Fixed the suggested changes to include some users 2FA activity to user and implement inner join instead of lookup.

2023-10-06 19:00:58 +05:30 · 2023-10-06 19:00:58 +05:30 · e80045ab77
--- a/Parsers/ASimAuditEvent/Parsers/ASimAuditEventSentinelOne.yaml
+++ b/Parsers/ASimAuditEvent/Parsers/ASimAuditEventSentinelOne.yaml
@ -1,7 +1,7 @@
 Parser:
  Title: Audit Event ASIM parser for SentinelOne
  Version: '0.1.0'
-  LastUpdated: Sep 20 2023
+  LastUpdated: Oct 05 2023
 Product:
  Name: SentinelOne
 Normalization:
@ -134,11 +134,8 @@ ParserQuery: |
        ObjectType: string
    )
        [
        67, "User 2FA Modified", "", "", "Success", "Two Factor Authentication", "Policy Rule",
        88, "User Remote Shell Modified", "", "", "Success", "Remote Shell", "Configuration Atom",
-        114, "API Token Revoked", "Disable", "", "Success", "API Token", "Service",
+        114, "API Token Revoked", "Disable", "", "Success", "API Token", "Service"
        145, "Enroll 2FA", "Set", "", "Success", "2FA setup", "Service",
        146, "Reset 2FA", "Set", "", "Success", "2FA setup", "Service",
    ];
    let EventFieldsLookup_otheractivity = datatable(
        activityType_d: real,
@ -152,7 +149,6 @@ ParserQuery: |
        [
        2, "Hash Defined as Malicious By Cloud", "Set", "", "Success", "", "Other",
        40, "Cloud Intelligence Settings Modified", "", "", "Success", "Cloud Intelligence Settings", "Policy Rule",
        42, "Global 2FA modified", "", "", "Success", "Global Two Factor Authentication", "Service",
        58, "Notification Option Level Modified", "Set", "", "Success", "Notification Level", "Service",
        59, "Event Severity Level Modified", "Set", "", "Success", "EventSeverity Level", "Other",
        60, "Notification - Recipients Configuration Modified", "Set", "", "Success", "Recipients configuration", "Policy Rule",
@ -164,7 +160,6 @@ ParserQuery: |
        112, "API token Generated", "Create", "", "Success", "API Token", "Service",
        113, "API Token Revoked", "Disable", "", "Success", "API Token", "Service",
        129, "Allowed Domains Settings Changed", "Set", "", "Success", "User Domain Setting", "Other",
        147, "User Configured 2FA", "Set", "", "Success", "2FA setup", "Service",
        1501, "Location Created", "Create", "", "Success", "", "Service",
        1502, "Location Copied", "Set", "Copy", "Success", "", "Service",
        1503, "Location Modified", "Set", "", "Success", "", "Service",
@ -365,19 +360,7 @@ ParserQuery: |
    ];
    let parser = (disabled: bool=false) {
        let RawGroupSiteActivityIds = dynamic([39, 41, 44, 45, 46, 56, 57, 68, 69, 70, 82, 83, 105, 116, 150, 151, 200, 201, 4004, 4005, 4104, 4105, 5012, 5020, 5021, 5022, 5024, 5025, 5026, 5027, 6000, 6001, 6002, 6010, 6011, 6012, 73, 76, 77, 78, 79, 84, 87, 2100, 2101, 2111]);
-        let RawOtherActivityIds = dynamic([2, 40, 42, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 147, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);
+        let RawOtherActivityIds = dynamic([2, 40, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);
        let Threatsdata = SentinelOne_CL
            | where event_name_s == "Threats."
            | project
                TimeGenerated,
                threatInfo_confidenceLevel_s,
                threatInfo_analystVerdict_s,
                threatInfo_threatName_s,
                threatInfo_incidentStatus_s,
                threatInfo_identifiedAt_t,
                threatInfo_updatedAt_t,
                threatInfo_threatId_s,
                mitigationStatus_s;
        let activitydata = SentinelOne_CL
            | where not(disabled) and event_name_s == "Activities."
            | project-away
@ -443,12 +426,12 @@ ParserQuery: |
                Object = coalesce(accountName, cloudProviderAccountName),
                ObjectId = accountId;
        let useractivitydata = activitydata
-            | where activityType_d in (67, 88, 114, 145, 146)
+            | where activityType_d in (88, 114)
-            | parse-kv DataFields_s as (username: string, byUser: string, affectedUser: string, newValue: string, ipAddress: string) with (pair_delimiter=",", kv_delimiter=":", quote='"')
+            | parse-kv DataFields_s as (username: string, byUser: string, newValue: string, ipAddress: string) with (pair_delimiter=",", kv_delimiter=":", quote='"')
            | lookup EventFieldsLookup_useractivity on activityType_d
            | lookup EventTypeLookup_enableddisabled on $left.newValue == $right.field
            | extend
-                ActorUsername = coalesce(byUser, username),
+                ActorUsername = byUser,
                EventType = coalesce(EventType_useractivity, EventType_fieldenableddisabled),
                EventSubType = EventSubType_useractivity,
                NewValue = NewValue_fieldenableddisabled;
@ -513,7 +496,19 @@ ParserQuery: |
            | lookup EventSeverityLookup_activity on activityType_d;
        let UnParsedActivitydatawithThreat = union ParsedActivitydata, parsedotheractivitydata_severity
            | where isnotempty(threatId_s)
-            | lookup Threatsdata on $left.threatId_s == $right.threatInfo_threatId_s
+            | join kind=inner (SentinelOne_CL
                | where event_name_s == "Threats."
                | project
                    TimeGenerated,
                    threatInfo_confidenceLevel_s,
                    threatInfo_analystVerdict_s,
                    threatInfo_threatName_s,
                    threatInfo_incidentStatus_s,
                    threatInfo_identifiedAt_t,
                    threatInfo_updatedAt_t,
                    threatInfo_threatId_s,
                    mitigationStatus_s)
                on $left.threatId_s == $right.threatInfo_threatId_s
            | where TimeGenerated1 >= TimeGenerated
            | summarize arg_min(TimeGenerated1, *) by activityType_d, threatId_s, createdAt_t, TimeGenerated;
        let undefineddata = UnParsedActivitydatawithThreat
@ -602,8 +597,6 @@ ParserQuery: |
            siteName,
            oldValue,
            computerName,
            byUser,
            affectedUser,
            accountName,
            cloudProviderAccountName,
            email,
@ -664,6 +657,7 @@ ParserQuery: |
            ThreatConfidence_*,
            accountId,
            policyId,
-            ruleId
+            ruleId,
            byUser
    };
    parser(disabled=disabled)
--- a/Parsers/ASimAuditEvent/Parsers/vimAuditEventSentinelOne.yaml
+++ b/Parsers/ASimAuditEvent/Parsers/vimAuditEventSentinelOne.yaml
@ -1,7 +1,7 @@
 Parser:
  Title: Audit Event ASIM parser for SentinelOne
  Version: '0.1.0'
-  LastUpdated: Sep 20 2023
+  LastUpdated: Oct 05 2023
 Product:
  Name: SentinelOne
 Normalization:
@ -161,11 +161,8 @@ ParserQuery: |
        ObjectType: string
    )
        [
        67, "User 2FA Modified", "", "", "Success", "Two Factor Authentication", "Policy Rule",
        88, "User Remote Shell Modified", "", "", "Success", "Remote Shell", "Configuration Atom",
-        114, "API Token Revoked", "Disable", "", "Success", "API Token", "Service",
+        114, "API Token Revoked", "Disable", "", "Success", "API Token", "Service"
        145, "Enroll 2FA", "Set", "", "Success", "2FA setup", "Service",
        146, "Reset 2FA", "Set", "", "Success", "2FA setup", "Service",
    ];
    let EventFieldsLookup_otheractivity = datatable(
        activityType_d: real,
@ -179,7 +176,6 @@ ParserQuery: |
        [
        2, "Hash Defined as Malicious By Cloud", "Set", "", "Success", "", "Other",
        40, "Cloud Intelligence Settings Modified", "", "", "Success", "Cloud Intelligence Settings", "Policy Rule",
        42, "Global 2FA modified", "", "", "Success", "Global Two Factor Authentication", "Service",
        58, "Notification Option Level Modified", "Set", "", "Success", "Notification Level", "Service",
        59, "Event Severity Level Modified", "Set", "", "Success", "EventSeverity Level", "Other",
        60, "Notification - Recipients Configuration Modified", "Set", "", "Success", "Recipients configuration", "Policy Rule",
@ -191,7 +187,6 @@ ParserQuery: |
        112, "API token Generated", "Create", "", "Success", "API Token", "Service",
        113, "API Token Revoked", "Disable", "", "Success", "API Token", "Service",
        129, "Allowed Domains Settings Changed", "Set", "", "Success", "User Domain Setting", "Other",
        147, "User Configured 2FA", "Set", "", "Success", "2FA setup", "Service",
        1501, "Location Created", "Create", "", "Success", "", "Service",
        1502, "Location Copied", "Set", "Copy", "Success", "", "Service",
        1503, "Location Modified", "Set", "", "Success", "", "Service",
@ -391,21 +386,8 @@ ParserQuery: |
        "true_positive", 100 
    ];
    let parser=(disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventresult: string='*', operation_has_any: dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([])) {
-        let AllActivityIdsForAudit = dynamic([39, 41, 44, 45, 46, 56, 57, 68, 69, 70, 82, 83, 105, 116, 150, 151, 200, 201, 4004, 4005, 4104, 4105, 5012, 5020, 5021, 5022, 5024, 5025, 5026, 5027, 6000, 6001, 6002, 6010, 6011, 6012, 73, 76, 77, 78, 79, 84, 87, 2100, 2101, 2111, 52, 53, 54, 55, 61, 62, 63, 93, 95, 117, 118, 4100, 4101, 130, 131, 5040, 5041, 5042, 5044, 7200, 7201, 7202, 7203, 67, 88, 114, 145, 146, 2, 40, 42, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 147, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);
+        let AllActivityIdsForAudit = dynamic([39, 41, 44, 45, 46, 56, 57, 68, 69, 70, 82, 83, 105, 116, 150, 151, 200, 201, 4004, 4005, 4104, 4105, 5012, 5020, 5021, 5022, 5024, 5025, 5026, 5027, 6000, 6001, 6002, 6010, 6011, 6012, 73, 76, 77, 78, 79, 84, 87, 2100, 2101, 2111, 52, 53, 54, 55, 61, 62, 63, 93, 95, 117, 118, 4100, 4101, 130, 131, 5040, 5041, 5042, 5044, 7200, 7201, 7202, 7203, 2, 40, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);
-        let RawOtherActivityIds = dynamic([2, 40, 42, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 147, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);
+        let RawOtherActivityIds = dynamic([2, 40, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);
        let Threatsdata = SentinelOne_CL
            | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)
            | where event_name_s == "Threats."
            | project
                TimeGenerated,
                threatInfo_confidenceLevel_s,
                threatInfo_analystVerdict_s,
                threatInfo_threatName_s,
                threatInfo_incidentStatus_s,
                threatInfo_identifiedAt_t,
                threatInfo_updatedAt_t,
                threatInfo_threatId_s,
                mitigationStatus_s;
        let activitydata = SentinelOne_CL
            | where not(disabled) and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) 
                and event_name_s == "Activities." 
@ -476,12 +458,12 @@ ParserQuery: |
                Object = coalesce(accountName, cloudProviderAccountName),
                ObjectId = accountId;
        let useractivitydata = activitydata
-            | where activityType_d in (67, 88, 114, 145, 146)
+            | where activityType_d in (88, 114)
-            | parse-kv DataFields_s as (username: string, byUser: string, affectedUser: string, newValue: string, ipAddress: string) with (pair_delimiter=",", kv_delimiter=":", quote='"')
+            | parse-kv DataFields_s as (username: string, byUser: string, newValue: string, ipAddress: string) with (pair_delimiter=",", kv_delimiter=":", quote='"')
            | lookup EventFieldsLookup_useractivity on activityType_d
            | lookup EventTypeLookup_enableddisabled on $left.newValue == $right.field
            | extend
-                ActorUsername = coalesce(byUser, username),
+                ActorUsername = byUser,
                EventType = coalesce(EventType_useractivity, EventType_fieldenableddisabled),
                EventSubType = EventSubType_useractivity,
                NewValue = NewValue_fieldenableddisabled;
@ -558,7 +540,19 @@ ParserQuery: |
                and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ipAddress, srcipaddr_has_any_prefix));
        let UnParsedActivitydatawithThreat = union ParsedActivitydata, parsedotheractivitydata_severity
            | where isnotempty(threatId_s)
-            | lookup Threatsdata on $left.threatId_s == $right.threatInfo_threatId_s
+            | join kind=inner (SentinelOne_CL
                | where event_name_s == "Threats."
                | project
                    TimeGenerated,
                    threatInfo_confidenceLevel_s,
                    threatInfo_analystVerdict_s,
                    threatInfo_threatName_s,
                    threatInfo_incidentStatus_s,
                    threatInfo_identifiedAt_t,
                    threatInfo_updatedAt_t,
                    threatInfo_threatId_s,
                    mitigationStatus_s)
                on $left.threatId_s == $right.threatInfo_threatId_s
            | where TimeGenerated1 >= TimeGenerated
            | summarize arg_min(TimeGenerated1, *) by activityType_d, threatId_s, createdAt_t, TimeGenerated;
        let undefineddata = UnParsedActivitydatawithThreat
@ -646,8 +640,6 @@ ParserQuery: |
            siteName,
            oldValue,
            computerName,
            byUser,
            affectedUser,
            accountName,
            cloudProviderAccountName,
            email,
@ -708,6 +700,7 @@ ParserQuery: |
            ThreatConfidence_*,
            accountId,
            policyId,
-            ruleId
+            ruleId,
            byUser
    };
    parser(disabled=disabled, starttime=starttime, endtime=endtime, eventresult=eventresult, operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any)
--- a/Parsers/ASimAuditEvent/Tests/SentinelOne_ASimAuditEvent_DataTest.csv
+++ b/Parsers/ASimAuditEvent/Tests/SentinelOne_ASimAuditEvent_DataTest.csv
@ -1,33 +1,33 @@
 Result
 "(0) Error: 1 invalid value(s) (up to 10 listed) in 1 records (0.06%) for field [DvcHostname] of type [Hostname]: [""u2019s MacBook Pro""] (Schema:AuditEvent)"
-"(0) Error: 1 invalid value(s) (up to 10 listed) in 1587 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:AuditEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 1559 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:AuditEvent)"
-"(0) Error: 1 invalid value(s) (up to 10 listed) in 1587 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:AuditEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 1559 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1404 records (88.47%)  in recommended field [ObjectId] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1376 records (88.26%)  in recommended field [ObjectId] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1468 records (92.5%)  in optional field [RuleName] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1440 records (92.37%)  in optional field [RuleName] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1468 records (92.5%)  in optional field [Rule] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1440 records (92.37%)  in optional field [Rule] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1480 records (93.26%)  in recommended field [SrcIpAddr] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1480 records (94.93%)  in recommended field [SrcIpAddr] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1480 records (93.26%)  in recommended field [Src] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1480 records (94.93%)  in recommended field [Src] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1550 records (97.67%)  in recommended field [DvcHostname] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1522 records (97.63%)  in recommended field [DvcHostname] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1579 records (99.5%)  in optional field [EventSubType] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1551 records (99.49%)  in optional field [EventSubType] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1582 records (99.68%)  in optional field [DvcFQDN] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1554 records (99.68%)  in optional field [DvcFQDN] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1582 records (99.68%)  in recommended field [DvcDomain] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1554 records (99.68%)  in recommended field [DvcDomain] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1587 records (100.0%)  in optional field [TargetDomain] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1559 records (100.0%)  in optional field [TargetDomain] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1587 records (100.0%)  in optional field [TargetDvcId] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1559 records (100.0%)  in optional field [TargetDvcId] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1587 records (100.0%)  in optional field [TargetFQDN] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1559 records (100.0%)  in optional field [TargetFQDN] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1587 records (100.0%)  in optional field [TargetUrl] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1559 records (100.0%)  in optional field [TargetUrl] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1587 records (100.0%)  in recommended field [Dst] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1559 records (100.0%)  in recommended field [Dst] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1587 records (100.0%)  in recommended field [TargetHostname] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1559 records (100.0%)  in recommended field [TargetHostname] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1587 records (100.0%)  in recommended field [TargetIpAddr] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1559 records (100.0%)  in recommended field [TargetIpAddr] (Schema:AuditEvent)"
-"(2) Info: Empty value in 226 records (14.24%)  in optional field [DvcId] (Schema:AuditEvent)"
+"(2) Info: Empty value in 198 records (12.7%)  in optional field [DvcId] (Schema:AuditEvent)"
-"(2) Info: Empty value in 257 records (16.19%)  in optional field [ValueType] (Schema:AuditEvent)"
+"(2) Info: Empty value in 235 records (15.07%)  in optional field [ThreatCategory] (Schema:AuditEvent)"
-"(2) Info: Empty value in 257 records (16.19%)  in recommended field [NewValue] (Schema:AuditEvent)"
+"(2) Info: Empty value in 235 records (15.07%)  in optional field [ThreatConfidence] (Schema:AuditEvent)"
-"(2) Info: Empty value in 263 records (16.57%)  in optional field [ThreatCategory] (Schema:AuditEvent)"
+"(2) Info: Empty value in 235 records (15.07%)  in optional field [ThreatFirstReportedTime] (Schema:AuditEvent)"
-"(2) Info: Empty value in 263 records (16.57%)  in optional field [ThreatConfidence] (Schema:AuditEvent)"
+"(2) Info: Empty value in 235 records (15.07%)  in optional field [ThreatId] (Schema:AuditEvent)"
-"(2) Info: Empty value in 263 records (16.57%)  in optional field [ThreatFirstReportedTime] (Schema:AuditEvent)"
+"(2) Info: Empty value in 235 records (15.07%)  in optional field [ThreatOriginalConfidence] (Schema:AuditEvent)"
-"(2) Info: Empty value in 263 records (16.57%)  in optional field [ThreatId] (Schema:AuditEvent)"
+"(2) Info: Empty value in 243 records (15.59%)  in optional field [ThreatName] (Schema:AuditEvent)"
-"(2) Info: Empty value in 263 records (16.57%)  in optional field [ThreatOriginalConfidence] (Schema:AuditEvent)"
+"(2) Info: Empty value in 243 records (15.59%)  in optional field [ValueType] (Schema:AuditEvent)"
-"(2) Info: Empty value in 271 records (17.08%)  in optional field [ThreatName] (Schema:AuditEvent)"
+"(2) Info: Empty value in 243 records (15.59%)  in recommended field [NewValue] (Schema:AuditEvent)"
-"(2) Info: Empty value in 543 records (34.22%)  in optional field [ActorUserId] (Schema:AuditEvent)"
+"(2) Info: Empty value in 543 records (34.83%)  in optional field [ActorUserId] (Schema:AuditEvent)"
-"(2) Info: Empty value in 545 records (34.34%)  in optional field [ActorUserType] (Schema:AuditEvent)"
+"(2) Info: Empty value in 545 records (34.96%)  in optional field [ActorUserType] (Schema:AuditEvent)"
-"(2) Info: Empty value in 545 records (34.34%)  in recommended field [ActorUsername] (Schema:AuditEvent)"
+"(2) Info: Empty value in 545 records (34.96%)  in recommended field [ActorUsername] (Schema:AuditEvent)"
-"(2) Info: Empty value in 875 records (55.14%)  in optional field [OldValue] (Schema:AuditEvent)"
+"(2) Info: Empty value in 847 records (54.33%)  in optional field [OldValue] (Schema:AuditEvent)"
--- a/Parsers/ASimAuditEvent/Tests/SentinelOne_vimAuditEvent_DataTest.csv
+++ b/Parsers/ASimAuditEvent/Tests/SentinelOne_vimAuditEvent_DataTest.csv
@ -1,33 +1,33 @@
 Result
 "(0) Error: 1 invalid value(s) (up to 10 listed) in 1 records (0.06%) for field [DvcHostname] of type [Hostname]: [""u2019s MacBook Pro""] (Schema:AuditEvent)"
-"(0) Error: 1 invalid value(s) (up to 10 listed) in 1587 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:AuditEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 1559 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:AuditEvent)"
-"(0) Error: 1 invalid value(s) (up to 10 listed) in 1587 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:AuditEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 1559 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1404 records (88.47%)  in recommended field [ObjectId] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1376 records (88.26%)  in recommended field [ObjectId] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1468 records (92.5%)  in optional field [RuleName] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1440 records (92.37%)  in optional field [RuleName] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1468 records (92.5%)  in optional field [Rule] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1440 records (92.37%)  in optional field [Rule] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1480 records (93.26%)  in recommended field [SrcIpAddr] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1480 records (94.93%)  in recommended field [SrcIpAddr] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1480 records (93.26%)  in recommended field [Src] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1480 records (94.93%)  in recommended field [Src] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1550 records (97.67%)  in recommended field [DvcHostname] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1522 records (97.63%)  in recommended field [DvcHostname] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1579 records (99.5%)  in optional field [EventSubType] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1551 records (99.49%)  in optional field [EventSubType] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1582 records (99.68%)  in optional field [DvcFQDN] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1554 records (99.68%)  in optional field [DvcFQDN] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1582 records (99.68%)  in recommended field [DvcDomain] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1554 records (99.68%)  in recommended field [DvcDomain] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1587 records (100.0%)  in optional field [TargetDomain] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1559 records (100.0%)  in optional field [TargetDomain] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1587 records (100.0%)  in optional field [TargetDvcId] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1559 records (100.0%)  in optional field [TargetDvcId] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1587 records (100.0%)  in optional field [TargetFQDN] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1559 records (100.0%)  in optional field [TargetFQDN] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1587 records (100.0%)  in optional field [TargetUrl] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1559 records (100.0%)  in optional field [TargetUrl] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1587 records (100.0%)  in recommended field [Dst] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1559 records (100.0%)  in recommended field [Dst] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1587 records (100.0%)  in recommended field [TargetHostname] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1559 records (100.0%)  in recommended field [TargetHostname] (Schema:AuditEvent)"
-"(2) Info: Empty value in 1587 records (100.0%)  in recommended field [TargetIpAddr] (Schema:AuditEvent)"
+"(2) Info: Empty value in 1559 records (100.0%)  in recommended field [TargetIpAddr] (Schema:AuditEvent)"
-"(2) Info: Empty value in 226 records (14.24%)  in optional field [DvcId] (Schema:AuditEvent)"
+"(2) Info: Empty value in 198 records (12.7%)  in optional field [DvcId] (Schema:AuditEvent)"
-"(2) Info: Empty value in 257 records (16.19%)  in optional field [ValueType] (Schema:AuditEvent)"
+"(2) Info: Empty value in 235 records (15.07%)  in optional field [ThreatCategory] (Schema:AuditEvent)"
-"(2) Info: Empty value in 257 records (16.19%)  in recommended field [NewValue] (Schema:AuditEvent)"
+"(2) Info: Empty value in 235 records (15.07%)  in optional field [ThreatConfidence] (Schema:AuditEvent)"
-"(2) Info: Empty value in 263 records (16.57%)  in optional field [ThreatCategory] (Schema:AuditEvent)"
+"(2) Info: Empty value in 235 records (15.07%)  in optional field [ThreatFirstReportedTime] (Schema:AuditEvent)"
-"(2) Info: Empty value in 263 records (16.57%)  in optional field [ThreatConfidence] (Schema:AuditEvent)"
+"(2) Info: Empty value in 235 records (15.07%)  in optional field [ThreatId] (Schema:AuditEvent)"
-"(2) Info: Empty value in 263 records (16.57%)  in optional field [ThreatFirstReportedTime] (Schema:AuditEvent)"
+"(2) Info: Empty value in 235 records (15.07%)  in optional field [ThreatOriginalConfidence] (Schema:AuditEvent)"
-"(2) Info: Empty value in 263 records (16.57%)  in optional field [ThreatId] (Schema:AuditEvent)"
+"(2) Info: Empty value in 243 records (15.59%)  in optional field [ThreatName] (Schema:AuditEvent)"
-"(2) Info: Empty value in 263 records (16.57%)  in optional field [ThreatOriginalConfidence] (Schema:AuditEvent)"
+"(2) Info: Empty value in 243 records (15.59%)  in optional field [ValueType] (Schema:AuditEvent)"
-"(2) Info: Empty value in 271 records (17.08%)  in optional field [ThreatName] (Schema:AuditEvent)"
+"(2) Info: Empty value in 243 records (15.59%)  in recommended field [NewValue] (Schema:AuditEvent)"
-"(2) Info: Empty value in 543 records (34.22%)  in optional field [ActorUserId] (Schema:AuditEvent)"
+"(2) Info: Empty value in 543 records (34.83%)  in optional field [ActorUserId] (Schema:AuditEvent)"
-"(2) Info: Empty value in 545 records (34.34%)  in optional field [ActorUserType] (Schema:AuditEvent)"
+"(2) Info: Empty value in 545 records (34.96%)  in optional field [ActorUserType] (Schema:AuditEvent)"
-"(2) Info: Empty value in 545 records (34.34%)  in recommended field [ActorUsername] (Schema:AuditEvent)"
+"(2) Info: Empty value in 545 records (34.96%)  in recommended field [ActorUsername] (Schema:AuditEvent)"
-"(2) Info: Empty value in 875 records (55.14%)  in optional field [OldValue] (Schema:AuditEvent)"
+"(2) Info: Empty value in 847 records (54.33%)  in optional field [OldValue] (Schema:AuditEvent)"
--- a/Data/ASIM/SentinelOne_ASimAuditEvent_IngestedLogs.csv
+++ b/Data/ASIM/SentinelOne_ASimAuditEvent_IngestedLogs.csv
@ -11,8 +11,6 @@ activityType_d,TimeGenerated [UTC],TenantId,SourceSystem,MG,ManagementGroupName,
 61,"7/26/2023, 6:30:29.652 AM",1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71302311277097E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,9ffe4422-e8ca-4b8f-b410-8f70c86403d3,"7/26/2023, 6:11:34.909 AM",1.7374744509566E+018,The management user user1 issued a disconnect from network command to the machine DESKTOP-F1DPMEB.,,1.71250024242206E+018,Default site,"7/26/2023, 6:11:34.909 AM",1.71298647544447E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""computerName"": ""DESKTOP-F1DPMEB"", ""fullScopeDetails"": ""Group Crest Data Systems in Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site / Crest Data Systems"", ""groupName"": ""Crest Data Systems"", ""groupType"": ""Manual"", ""ipAddress"": null, ""scopeLevel"": ""Group"", ""scopeName"": ""Crest Data Systems"", ""siteName"": ""Default site"", ""username"": ""user1"", ""uuid"": ""20ee9f81027b432fb6c5d549705f3419""}",,,,,,,,,,,,,,,,,,,,,,1.71302996238084E+018,,Crest Data Systems,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL,
 45,"7/26/2023, 6:00:10.808 AM",1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,458563c2-77af-43ec-94da-163413d19fdb,"7/26/2023, 5:49:19.381 AM",1.73746324776763E+018,The management user user1 turned off Auto decommission for  all Sites.,IP address: 1.2.3.4,,,"7/26/2023, 5:49:19.381 AM",1.71298647544447E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.2.3.4"", ""newValue"": false, ""policy"": {""id"": ""1713026143600690038""}, ""policyName"": ""1713026143600690038"", ""realUser"": null, ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""username"": ""user1""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL,
 3603,"7/27/2023, 5:50:03.003 AM",1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,2b188146-c69c-481c-bd1f-5498f8764508,"7/27/2023, 5:34:24.759 AM",1.73818051884118E+018,The management user user1 changed the status of the Network_GET rule from disabled to activating.,,,,"7/27/2023, 5:34:24.756 AM",1.72246596566398E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""commandCorrelationid"": ""526ca428-2928-4e9d-ac65-3e3b3f85d079"", ""commandTimestamp"": 1690436064701, ""expiryDateStr"": null, ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": null, ""networkquarantine"": false, ""oldStatus"": ""disabled"", ""ruleCreationTime"": 1690380217470, ""ruleDescription"": """", ""ruleExpirationMode"": ""permanent"", ""ruleId"": ""1737712037810380185"", ""ruleName"": ""Network_GET"", ""ruleQueryDetails"": ""Url = \""https://th.bing.com/th?id=OCGE.9p3c5sx31v9k_v2_main&w=90&h=90&c=1&rs=1&p=0\"" AND EventTime >= \""Jul 15, 2023 19:42:16\"""", ""ruleQueryType"": ""events"", ""ruleSeverity"": ""low"", ""scopeId"": 1712500237934148927, ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""status"": ""activating"", ""systemUser"": 0, ""treatasthreat"": ""malicious"", ""userId"": 1722465965663983441, ""username"": ""user1""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL,
 67,"7/31/2023, 8:10:05.826 AM",1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,5fa60864-c413-4cc7-9355-249439407966,"7/31/2023, 7:53:03.633 AM",1.74114940552361E+018,The management user user1 enabled Two factor authentication on the user user1.,IP address: 1.2.3.4,,,"7/31/2023, 7:53:03.610 AM",1.73894939698783E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""user1"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.2.3.4"", ""newValue"": true, ""realUser"": null, ""role"": ""Admin"", ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""userScope"": ""account"", ""username"": ""user1""}",user1,True,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL,
 147,"7/31/2023, 8:10:05.826 AM",1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,799c8282-d4ca-4e71-8cd9-5849edcd2243,"7/31/2023, 7:53:03.645 AM",1.74114940561588E+018,The Management User user1 successfully configured 2FA.,IP address: 1.2.3.4,,,"7/31/2023, 7:53:03.623 AM",1.73894939698783E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.2.3.4"", ""realUser"": null, ""role"": ""Admin"", ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""userScope"": ""account"", ""username"": ""user1""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL,
 2030,"7/21/2023, 5:40:04.348 AM",1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.73097946686588E+018,,,1.73333300485309E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,ee0efeca-e129-487c-859f-e6defcb8184f,"7/21/2023, 5:20:45.666 AM",1.73382499337902E+018,The management user user1 changed the analyst verdict for Adwind.exe from Undefined to False positive.,,1.71250024242206E+018,Default site,"7/21/2023, 5:20:45.666 AM",1.71658347026226E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""computerName"": ""CLW547-"", ""escapedMaliciousProcessArguments"": null, ""fileDisplayName"": ""Adwind.exe"", ""filePath"": ""\\Device\\HarddiskVolume3\\Users\\Crest\\AppData\\Local\\Temp\\Temp7_The-MALWARE-Repo-master.zip\\The-MALWARE-Repo-master\\RAT\\Adwind.exe"", ""fullScopeDetails"": ""Group Crest Data Systems in Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site / Crest Data Systems"", ""groupName"": ""Crest Data Systems"", ""ipAddress"": null, ""newAnalystVerdict"": ""false_positive"", ""newAnalystVerdictTitle"": ""False positive"", ""oldAnalystVerdict"": ""undefined"", ""oldAnalystVerdictTitle"": ""Undefined"", ""realUser"": null, ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""threatClassification"": ""Malware"", ""threatClassificationSource"": ""Engine"", ""username"": ""user1""}",,,,,,,,,,,,,,,,,,,,,,1.71302996238084E+018,,Crest Data Systems,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL,
 2028,"7/21/2023, 5:40:04.348 AM",1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.73097946686588E+018,,,1.73333300485309E+018,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,15a90976-f730-438f-8907-defebe512275,"7/21/2023, 5:20:50.383 AM",1.73382503300681E+018,The management user user1 changed the incident status for Adwind.exe from Unresolved to Resolved,,1.71250024242206E+018,Default site,"7/21/2023, 5:20:50.383 AM",1.71658347026226E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""computerName"": ""CLW547-"", ""escapedMaliciousProcessArguments"": null, ""fileDisplayName"": ""Adwind.exe"", ""filePath"": ""\\Device\\HarddiskVolume3\\Users\\Crest\\AppData\\Local\\Temp\\Temp7_The-MALWARE-Repo-master.zip\\The-MALWARE-Repo-master\\RAT\\Adwind.exe"", ""fullScopeDetails"": ""Group Crest Data Systems in Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site / Crest Data Systems"", ""groupName"": ""Crest Data Systems"", ""ipAddress"": null, ""newIncidentStatus"": ""resolved"", ""newIncidentStatusTitle"": ""Resolved"", ""oldIncidentStatus"": ""unresolved"", ""oldIncidentStatusTitle"": ""Unresolved"", ""realUser"": null, ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""threatClassification"": ""Malware"", ""threatClassificationSource"": ""Engine"", ""username"": ""user1""}",,,,,,,,,,,,,,,,,,,,,,1.71302996238084E+018,,Crest Data Systems,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL,
 3602,"7/21/2023, 10:20:03.249 AM",1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,bb34695c-ffde-41ac-93b5-54f508b74d26,"7/21/2023, 10:06:43.230 AM",1.73396892146054E+018,The management user user1 deleted the user1Test rule on the Account Crest Data Systems.,,,,"7/21/2023, 10:06:43.226 AM",1.71298647544447E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""commandCorrelationid"": ""728c7fd3-8acb-4023-8987-eab7687ab5ed"", ""commandTimestamp"": 1689934002810, ""expiryDateStr"": ""January 18 2024"", ""expiryTime"": 1705536000000, ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": null, ""networkquarantine"": false, ""ruleCreationTime"": 1689771043428, ""ruleDescription"": """", ""ruleExpirationMode"": ""temporary"", ""ruleId"": ""1732601915572150716"", ""ruleName"": ""user1Test"", ""ruleQueryDetails"": ""TgtFileSha1 = \""f30232697b3f54e58af08421da697262c99ec48b\"" AND EndpointName = \""CLW547-\"" AND EventType in ( \""Registry Key Create\"" )"", ""ruleQueryType"": ""events"", ""ruleSeverity"": ""medium"", ""scopeId"": 1712500237934148927, ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""status"": ""deleting"", ""systemUser"": 0, ""treatasthreat"": ""suspicious"", ""userId"": 1712986475444464777, ""username"": ""user1""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL,
--- a/Data/ASIM/SentinelOne_ASimAuditEvent_RawLogs.json
+++ b/Data/ASIM/SentinelOne_ASimAuditEvent_RawLogs.json
@ -3844,640 +3844,6 @@
    "Type": "SentinelOne_CL",
    "_ResourceId": ""
  },
  {
    "activityType": 67,
    "TimeGenerated": "7/31/2023, 8:10:05.826 AM",
    "TenantId": "1a0e2567-2e58-4989-ad18-206108185325",
    "SourceSystem": "RestAPI",
    "MG": "",
    "ManagementGroupName": "",
    "Computer": "",
    "RawData": "",
    "alertInfo_indicatorDescription": "",
    "alertInfo_indicatorName": "",
    "targetProcessInfo_tgtFileOldPath": "",
    "alertInfo_indicatorCategory": "",
    "alertInfo_registryOldValue": "",
    "alertInfo_dstIp": "",
    "alertInfo_dstPort": "",
    "alertInfo_netEventDirection": "",
    "alertInfo_srcIp": "",
    "alertInfo_srcPort": "",
    "containerInfo_id": "",
    "targetProcessInfo_tgtFileId": "",
    "alertInfo_registryOldValueType": "",
    "alertInfo_dnsRequest": "",
    "alertInfo_dnsResponse": "",
    "alertInfo_registryKeyPath": "",
    "alertInfo_registryPath": "",
    "alertInfo_registryValue": "",
    "ruleInfo_description": "",
    "alertInfo_loginAccountDomain": "",
    "alertInfo_loginAccountSid": "",
    "alertInfo_loginIsAdministratorEquivalent": "",
    "alertInfo_loginIsSuccessful": "",
    "alertInfo_loginType": "",
    "alertInfo_loginsUserName": "",
    "alertInfo_srcMachineIp": "",
    "targetProcessInfo_tgtProcCmdLine": "",
    "targetProcessInfo_tgtProcImagePath": "",
    "targetProcessInfo_tgtProcName": "",
    "targetProcessInfo_tgtProcPid": "",
    "targetProcessInfo_tgtProcSignedStatus": "",
    "targetProcessInfo_tgtProcStorylineId": "",
    "targetProcessInfo_tgtProcUid": "",
    "sourceParentProcessInfo_storyline": "",
    "sourceParentProcessInfo_uniqueId": "",
    "sourceProcessInfo_storyline": "",
    "sourceProcessInfo_uniqueId": "",
    "agentDetectionInfo_machineType": "",
    "agentDetectionInfo_name": "",
    "agentDetectionInfo_osFamily": "",
    "agentDetectionInfo_osName": "",
    "agentDetectionInfo_osRevision": "",
    "agentDetectionInfo_uuid": "",
    "agentDetectionInfo_version": "",
    "agentRealtimeInfo_id": "",
    "agentRealtimeInfo_infected": "",
    "agentRealtimeInfo_isActive": "",
    "agentRealtimeInfo_isDecommissioned": "",
    "agentRealtimeInfo_machineType": "",
    "agentRealtimeInfo_name": "",
    "agentRealtimeInfo_os": "",
    "agentRealtimeInfo_uuid": "",
    "alertInfo_alertId": "",
    "alertInfo_analystVerdict": "",
    "alertInfo_createdAt": "",
    "alertInfo_dvEventId": "",
    "alertInfo_eventType": "",
    "alertInfo_hitType": "",
    "alertInfo_incidentStatus": "",
    "alertInfo_isEdr": "",
    "alertInfo_reportedAt": "",
    "alertInfo_source": "",
    "alertInfo_updatedAt": "",
    "ruleInfo_id": "",
    "ruleInfo_name": "",
    "ruleInfo_queryLang": "",
    "ruleInfo_queryType": "",
    "ruleInfo_s1ql": "",
    "ruleInfo_scopeLevel": "",
    "ruleInfo_severity": "",
    "ruleInfo_treatAsThreat": "",
    "sourceParentProcessInfo_commandline": "",
    "sourceParentProcessInfo_fileHashMd5": "",
    "sourceParentProcessInfo_fileHashSha1": "",
    "sourceParentProcessInfo_fileHashSha256": "",
    "sourceParentProcessInfo_filePath": "",
    "sourceParentProcessInfo_fileSignerIdentity": "",
    "sourceParentProcessInfo_integrityLevel": "",
    "sourceParentProcessInfo_name": "",
    "sourceParentProcessInfo_pid": "",
    "sourceParentProcessInfo_pidStarttime": "",
    "sourceParentProcessInfo_subsystem": "",
    "sourceParentProcessInfo_user": "",
    "sourceProcessInfo_commandline": "",
    "sourceProcessInfo_fileHashMd5": "",
    "sourceProcessInfo_fileHashSha1": "",
    "sourceProcessInfo_fileHashSha256": "",
    "sourceProcessInfo_filePath": "",
    "sourceProcessInfo_fileSignerIdentity": "",
    "sourceProcessInfo_integrityLevel": "",
    "sourceProcessInfo_name": "",
    "sourceProcessInfo_pid": "",
    "sourceProcessInfo_pidStarttime": "",
    "sourceProcessInfo_subsystem": "",
    "sourceProcessInfo_user": "",
    "targetProcessInfo_tgtFileCreatedAt": "",
    "targetProcessInfo_tgtFileHashSha1": "",
    "targetProcessInfo_tgtFileHashSha256": "",
    "targetProcessInfo_tgtFileIsSigned": "",
    "targetProcessInfo_tgtFileModifiedAt": "",
    "targetProcessInfo_tgtFilePath": "",
    "targetProcessInfo_tgtProcIntegrityLevel": "",
    "targetProcessInfo_tgtProcessStartTime": "",
    "agentUpdatedVersion": "",
    "agentId": "",
    "hash": "",
    "osFamily": "",
    "threatId": "",
    "creator": "",
    "creatorId": "",
    "inherits": "",
    "isDefault": "",
    "name": "",
    "registrationToken": "",
    "totalAgents": "",
    "type": "",
    "agentDetectionInfo_accountId": "",
    "agentDetectionInfo_accountName": "",
    "agentDetectionInfo_agentDetectionState": "",
    "agentDetectionInfo_agentDomain": "",
    "agentDetectionInfo_agentIpV4": "",
    "agentDetectionInfo_agentIpV6": "",
    "agentDetectionInfo_agentLastLoggedInUserName": "",
    "agentDetectionInfo_agentMitigationMode": "",
    "agentDetectionInfo_agentOsName": "",
    "agentDetectionInfo_agentOsRevision": "",
    "agentDetectionInfo_agentRegisteredAt": "",
    "agentDetectionInfo_agentUuid": "",
    "agentDetectionInfo_agentVersion": "",
    "agentDetectionInfo_externalIp": "",
    "agentDetectionInfo_groupId": "",
    "agentDetectionInfo_groupName": "",
    "agentDetectionInfo_siteId": "",
    "agentDetectionInfo_siteName": "",
    "agentRealtimeInfo_accountId": "",
    "agentRealtimeInfo_accountName": "",
    "agentRealtimeInfo_activeThreats": "",
    "agentRealtimeInfo_agentComputerName": "",
    "agentRealtimeInfo_agentDomain": "",
    "agentRealtimeInfo_agentId": "",
    "agentRealtimeInfo_agentInfected": "",
    "agentRealtimeInfo_agentIsActive": "",
    "agentRealtimeInfo_agentIsDecommissioned": "",
    "agentRealtimeInfo_agentMachineType": "",
    "agentRealtimeInfo_agentMitigationMode": "",
    "agentRealtimeInfo_agentNetworkStatus": "",
    "agentRealtimeInfo_agentOsName": "",
    "agentRealtimeInfo_agentOsRevision": "",
    "agentRealtimeInfo_agentOsType": "",
    "agentRealtimeInfo_agentUuid": "",
    "agentRealtimeInfo_agentVersion": "",
    "agentRealtimeInfo_groupId": "",
    "agentRealtimeInfo_groupName": "",
    "agentRealtimeInfo_networkInterfaces": "",
    "agentRealtimeInfo_operationalState": "",
    "agentRealtimeInfo_rebootRequired": "",
    "agentRealtimeInfo_scanFinishedAt": "",
    "agentRealtimeInfo_scanStartedAt": "",
    "agentRealtimeInfo_scanStatus": "",
    "agentRealtimeInfo_siteId": "",
    "agentRealtimeInfo_siteName": "",
    "agentRealtimeInfo_userActionsNeeded": "",
    "indicators": "",
    "mitigationStatus": "",
    "threatInfo_analystVerdict": "",
    "threatInfo_analystVerdictDescription": "",
    "threatInfo_automaticallyResolved": "",
    "threatInfo_certificateId": "",
    "threatInfo_classification": "",
    "threatInfo_classificationSource": "",
    "threatInfo_cloudFilesHashVerdict": "",
    "threatInfo_collectionId": "",
    "threatInfo_confidenceLevel": "",
    "threatInfo_createdAt": "",
    "threatInfo_detectionEngines": "",
    "threatInfo_detectionType": "",
    "threatInfo_engines": "",
    "threatInfo_externalTicketExists": "",
    "threatInfo_failedActions": "",
    "threatInfo_fileExtension": "",
    "threatInfo_fileExtensionType": "",
    "threatInfo_filePath": "",
    "threatInfo_fileSize": "",
    "threatInfo_fileVerificationType": "",
    "threatInfo_identifiedAt": "",
    "threatInfo_incidentStatus": "",
    "threatInfo_incidentStatusDescription": "",
    "threatInfo_initiatedBy": "",
    "threatInfo_initiatedByDescription": "",
    "threatInfo_isFileless": "",
    "threatInfo_isValidCertificate": "",
    "threatInfo_mitigatedPreemptively": "",
    "threatInfo_mitigationStatus": "",
    "threatInfo_mitigationStatusDescription": "",
    "threatInfo_originatorProcess": "",
    "threatInfo_pendingActions": "",
    "threatInfo_processUser": "",
    "threatInfo_publisherName": "",
    "threatInfo_reachedEventsLimit": "",
    "threatInfo_rebootRequired": "",
    "threatInfo_sha1": "",
    "threatInfo_storyline": "",
    "threatInfo_threatId": "",
    "threatInfo_threatName": "",
    "threatInfo_updatedAt": "",
    "whiteningOptions": "",
    "threatInfo_maliciousProcessArguments": "",
    "accountId": 1712500237934148900,
    "accountName": "Crest Data Systems",
    "activityUuid": "5fa60864-c413-4cc7-9355-249439407966",
    "createdAt": "7/31/2023, 7:53:03.633 AM",
    "id": 1741149405523608000,
    "primaryDescription": "The management user user1 enabled Two factor authentication on the user user1.",
    "secondaryDescription": "IP address: 1.2.3.4",
    "siteId": "",
    "siteName": "",
    "updatedAt": "7/31/2023, 7:53:03.610 AM",
    "userId": 1738949396987828700,
    "event_name": "Activities.",
    "DataFields": {
      "accountName": "Crest Data Systems",
      "byUser": "user1",
      "fullScopeDetails": "Account Crest Data Systems",
      "fullScopeDetailsPath": "Global / Crest Data Systems",
      "groupName": null,
      "ipAddress": "1.2.3.4",
      "newValue": true,
      "realUser": null,
      "role": "Admin",
      "scopeLevel": "Account",
      "scopeName": "Crest Data Systems",
      "siteName": null,
      "sourceType": "UI",
      "userScope": "account",
      "username": "user1"
    },
    "description": "user1",
    "comments": "True",
    "activeDirectory_computerMemberOf": "",
    "activeDirectory_lastUserMemberOf": "",
    "activeThreats": "",
    "agentVersion": "",
    "allowRemoteShell": "",
    "appsVulnerabilityStatus": "",
    "computerName": "",
    "consoleMigrationStatus": "",
    "coreCount": "",
    "cpuCount": "",
    "cpuId": "",
    "detectionState": "",
    "domain": "",
    "encryptedApplications": "",
    "externalId": "",
    "externalIp": "",
    "firewallEnabled": "",
    "firstFullModeTime": "",
    "fullDiskScanLastUpdatedAt": "",
    "groupId": "",
    "groupIp": "",
    "groupName": "",
    "inRemoteShellSession": "",
    "infected": "",
    "installerType": "",
    "isActive": "",
    "isDecommissioned": "",
    "isPendingUninstall": "",
    "isUninstalled": "",
    "isUpToDate": "",
    "lastActiveDate": "",
    "lastIpToMgmt": "",
    "lastLoggedInUserName": "",
    "licenseKey": "",
    "locationEnabled": "",
    "locationType": "",
    "locations": "",
    "machineType": "",
    "mitigationMode": "",
    "mitigationModeSuspicious": "",
    "modelName": "",
    "networkInterfaces": "",
    "networkQuarantineEnabled": "",
    "networkStatus": "",
    "operationalState": "",
    "osArch": "",
    "osName": "",
    "osRevision": "",
    "osStartTime": "",
    "osType": "",
    "rangerStatus": "",
    "rangerVersion": "",
    "registeredAt": "",
    "remoteProfilingState": "",
    "scanFinishedAt": "",
    "scanStartedAt": "",
    "scanStatus": "",
    "serialNumber": "",
    "showAlertIcon": "",
    "tags_sentinelone": "",
    "threatRebootRequired": "",
    "totalMemory": "",
    "userActionsNeeded": "",
    "uuid": "",
    "osUsername": "",
    "scanAbortedAt": "",
    "activeDirectory_computerDistinguishedName": "",
    "activeDirectory_lastUserDistinguishedName": "",
    "Type": "SentinelOne_CL",
    "_ResourceId": ""
  },
  {
    "activityType": 147,
    "TimeGenerated": "7/31/2023, 8:10:05.826 AM",
    "TenantId": "1a0e2567-2e58-4989-ad18-206108185325",
    "SourceSystem": "RestAPI",
    "MG": "",
    "ManagementGroupName": "",
    "Computer": "",
    "RawData": "",
    "alertInfo_indicatorDescription": "",
    "alertInfo_indicatorName": "",
    "targetProcessInfo_tgtFileOldPath": "",
    "alertInfo_indicatorCategory": "",
    "alertInfo_registryOldValue": "",
    "alertInfo_dstIp": "",
    "alertInfo_dstPort": "",
    "alertInfo_netEventDirection": "",
    "alertInfo_srcIp": "",
    "alertInfo_srcPort": "",
    "containerInfo_id": "",
    "targetProcessInfo_tgtFileId": "",
    "alertInfo_registryOldValueType": "",
    "alertInfo_dnsRequest": "",
    "alertInfo_dnsResponse": "",
    "alertInfo_registryKeyPath": "",
    "alertInfo_registryPath": "",
    "alertInfo_registryValue": "",
    "ruleInfo_description": "",
    "alertInfo_loginAccountDomain": "",
    "alertInfo_loginAccountSid": "",
    "alertInfo_loginIsAdministratorEquivalent": "",
    "alertInfo_loginIsSuccessful": "",
    "alertInfo_loginType": "",
    "alertInfo_loginsUserName": "",
    "alertInfo_srcMachineIp": "",
    "targetProcessInfo_tgtProcCmdLine": "",
    "targetProcessInfo_tgtProcImagePath": "",
    "targetProcessInfo_tgtProcName": "",
    "targetProcessInfo_tgtProcPid": "",
    "targetProcessInfo_tgtProcSignedStatus": "",
    "targetProcessInfo_tgtProcStorylineId": "",
    "targetProcessInfo_tgtProcUid": "",
    "sourceParentProcessInfo_storyline": "",
    "sourceParentProcessInfo_uniqueId": "",
    "sourceProcessInfo_storyline": "",
    "sourceProcessInfo_uniqueId": "",
    "agentDetectionInfo_machineType": "",
    "agentDetectionInfo_name": "",
    "agentDetectionInfo_osFamily": "",
    "agentDetectionInfo_osName": "",
    "agentDetectionInfo_osRevision": "",
    "agentDetectionInfo_uuid": "",
    "agentDetectionInfo_version": "",
    "agentRealtimeInfo_id": "",
    "agentRealtimeInfo_infected": "",
    "agentRealtimeInfo_isActive": "",
    "agentRealtimeInfo_isDecommissioned": "",
    "agentRealtimeInfo_machineType": "",
    "agentRealtimeInfo_name": "",
    "agentRealtimeInfo_os": "",
    "agentRealtimeInfo_uuid": "",
    "alertInfo_alertId": "",
    "alertInfo_analystVerdict": "",
    "alertInfo_createdAt": "",
    "alertInfo_dvEventId": "",
    "alertInfo_eventType": "",
    "alertInfo_hitType": "",
    "alertInfo_incidentStatus": "",
    "alertInfo_isEdr": "",
    "alertInfo_reportedAt": "",
    "alertInfo_source": "",
    "alertInfo_updatedAt": "",
    "ruleInfo_id": "",
    "ruleInfo_name": "",
    "ruleInfo_queryLang": "",
    "ruleInfo_queryType": "",
    "ruleInfo_s1ql": "",
    "ruleInfo_scopeLevel": "",
    "ruleInfo_severity": "",
    "ruleInfo_treatAsThreat": "",
    "sourceParentProcessInfo_commandline": "",
    "sourceParentProcessInfo_fileHashMd5": "",
    "sourceParentProcessInfo_fileHashSha1": "",
    "sourceParentProcessInfo_fileHashSha256": "",
    "sourceParentProcessInfo_filePath": "",
    "sourceParentProcessInfo_fileSignerIdentity": "",
    "sourceParentProcessInfo_integrityLevel": "",
    "sourceParentProcessInfo_name": "",
    "sourceParentProcessInfo_pid": "",
    "sourceParentProcessInfo_pidStarttime": "",
    "sourceParentProcessInfo_subsystem": "",
    "sourceParentProcessInfo_user": "",
    "sourceProcessInfo_commandline": "",
    "sourceProcessInfo_fileHashMd5": "",
    "sourceProcessInfo_fileHashSha1": "",
    "sourceProcessInfo_fileHashSha256": "",
    "sourceProcessInfo_filePath": "",
    "sourceProcessInfo_fileSignerIdentity": "",
    "sourceProcessInfo_integrityLevel": "",
    "sourceProcessInfo_name": "",
    "sourceProcessInfo_pid": "",
    "sourceProcessInfo_pidStarttime": "",
    "sourceProcessInfo_subsystem": "",
    "sourceProcessInfo_user": "",
    "targetProcessInfo_tgtFileCreatedAt": "",
    "targetProcessInfo_tgtFileHashSha1": "",
    "targetProcessInfo_tgtFileHashSha256": "",
    "targetProcessInfo_tgtFileIsSigned": "",
    "targetProcessInfo_tgtFileModifiedAt": "",
    "targetProcessInfo_tgtFilePath": "",
    "targetProcessInfo_tgtProcIntegrityLevel": "",
    "targetProcessInfo_tgtProcessStartTime": "",
    "agentUpdatedVersion": "",
    "agentId": "",
    "hash": "",
    "osFamily": "",
    "threatId": "",
    "creator": "",
    "creatorId": "",
    "inherits": "",
    "isDefault": "",
    "name": "",
    "registrationToken": "",
    "totalAgents": "",
    "type": "",
    "agentDetectionInfo_accountId": "",
    "agentDetectionInfo_accountName": "",
    "agentDetectionInfo_agentDetectionState": "",
    "agentDetectionInfo_agentDomain": "",
    "agentDetectionInfo_agentIpV4": "",
    "agentDetectionInfo_agentIpV6": "",
    "agentDetectionInfo_agentLastLoggedInUserName": "",
    "agentDetectionInfo_agentMitigationMode": "",
    "agentDetectionInfo_agentOsName": "",
    "agentDetectionInfo_agentOsRevision": "",
    "agentDetectionInfo_agentRegisteredAt": "",
    "agentDetectionInfo_agentUuid": "",
    "agentDetectionInfo_agentVersion": "",
    "agentDetectionInfo_externalIp": "",
    "agentDetectionInfo_groupId": "",
    "agentDetectionInfo_groupName": "",
    "agentDetectionInfo_siteId": "",
    "agentDetectionInfo_siteName": "",
    "agentRealtimeInfo_accountId": "",
    "agentRealtimeInfo_accountName": "",
    "agentRealtimeInfo_activeThreats": "",
    "agentRealtimeInfo_agentComputerName": "",
    "agentRealtimeInfo_agentDomain": "",
    "agentRealtimeInfo_agentId": "",
    "agentRealtimeInfo_agentInfected": "",
    "agentRealtimeInfo_agentIsActive": "",
    "agentRealtimeInfo_agentIsDecommissioned": "",
    "agentRealtimeInfo_agentMachineType": "",
    "agentRealtimeInfo_agentMitigationMode": "",
    "agentRealtimeInfo_agentNetworkStatus": "",
    "agentRealtimeInfo_agentOsName": "",
    "agentRealtimeInfo_agentOsRevision": "",
    "agentRealtimeInfo_agentOsType": "",
    "agentRealtimeInfo_agentUuid": "",
    "agentRealtimeInfo_agentVersion": "",
    "agentRealtimeInfo_groupId": "",
    "agentRealtimeInfo_groupName": "",
    "agentRealtimeInfo_networkInterfaces": "",
    "agentRealtimeInfo_operationalState": "",
    "agentRealtimeInfo_rebootRequired": "",
    "agentRealtimeInfo_scanFinishedAt": "",
    "agentRealtimeInfo_scanStartedAt": "",
    "agentRealtimeInfo_scanStatus": "",
    "agentRealtimeInfo_siteId": "",
    "agentRealtimeInfo_siteName": "",
    "agentRealtimeInfo_userActionsNeeded": "",
    "indicators": "",
    "mitigationStatus": "",
    "threatInfo_analystVerdict": "",
    "threatInfo_analystVerdictDescription": "",
    "threatInfo_automaticallyResolved": "",
    "threatInfo_certificateId": "",
    "threatInfo_classification": "",
    "threatInfo_classificationSource": "",
    "threatInfo_cloudFilesHashVerdict": "",
    "threatInfo_collectionId": "",
    "threatInfo_confidenceLevel": "",
    "threatInfo_createdAt": "",
    "threatInfo_detectionEngines": "",
    "threatInfo_detectionType": "",
    "threatInfo_engines": "",
    "threatInfo_externalTicketExists": "",
    "threatInfo_failedActions": "",
    "threatInfo_fileExtension": "",
    "threatInfo_fileExtensionType": "",
    "threatInfo_filePath": "",
    "threatInfo_fileSize": "",
    "threatInfo_fileVerificationType": "",
    "threatInfo_identifiedAt": "",
    "threatInfo_incidentStatus": "",
    "threatInfo_incidentStatusDescription": "",
    "threatInfo_initiatedBy": "",
    "threatInfo_initiatedByDescription": "",
    "threatInfo_isFileless": "",
    "threatInfo_isValidCertificate": "",
    "threatInfo_mitigatedPreemptively": "",
    "threatInfo_mitigationStatus": "",
    "threatInfo_mitigationStatusDescription": "",
    "threatInfo_originatorProcess": "",
    "threatInfo_pendingActions": "",
    "threatInfo_processUser": "",
    "threatInfo_publisherName": "",
    "threatInfo_reachedEventsLimit": "",
    "threatInfo_rebootRequired": "",
    "threatInfo_sha1": "",
    "threatInfo_storyline": "",
    "threatInfo_threatId": "",
    "threatInfo_threatName": "",
    "threatInfo_updatedAt": "",
    "whiteningOptions": "",
    "threatInfo_maliciousProcessArguments": "",
    "accountId": 1712500237934148900,
    "accountName": "Crest Data Systems",
    "activityUuid": "799c8282-d4ca-4e71-8cd9-5849edcd2243",
    "createdAt": "7/31/2023, 7:53:03.645 AM",
    "id": 1741149405615882800,
    "primaryDescription": "The Management User user1 successfully configured 2FA.",
    "secondaryDescription": "IP address: 1.2.3.4",
    "siteId": "",
    "siteName": "",
    "updatedAt": "7/31/2023, 7:53:03.623 AM",
    "userId": 1738949396987828700,
    "event_name": "Activities.",
    "DataFields": {
      "accountName": "Crest Data Systems",
      "fullScopeDetails": "Account Crest Data Systems",
      "fullScopeDetailsPath": "Global / Crest Data Systems",
      "groupName": null,
      "ipAddress": "1.2.3.4",
      "realUser": null,
      "role": "Admin",
      "scopeLevel": "Account",
      "scopeName": "Crest Data Systems",
      "siteName": null,
      "sourceType": "UI",
      "userScope": "account",
      "username": "user1"
    },
    "description": "",
    "comments": "",
    "activeDirectory_computerMemberOf": "",
    "activeDirectory_lastUserMemberOf": "",
    "activeThreats": "",
    "agentVersion": "",
    "allowRemoteShell": "",
    "appsVulnerabilityStatus": "",
    "computerName": "",
    "consoleMigrationStatus": "",
    "coreCount": "",
    "cpuCount": "",
    "cpuId": "",
    "detectionState": "",
    "domain": "",
    "encryptedApplications": "",
    "externalId": "",
    "externalIp": "",
    "firewallEnabled": "",
    "firstFullModeTime": "",
    "fullDiskScanLastUpdatedAt": "",
    "groupId": "",
    "groupIp": "",
    "groupName": "",
    "inRemoteShellSession": "",
    "infected": "",
    "installerType": "",
    "isActive": "",
    "isDecommissioned": "",
    "isPendingUninstall": "",
    "isUninstalled": "",
    "isUpToDate": "",
    "lastActiveDate": "",
    "lastIpToMgmt": "",
    "lastLoggedInUserName": "",
    "licenseKey": "",
    "locationEnabled": "",
    "locationType": "",
    "locations": "",
    "machineType": "",
    "mitigationMode": "",
    "mitigationModeSuspicious": "",
    "modelName": "",
    "networkInterfaces": "",
    "networkQuarantineEnabled": "",
    "networkStatus": "",
    "operationalState": "",
    "osArch": "",
    "osName": "",
    "osRevision": "",
    "osStartTime": "",
    "osType": "",
    "rangerStatus": "",
    "rangerVersion": "",
    "registeredAt": "",
    "remoteProfilingState": "",
    "scanFinishedAt": "",
    "scanStartedAt": "",
    "scanStatus": "",
    "serialNumber": "",
    "showAlertIcon": "",
    "tags_sentinelone": "",
    "threatRebootRequired": "",
    "totalMemory": "",
    "userActionsNeeded": "",
    "uuid": "",
    "osUsername": "",
    "scanAbortedAt": "",
    "activeDirectory_computerDistinguishedName": "",
    "activeDirectory_lastUserDistinguishedName": "",
    "Type": "SentinelOne_CL",
    "_ResourceId": ""
  },
  {
    "activityType": 2030,
    "TimeGenerated": "7/21/2023, 5:40:04.348 AM",