictTitle": "False positive", "oldAnalystVerdict": "undefined", "oldAnalystVerdictTitle": "Undefined", "realUser": null, "siteName": "Default site", "sourceType": "UI", "threatClassification": "Malware", "threatClassificationSource": "Engine", "username": "user1"} 1.71302996238084E+018 Crest Data Systems SentinelOne_CL
15 2028 7/21/2023, 5:40:04.348 AM 1a0e2567-2e58-4989-ad18-206108185325 RestAPI 1.73097946686588E+018 1.73333300485309E+018 1.71250023793415E+018 Crest Data Systems 15a90976-f730-438f-8907-defebe512275 7/21/2023, 5:20:50.383 AM 1.73382503300681E+018 The management user user1 changed the incident status for Adwind.exe from Unresolved to Resolved 1.71250024242206E+018 Default site 7/21/2023, 5:20:50.383 AM 1.71658347026226E+018 Activities. {"accountName": "Crest Data Systems", "computerName": "CLW547-", "escapedMaliciousProcessArguments": null, "fileDisplayName": "Adwind.exe", "filePath": "\\Device\\HarddiskVolume3\\Users\\Crest\\AppData\\Local\\Temp\\Temp7_The-MALWARE-Repo-master.zip\\The-MALWARE-Repo-master\\RAT\\Adwind.exe", "fullScopeDetails": "Group Crest Data Systems in Site Default site of Account Crest Data Systems", "fullScopeDetailsPath": "Global / Crest Data Systems / Default site / Crest Data Systems", "groupName": "Crest Data Systems", "ipAddress": null, "newIncidentStatus": "resolved", "newIncidentStatusTitle": "Resolved", "oldIncidentStatus": "unresolved", "oldIncidentStatusTitle": "Unresolved", "realUser": null, "siteName": "Default site", "sourceType": "UI", "threatClassification": "Malware", "threatClassificationSource": "Engine", "username": "user1"} 1.71302996238084E+018 Crest Data Systems SentinelOne_CL
16 3602 7/21/2023, 10:20:03.249 AM 1a0e2567-2e58-4989-ad18-206108185325 RestAPI 1.71250023793415E+018 Crest Data Systems bb34695c-ffde-41ac-93b5-54f508b74d26 7/21/2023, 10:06:43.230 AM 1.73396892146054E+018 The management user user1 deleted the user1Test rule on the Account Crest Data Systems. 7/21/2023, 10:06:43.226 AM 1.71298647544447E+018 Activities. {"accountName": "Crest Data Systems", "commandCorrelationid": "728c7fd3-8acb-4023-8987-eab7687ab5ed", "commandTimestamp": 1689934002810, "expiryDateStr": "January 18 2024", "expiryTime": 1705536000000, "fullScopeDetails": "Account Crest Data Systems", "fullScopeDetailsPath": "Global / Crest Data Systems", "groupName": null, "ipAddress": null, "networkquarantine": false, "ruleCreationTime": 1689771043428, "ruleDescription": "", "ruleExpirationMode": "temporary", "ruleId": "1732601915572150716", "ruleName": "user1Test", "ruleQueryDetails": "TgtFileSha1 = \"f30232697b3f54e58af08421da697262c99ec48b\" AND EndpointName = \"CLW547-\" AND EventType in ( \"Registry Key Create\" )", "ruleQueryType": "events", "ruleSeverity": "medium", "scopeId": 1712500237934148927, "scopeLevel": "Account", "scopeName": "Crest Data Systems", "siteName": null, "status": "deleting", "systemUser": 0, "treatasthreat": "suspicious", "userId": 1712986475444464777, "username": "user1"} SentinelOne_CL

634
Sample Data/ASIM/SentinelOne_ASimAuditEvent_RawLogs.json
Просмотреть файл

@ -3844,640 +3844,6 @@
"Type": "SentinelOne_CL",
"_ResourceId": ""
},
{
"activityType": 67,
"TimeGenerated": "7/31/2023, 8:10:05.826 AM",
"TenantId": "1a0e2567-2e58-4989-ad18-206108185325",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"Computer": "",
"RawData": "",
"alertInfo_indicatorDescription": "",
"alertInfo_indicatorName": "",
"targetProcessInfo_tgtFileOldPath": "",
"alertInfo_indicatorCategory": "",
"alertInfo_registryOldValue": "",
"alertInfo_dstIp": "",
"alertInfo_dstPort": "",
"alertInfo_netEventDirection": "",
"alertInfo_srcIp": "",
"alertInfo_srcPort": "",
"containerInfo_id": "",
"targetProcessInfo_tgtFileId": "",
"alertInfo_registryOldValueType": "",
"alertInfo_dnsRequest": "",
"alertInfo_dnsResponse": "",
"alertInfo_registryKeyPath": "",
"alertInfo_registryPath": "",
"alertInfo_registryValue": "",
"ruleInfo_description": "",
"alertInfo_loginAccountDomain": "",
"alertInfo_loginAccountSid": "",
"alertInfo_loginIsAdministratorEquivalent": "",
"alertInfo_loginIsSuccessful": "",
"alertInfo_loginType": "",
"alertInfo_loginsUserName": "",
"alertInfo_srcMachineIp": "",
"targetProcessInfo_tgtProcCmdLine": "",
"targetProcessInfo_tgtProcImagePath": "",
"targetProcessInfo_tgtProcName": "",
"targetProcessInfo_tgtProcPid": "",
"targetProcessInfo_tgtProcSignedStatus": "",
"targetProcessInfo_tgtProcStorylineId": "",
"targetProcessInfo_tgtProcUid": "",
"sourceParentProcessInfo_storyline": "",
"sourceParentProcessInfo_uniqueId": "",
"sourceProcessInfo_storyline": "",
"sourceProcessInfo_uniqueId": "",
"agentDetectionInfo_machineType": "",
"agentDetectionInfo_name": "",
"agentDetectionInfo_osFamily": "",
"agentDetectionInfo_osName": "",
"agentDetectionInfo_osRevision": "",
"agentDetectionInfo_uuid": "",
"agentDetectionInfo_version": "",
"agentRealtimeInfo_id": "",
"agentRealtimeInfo_infected": "",
"agentRealtimeInfo_isActive": "",
"agentRealtimeInfo_isDecommissioned": "",
"agentRealtimeInfo_machineType": "",
"agentRealtimeInfo_name": "",
"agentRealtimeInfo_os": "",
"agentRealtimeInfo_uuid": "",
"alertInfo_alertId": "",
"alertInfo_analystVerdict": "",
"alertInfo_createdAt": "",
"alertInfo_dvEventId": "",
"alertInfo_eventType": "",
"alertInfo_hitType": "",
"alertInfo_incidentStatus": "",
"alertInfo_isEdr": "",
"alertInfo_reportedAt": "",
"alertInfo_source": "",
"alertInfo_updatedAt": "",
"ruleInfo_id": "",
"ruleInfo_name": "",
"ruleInfo_queryLang": "",
"ruleInfo_queryType": "",
"ruleInfo_s1ql": "",
"ruleInfo_scopeLevel": "",
"ruleInfo_severity": "",
"ruleInfo_treatAsThreat": "",
"sourceParentProcessInfo_commandline": "",
"sourceParentProcessInfo_fileHashMd5": "",
"sourceParentProcessInfo_fileHashSha1": "",
"sourceParentProcessInfo_fileHashSha256": "",
"sourceParentProcessInfo_filePath": "",
"sourceParentProcessInfo_fileSignerIdentity": "",
"sourceParentProcessInfo_integrityLevel": "",
"sourceParentProcessInfo_name": "",
"sourceParentProcessInfo_pid": "",
"sourceParentProcessInfo_pidStarttime": "",
"sourceParentProcessInfo_subsystem": "",
"sourceParentProcessInfo_user": "",
"sourceProcessInfo_commandline": "",
"sourceProcessInfo_fileHashMd5": "",
"sourceProcessInfo_fileHashSha1": "",
"sourceProcessInfo_fileHashSha256": "",
"sourceProcessInfo_filePath": "",
"sourceProcessInfo_fileSignerIdentity": "",
"sourceProcessInfo_integrityLevel": "",
"sourceProcessInfo_name": "",
"sourceProcessInfo_pid": "",
"sourceProcessInfo_pidStarttime": "",
"sourceProcessInfo_subsystem": "",
"sourceProcessInfo_user": "",
"targetProcessInfo_tgtFileCreatedAt": "",
"targetProcessInfo_tgtFileHashSha1": "",
"targetProcessInfo_tgtFileHashSha256": "",
"targetProcessInfo_tgtFileIsSigned": "",
"targetProcessInfo_tgtFileModifiedAt": "",
"targetProcessInfo_tgtFilePath": "",
"targetProcessInfo_tgtProcIntegrityLevel": "",
"targetProcessInfo_tgtProcessStartTime": "",
"agentUpdatedVersion": "",
"agentId": "",
"hash": "",
"osFamily": "",
"threatId": "",
"creator": "",
"creatorId": "",
"inherits": "",
"isDefault": "",
"name": "",
"registrationToken": "",
"totalAgents": "",
"type": "",
"agentDetectionInfo_accountId": "",
"agentDetectionInfo_accountName": "",
"agentDetectionInfo_agentDetectionState": "",
"agentDetectionInfo_agentDomain": "",
"agentDetectionInfo_agentIpV4": "",
"agentDetectionInfo_agentIpV6": "",
"agentDetectionInfo_agentLastLoggedInUserName": "",
"agentDetectionInfo_agentMitigationMode": "",
"agentDetectionInfo_agentOsName": "",
"agentDetectionInfo_agentOsRevision": "",
"agentDetectionInfo_agentRegisteredAt": "",
"agentDetectionInfo_agentUuid": "",
"agentDetectionInfo_agentVersion": "",
"agentDetectionInfo_externalIp": "",
"agentDetectionInfo_groupId": "",
"agentDetectionInfo_groupName": "",
"agentDetectionInfo_siteId": "",
"agentDetectionInfo_siteName": "",
"agentRealtimeInfo_accountId": "",
"agentRealtimeInfo_accountName": "",
"agentRealtimeInfo_activeThreats": "",
"agentRealtimeInfo_agentComputerName": "",
"agentRealtimeInfo_agentDomain": "",
"agentRealtimeInfo_agentId": "",
"agentRealtimeInfo_agentInfected": "",
"agentRealtimeInfo_agentIsActive": "",
"agentRealtimeInfo_agentIsDecommissioned": "",
"agentRealtimeInfo_agentMachineType": "",
"agentRealtimeInfo_agentMitigationMode": "",
"agentRealtimeInfo_agentNetworkStatus": "",
"agentRealtimeInfo_agentOsName": "",
"agentRealtimeInfo_agentOsRevision": "",
"agentRealtimeInfo_agentOsType": "",
"agentRealtimeInfo_agentUuid": "",
"agentRealtimeInfo_agentVersion": "",
"agentRealtimeInfo_groupId": "",
"agentRealtimeInfo_groupName": "",
"agentRealtimeInfo_networkInterfaces": "",
"agentRealtimeInfo_operationalState": "",
"agentRealtimeInfo_rebootRequired": "",
"agentRealtimeInfo_scanFinishedAt": "",
"agentRealtimeInfo_scanStartedAt": "",
"agentRealtimeInfo_scanStatus": "",
"agentRealtimeInfo_siteId": "",
"agentRealtimeInfo_siteName": "",
"agentRealtimeInfo_userActionsNeeded": "",
"indicators": "",
"mitigationStatus": "",
"threatInfo_analystVerdict": "",
"threatInfo_analystVerdictDescription": "",
"threatInfo_automaticallyResolved": "",
"threatInfo_certificateId": "",
"threatInfo_classification": "",
"threatInfo_classificationSource": "",
"threatInfo_cloudFilesHashVerdict": "",
"threatInfo_collectionId": "",
"threatInfo_confidenceLevel": "",
"threatInfo_createdAt": "",
"threatInfo_detectionEngines": "",
"threatInfo_detectionType": "",
"threatInfo_engines": "",
"threatInfo_externalTicketExists": "",
"threatInfo_failedActions": "",
"threatInfo_fileExtension": "",
"threatInfo_fileExtensionType": "",
"threatInfo_filePath": "",
"threatInfo_fileSize": "",
"threatInfo_fileVerificationType": "",
"threatInfo_identifiedAt": "",
"threatInfo_incidentStatus": "",
"threatInfo_incidentStatusDescription": "",
"threatInfo_initiatedBy": "",
"threatInfo_initiatedByDescription": "",
"threatInfo_isFileless": "",
"threatInfo_isValidCertificate": "",
"threatInfo_mitigatedPreemptively": "",
"threatInfo_mitigationStatus": "",
"threatInfo_mitigationStatusDescription": "",
"threatInfo_originatorProcess": "",
"threatInfo_pendingActions": "",
"threatInfo_processUser": "",
"threatInfo_publisherName": "",
"threatInfo_reachedEventsLimit": "",
"threatInfo_rebootRequired": "",
"threatInfo_sha1": "",
"threatInfo_storyline": "",
"threatInfo_threatId": "",
"threatInfo_threatName": "",
"threatInfo_updatedAt": "",
"whiteningOptions": "",
"threatInfo_maliciousProcessArguments": "",
"accountId": 1712500237934148900,
"accountName": "Crest Data Systems",
"activityUuid": "5fa60864-c413-4cc7-9355-249439407966",
"createdAt": "7/31/2023, 7:53:03.633 AM",
"id": 1741149405523608000,
"primaryDescription": "The management user user1 enabled Two factor authentication on the user user1.",
"secondaryDescription": "IP address: 1.2.3.4",
"siteId": "",
"siteName": "",
"updatedAt": "7/31/2023, 7:53:03.610 AM",
"userId": 1738949396987828700,
"event_name": "Activities.",
"DataFields": {
"accountName": "Crest Data Systems",
"byUser": "user1",
"fullScopeDetails": "Account Crest Data Systems",
"fullScopeDetailsPath": "Global / Crest Data Systems",
"groupName": null,
"ipAddress": "1.2.3.4",
"newValue": true,
"realUser": null,
"role": "Admin",
"scopeLevel": "Account",
"scopeName": "Crest Data Systems",
"siteName": null,
"sourceType": "UI",
"userScope": "account",
"username": "user1"
},
"description": "user1",
"comments": "True",
"activeDirectory_computerMemberOf": "",
"activeDirectory_lastUserMemberOf": "",
"activeThreats": "",
"agentVersion": "",
"allowRemoteShell": "",
"appsVulnerabilityStatus": "",
"computerName": "",
"consoleMigrationStatus": "",
"coreCount": "",
"cpuCount": "",
"cpuId": "",
"detectionState": "",
"domain": "",
"encryptedApplications": "",
"externalId": "",
"externalIp": "",
"firewallEnabled": "",
"firstFullModeTime": "",
"fullDiskScanLastUpdatedAt": "",
"groupId": "",
"groupIp": "",
"groupName": "",
"inRemoteShellSession": "",
"infected": "",
"installerType": "",
"isActive": "",
"isDecommissioned": "",
"isPendingUninstall": "",
"isUninstalled": "",
"isUpToDate": "",
"lastActiveDate": "",
"lastIpToMgmt": "",
"lastLoggedInUserName": "",
"licenseKey": "",
"locationEnabled": "",
"locationType": "",
"locations": "",
"machineType": "",
"mitigationMode": "",
"mitigationModeSuspicious": "",
"modelName": "",
"networkInterfaces": "",
"networkQuarantineEnabled": "",
"networkStatus": "",
"operationalState": "",
"osArch": "",
"osName": "",
"osRevision": "",
"osStartTime": "",
"osType": "",
"rangerStatus": "",
"rangerVersion": "",
"registeredAt": "",
"remoteProfilingState": "",
"scanFinishedAt": "",
"scanStartedAt": "",
"scanStatus": "",
"serialNumber": "",
"showAlertIcon": "",
"tags_sentinelone": "",
"threatRebootRequired": "",
"totalMemory": "",
"userActionsNeeded": "",
"uuid": "",
"osUsername": "",
"scanAbortedAt": "",
"activeDirectory_computerDistinguishedName": "",
"activeDirectory_lastUserDistinguishedName": "",
"Type": "SentinelOne_CL",
"_ResourceId": ""
},
{
"activityType": 147,
"TimeGenerated": "7/31/2023, 8:10:05.826 AM",
"TenantId": "1a0e2567-2e58-4989-ad18-206108185325",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"Computer": "",
"RawData": "",
"alertInfo_indicatorDescription": "",
"alertInfo_indicatorName": "",
"targetProcessInfo_tgtFileOldPath": "",
"alertInfo_indicatorCategory": "",
"alertInfo_registryOldValue": "",
"alertInfo_dstIp": "",
"alertInfo_dstPort": "",
"alertInfo_netEventDirection": "",
"alertInfo_srcIp": "",
"alertInfo_srcPort": "",
"containerInfo_id": "",
"targetProcessInfo_tgtFileId": "",
"alertInfo_registryOldValueType": "",
"alertInfo_dnsRequest": "",
"alertInfo_dnsResponse": "",
"alertInfo_registryKeyPath": "",
"alertInfo_registryPath": "",
"alertInfo_registryValue": "",
"ruleInfo_description": "",
"alertInfo_loginAccountDomain": "",
"alertInfo_loginAccountSid": "",
"alertInfo_loginIsAdministratorEquivalent": "",
"alertInfo_loginIsSuccessful": "",
"alertInfo_loginType": "",
"alertInfo_loginsUserName": "",
"alertInfo_srcMachineIp": "",
"targetProcessInfo_tgtProcCmdLine": "",
"targetProcessInfo_tgtProcImagePath": "",
"targetProcessInfo_tgtProcName": "",
"targetProcessInfo_tgtProcPid": "",
"targetProcessInfo_tgtProcSignedStatus": "",
"targetProcessInfo_tgtProcStorylineId": "",
"targetProcessInfo_tgtProcUid": "",
"sourceParentProcessInfo_storyline": "",
"sourceParentProcessInfo_uniqueId": "",
"sourceProcessInfo_storyline": "",
"sourceProcessInfo_uniqueId": "",
"agentDetectionInfo_machineType": "",
"agentDetectionInfo_name": "",
"agentDetectionInfo_osFamily": "",
"agentDetectionInfo_osName": "",
"agentDetectionInfo_osRevision": "",
"agentDetectionInfo_uuid": "",
"agentDetectionInfo_version": "",
"agentRealtimeInfo_id": "",
"agentRealtimeInfo_infected": "",
"agentRealtimeInfo_isActive": "",
"agentRealtimeInfo_isDecommissioned": "",
"agentRealtimeInfo_machineType": "",
"agentRealtimeInfo_name": "",
"agentRealtimeInfo_os": "",
"agentRealtimeInfo_uuid": "",
"alertInfo_alertId": "",
"alertInfo_analystVerdict": "",
"alertInfo_createdAt": "",
"alertInfo_dvEventId": "",
"alertInfo_eventType": "",
"alertInfo_hitType": "",
"alertInfo_incidentStatus": "",
"alertInfo_isEdr": "",
"alertInfo_reportedAt": "",
"alertInfo_source": "",
"alertInfo_updatedAt": "",
"ruleInfo_id": "",
"ruleInfo_name": "",
"ruleInfo_queryLang": "",
"ruleInfo_queryType": "",
"ruleInfo_s1ql": "",
"ruleInfo_scopeLevel": "",
"ruleInfo_severity": "",
"ruleInfo_treatAsThreat": "",
"sourceParentProcessInfo_commandline": "",
"sourceParentProcessInfo_fileHashMd5": "",
"sourceParentProcessInfo_fileHashSha1": "",
"sourceParentProcessInfo_fileHashSha256": "",
"sourceParentProcessInfo_filePath": "",
"sourceParentProcessInfo_fileSignerIdentity": "",
"sourceParentProcessInfo_integrityLevel": "",
"sourceParentProcessInfo_name": "",
"sourceParentProcessInfo_pid": "",
"sourceParentProcessInfo_pidStarttime": "",
"sourceParentProcessInfo_subsystem": "",
"sourceParentProcessInfo_user": "",
"sourceProcessInfo_commandline": "",
"sourceProcessInfo_fileHashMd5": "",
"sourceProcessInfo_fileHashSha1": "",
"sourceProcessInfo_fileHashSha256": "",
"sourceProcessInfo_filePath": "",
"sourceProcessInfo_fileSignerIdentity": "",
"sourceProcessInfo_integrityLevel": "",
"sourceProcessInfo_name": "",
"sourceProcessInfo_pid": "",
"sourceProcessInfo_pidStarttime": "",
"sourceProcessInfo_subsystem": "",
"sourceProcessInfo_user": "",
"targetProcessInfo_tgtFileCreatedAt": "",
"targetProcessInfo_tgtFileHashSha1": "",
"targetProcessInfo_tgtFileHashSha256": "",
"targetProcessInfo_tgtFileIsSigned": "",
"targetProcessInfo_tgtFileModifiedAt": "",
"targetProcessInfo_tgtFilePath": "",
"targetProcessInfo_tgtProcIntegrityLevel": "",
"targetProcessInfo_tgtProcessStartTime": "",
"agentUpdatedVersion": "",
"agentId": "",
"hash": "",
"osFamily": "",
"threatId": "",
"creator": "",
"creatorId": "",
"inherits": "",
"isDefault": "",
"name": "",
"registrationToken": "",
"totalAgents": "",
"type": "",
"agentDetectionInfo_accountId": "",
"agentDetectionInfo_accountName": "",
"agentDetectionInfo_agentDetectionState": "",
"agentDetectionInfo_agentDomain": "",
"agentDetectionInfo_agentIpV4": "",
"agentDetectionInfo_agentIpV6": "",
"agentDetectionInfo_agentLastLoggedInUserName": "",
"agentDetectionInfo_agentMitigationMode": "",
"agentDetectionInfo_agentOsName": "",
"agentDetectionInfo_agentOsRevision": "",
"agentDetectionInfo_agentRegisteredAt": "",
"agentDetectionInfo_agentUuid": "",
"agentDetectionInfo_agentVersion": "",
"agentDetectionInfo_externalIp": "",
"agentDetectionInfo_groupId": "",
"agentDetectionInfo_groupName": "",
"agentDetectionInfo_siteId": "",
"agentDetectionInfo_siteName": "",
"agentRealtimeInfo_accountId": "",
"agentRealtimeInfo_accountName": "",
"agentRealtimeInfo_activeThreats": "",
"agentRealtimeInfo_agentComputerName": "",
"agentRealtimeInfo_agentDomain": "",
"agentRealtimeInfo_agentId": "",
"agentRealtimeInfo_agentInfected": "",
"agentRealtimeInfo_agentIsActive": "",
"agentRealtimeInfo_agentIsDecommissioned": "",
"agentRealtimeInfo_agentMachineType": "",
"agentRealtimeInfo_agentMitigationMode": "",
"agentRealtimeInfo_agentNetworkStatus": "",
"agentRealtimeInfo_agentOsName": "",
"agentRealtimeInfo_agentOsRevision": "",
"agentRealtimeInfo_agentOsType": "",
"agentRealtimeInfo_agentUuid": "",
"agentRealtimeInfo_agentVersion": "",
"agentRealtimeInfo_groupId": "",
"agentRealtimeInfo_groupName": "",
"agentRealtimeInfo_networkInterfaces": "",
"agentRealtimeInfo_operationalState": "",
"agentRealtimeInfo_rebootRequired": "",
"agentRealtimeInfo_scanFinishedAt": "",
"agentRealtimeInfo_scanStartedAt": "",
"agentRealtimeInfo_scanStatus": "",
"agentRealtimeInfo_siteId": "",
"agentRealtimeInfo_siteName": "",
"agentRealtimeInfo_userActionsNeeded": "",
"indicators": "",
"mitigationStatus": "",
"threatInfo_analystVerdict": "",
"threatInfo_analystVerdictDescription": "",
"threatInfo_automaticallyResolved": "",
"threatInfo_certificateId": "",
"threatInfo_classification": "",
"threatInfo_classificationSource": "",
"threatInfo_cloudFilesHashVerdict": "",
"threatInfo_collectionId": "",
"threatInfo_confidenceLevel": "",
"threatInfo_createdAt": "",
"threatInfo_detectionEngines": "",
"threatInfo_detectionType": "",
"threatInfo_engines": "",
"threatInfo_externalTicketExists": "",
"threatInfo_failedActions": "",
"threatInfo_fileExtension": "",
"threatInfo_fileExtensionType": "",
"threatInfo_filePath": "",
"threatInfo_fileSize": "",
"threatInfo_fileVerificationType": "",
"threatInfo_identifiedAt": "",
"threatInfo_incidentStatus": "",
"threatInfo_incidentStatusDescription": "",
"threatInfo_initiatedBy": "",
"threatInfo_initiatedByDescription": "",
"threatInfo_isFileless": "",
"threatInfo_isValidCertificate": "",
"threatInfo_mitigatedPreemptively": "",
"threatInfo_mitigationStatus": "",
"threatInfo_mitigationStatusDescription": "",
"threatInfo_originatorProcess": "",
"threatInfo_pendingActions": "",
"threatInfo_processUser": "",
"threatInfo_publisherName": "",
"threatInfo_reachedEventsLimit": "",
"threatInfo_rebootRequired": "",
"threatInfo_sha1": "",
"threatInfo_storyline": "",
"threatInfo_threatId": "",
"threatInfo_threatName": "",
"threatInfo_updatedAt": "",
"whiteningOptions": "",
"threatInfo_maliciousProcessArguments": "",
"accountId": 1712500237934148900,
"accountName": "Crest Data Systems",
"activityUuid": "799c8282-d4ca-4e71-8cd9-5849edcd2243",
"createdAt": "7/31/2023, 7:53:03.645 AM",
"id": 1741149405615882800,
"primaryDescription": "The Management User user1 successfully configured 2FA.",
"secondaryDescription": "IP address: 1.2.3.4",
"siteId": "",
"siteName": "",
"updatedAt": "7/31/2023, 7:53:03.623 AM",
"userId": 1738949396987828700,
"event_name": "Activities.",
"DataFields": {
"accountName": "Crest Data Systems",
"fullScopeDetails": "Account Crest Data Systems",
"fullScopeDetailsPath": "Global / Crest Data Systems",
"groupName": null,
"ipAddress": "1.2.3.4",
"realUser": null,
"role": "Admin",
"scopeLevel": "Account",
"scopeName": "Crest Data Systems",
"siteName": null,
"sourceType": "UI",
"userScope": "account",
"username": "user1"
},
"description": "",
"comments": "",
"activeDirectory_computerMemberOf": "",
"activeDirectory_lastUserMemberOf": "",
"activeThreats": "",
"agentVersion": "",
"allowRemoteShell": "",
"appsVulnerabilityStatus": "",
"computerName": "",
"consoleMigrationStatus": "",
"coreCount": "",
"cpuCount": "",
"cpuId": "",
"detectionState": "",
"domain": "",
"encryptedApplications": "",
"externalId": "",
"externalIp": "",
"firewallEnabled": "",
"firstFullModeTime": "",
"fullDiskScanLastUpdatedAt": "",
"groupId": "",
"groupIp": "",
"groupName": "",
"inRemoteShellSession": "",
"infected": "",
"installerType": "",
"isActive": "",
"isDecommissioned": "",
"isPendingUninstall": "",
"isUninstalled": "",
"isUpToDate": "",
"lastActiveDate": "",
"lastIpToMgmt": "",
"lastLoggedInUserName": "",
"licenseKey": "",
"locationEnabled": "",
"locationType": "",
"locations": "",
"machineType": "",
"mitigationMode": "",
"mitigationModeSuspicious": "",
"modelName": "",
"networkInterfaces": "",
"networkQuarantineEnabled": "",
"networkStatus": "",
"operationalState": "",
"osArch": "",
"osName": "",
"osRevision": "",
"osStartTime": "",
"osType": "",
"rangerStatus": "",
"rangerVersion": "",
"registeredAt": "",
"remoteProfilingState": "",
"scanFinishedAt": "",
"scanStartedAt": "",
"scanStatus": "",
"serialNumber": "",
"showAlertIcon": "",
"tags_sentinelone": "",
"threatRebootRequired": "",
"totalMemory": "",
"userActionsNeeded": "",
"uuid": "",
"osUsername": "",
"scanAbortedAt": "",
"activeDirectory_computerDistinguishedName": "",
"activeDirectory_lastUserDistinguishedName": "",
"Type": "SentinelOne_CL",
"_ResourceId": ""
},
{
"activityType": 2030,
"TimeGenerated": "7/21/2023, 5:40:04.348 AM",