This commit is contained in:
sp 2021-12-17 19:18:49 +02:00
Родитель ff558fe2d5
Коммит ff5c9d2519
26 изменённых файлов: 1471 добавлений и 0 удалений


@ -0,0 +1,533 @@
{
"name": "SentinelOne",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "EventVendor",
"Type": "String"
},
{
"Name": "EventProduct",
"Type": "String"
},
{
"Name": "AccountName",
"Type": "String"
},
{
"Name": "ActivityType",
"Type": "Double"
},
{
"Name": "EventCreationTime",
"Type": "DateTime"
},
{
"Name": "DataAccountName",
"Type": "String"
},
{
"Name": "DataFullScopeDetails",
"Type": "String"
},
{
"Name": "DataScopeLevel",
"Type": "String"
},
{
"Name": "DataScopeName",
"Type": "String"
},
{
"Name": "DataSiteId",
"Type": "Double"
},
{
"Name": "DataSiteName",
"Type": "String"
},
{
"Name": "UserName",
"Type": "String"
},
{
"Name": "EventId",
"Type": "String"
},
{
"Name": "EventOriginalMessage",
"Type": "String"
},
{
"Name": "SiteId",
"Type": "String"
},
{
"Name": "SiteName",
"Type": "String"
},
{
"Name": "UpdatedAt",
"Type": "DateTime"
},
{
"Name": "UserIdentity",
"Type": "String"
},
{
"Name": "EventType",
"Type": "String"
},
{
"Name": "DataByUser",
"Type": "String"
},
{
"Name": "DataRole",
"Type": "String"
},
{
"Name": "DataUserScope",
"Type": "String"
},
{
"Name": "EventTypeDetailed",
"Type": "String"
},
{
"Name": "DataSource",
"Type": "String"
},
{
"Name": "DataExpiryDateStr",
"Type": "String"
},
{
"Name": "DataExpiryTime",
"Type": "Double"
},
{
"Name": "DataNetworkquarantine",
"Type": "Boolean"
},
{
"Name": "DataRuleCreationTime",
"Type": "Double"
},
{
"Name": "DataRuleDescription",
"Type": "String"
},
{
"Name": "DataRuleExpirationMode",
"Type": "String"
},
{
"Name": "DataRuleId",
"Type": "Double"
},
{
"Name": "DataRuleName",
"Type": "String"
},
{
"Name": "DataRuleQueryDetails",
"Type": "String"
},
{
"Name": "DataRuleQueryType",
"Type": "String"
},
{
"Name": "DataRuleSeverity",
"Type": "String"
},
{
"Name": "DataScopeId",
"Type": "Double"
},
{
"Name": "DataStatus",
"Type": "String"
},
{
"Name": "DataSystemUser",
"Type": "Double"
},
{
"Name": "DataTreatasthreat",
"Type": "String"
},
{
"Name": "DataUserId",
"Type": "Double"
},
{
"Name": "DataUserName",
"Type": "String"
},
{
"Name": "EventSubStatus",
"Type": "String"
},
{
"Name": "AgentId",
"Type": "String"
},
{
"Name": "DataComputerName",
"Type": "String"
},
{
"Name": "DataExternalIp",
"Type": "String"
},
{
"Name": "DataGroupName",
"Type": "String"
},
{
"Name": "DataSystem",
"Type": "Boolean"
},
{
"Name": "DataUuid",
"Type": "String"
},
{
"Name": "GroupId",
"Type": "String"
},
{
"Name": "GroupName",
"Type": "String"
},
{
"Name": "DataGroup",
"Type": "String"
},
{
"Name": "DataOptionalGroups",
"Type": "String"
},
{
"Name": "DataCreatedAt",
"Type": "DateTime"
},
{
"Name": "DataDownloadUrl",
"Type": "String"
},
{
"Name": "DataFilePath",
"Type": "String"
},
{
"Name": "DataFilename",
"Type": "String"
},
{
"Name": "DataUploadedFilename",
"Type": "String"
},
{
"Name": "Comments",
"Type": "String"
},
{
"Name": "DataNewValue",
"Type": "String"
},
{
"Name": "DataPolicyId",
"Type": "String"
},
{
"Name": "DataPolicyName",
"Type": "String"
},
{
"Name": "DataNewValueb",
"Type": "Boolean"
},
{
"Name": "DataShouldReboot",
"Type": "Boolean"
},
{
"Name": "DataRoleName",
"Type": "String"
},
{
"Name": "DataScopeLevelName",
"Type": "String"
},
{
"Name": "ActiveDirectoryComputerDistinguishedName",
"Type": "String"
},
{
"Name": "ActiveDirectoryComputerMemberOf",
"Type": "String"
},
{
"Name": "ActiveDirectoryLastUserDistinguishedName",
"Type": "String"
},
{
"Name": "ActiveDirectoryLastUserMemberOf",
"Type": "String"
},
{
"Name": "ActiveThreats",
"Type": "Double"
},
{
"Name": "AgentVersion",
"Type": "String"
},
{
"Name": "AllowRemoteShell",
"Type": "Boolean"
},
{
"Name": "AppsVulnerabilityStatus",
"Type": "String"
},
{
"Name": "ComputerName",
"Type": "String"
},
{
"Name": "ConsoleMigrationStatus",
"Type": "String"
},
{
"Name": "CoreCount",
"Type": "Double"
},
{
"Name": "CpuCount",
"Type": "Double"
},
{
"Name": "CpuId",
"Type": "String"
},
{
"Name": "Domain",
"Type": "String"
},
{
"Name": "EncryptedApplications",
"Type": "Boolean"
},
{
"Name": "ExternalId",
"Type": "String"
},
{
"Name": "ExternalIp",
"Type": "String"
},
{
"Name": "FirewallEnabled",
"Type": "Boolean"
},
{
"Name": "GroupIp",
"Type": "String"
},
{
"Name": "InRemoteShellSession",
"Type": "Boolean"
},
{
"Name": "Infected",
"Type": "Boolean"
},
{
"Name": "InstallerType",
"Type": "String"
},
{
"Name": "IsActive",
"Type": "Boolean"
},
{
"Name": "IsDecommissioned",
"Type": "Boolean"
},
{
"Name": "IsPendingUninstall",
"Type": "Boolean"
},
{
"Name": "IsUninstalled",
"Type": "Boolean"
},
{
"Name": "IsUpToDate",
"Type": "Boolean"
},
{
"Name": "LastActiveDate",
"Type": "DateTime"
},
{
"Name": "LastIpToMgmt",
"Type": "String"
},
{
"Name": "LastLoggedInUserName",
"Type": "String"
},
{
"Name": "LicenseKey",
"Type": "String"
},
{
"Name": "LocationEnabled",
"Type": "Boolean"
},
{
"Name": "LocationType",
"Type": "String"
},
{
"Name": "Locations",
"Type": "String"
},
{
"Name": "MachineType",
"Type": "String"
},
{
"Name": "MitigationMode",
"Type": "String"
},
{
"Name": "MitigationModeSuspicious",
"Type": "String"
},
{
"Name": "ModelName",
"Type": "String"
},
{
"Name": "NetworkInterfaces",
"Type": "String"
},
{
"Name": "NetworkQuarantineEnabled",
"Type": "Boolean"
},
{
"Name": "NetworkStatus",
"Type": "String"
},
{
"Name": "OperationalState",
"Type": "String"
},
{
"Name": "OsArch",
"Type": "String"
},
{
"Name": "DvcOs",
"Type": "String"
},
{
"Name": "OsRevision",
"Type": "String"
},
{
"Name": "OsStartTime",
"Type": "DateTime"
},
{
"Name": "OsType",
"Type": "String"
},
{
"Name": "RangerStatus",
"Type": "String"
},
{
"Name": "RangerVersion",
"Type": "String"
},
{
"Name": "RegisteredAt",
"Type": "DateTime"
},
{
"Name": "RemoteProfilingState",
"Type": "String"
},
{
"Name": "ScanFinishedAt",
"Type": "DateTime"
},
{
"Name": "ScanStartedAt",
"Type": "DateTime"
},
{
"Name": "ScanStatus",
"Type": "String"
},
{
"Name": "ThreatRebootRequired",
"Type": "Boolean"
},
{
"Name": "TotalMemory",
"Type": "Double"
},
{
"Name": "UserActionsNeeded",
"Type": "String"
},
{
"Name": "Uuid",
"Type": "String"
},
{
"Name": "Creator",
"Type": "String"
},
{
"Name": "CreatorId",
"Type": "String"
},
{
"Name": "Inherits",
"Type": "Boolean"
},
{
"Name": "IsDefault",
"Type": "Boolean"
},
{
"Name": "Name",
"Type": "String"
},
{
"Name": "RegistrationToken",
"Type": "String"
},
{
"Name": "TotalAgents",
"Type": "Double"
},
{
"Name": "Type",
"Type": "String"
}
]
}
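Review bot: Several identifier fields are typed `"Double"` (`DataSiteId`, `DataRuleId`, `DataUserId`, `DataScopeId`) while their counterparts `SiteId`, `GroupId` and `CreatorId` are `"String"`; SentinelOne ids are typically large integers beyond the 2^53 range a double represents exactly, so the Double columns silently round and can no longer be joined against the string-typed ones. Type them `"String"` to match, and check `DataSystemUser` (Double) and `DataTreatasthreat` (String) against the raw payload, since their siblings `DataSystem` and `DataNetworkquarantine` are `"Boolean"`. Separately, `RegistrationToken` and `LicenseKey` are ingested as plain columns; a site registration token is what enrols new agents, so consider dropping or masking these in the parser rather than exposing them to every workspace reader.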


@ -101,6 +101,7 @@
"SecurityEvents",
"SemperisDSP",
"SenservaPro",
"SentinelOne",
"SlackAuditAPI",
"SonicWallFirewall",
"SonraiDataConnector",


@ -0,0 +1,43 @@
id: 382f37b3-b49a-492f-b436-a4717c8c5c3e
name: Sentinel One - Admin login from new location
description: |
'Detects admin user login from new location (IP address).'
severity: Medium
requiredDataConnectors:
- connectorId: SentinelOne
dataTypes:
- SentinelOne
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
- PrivilegeEscalation
relevantTechniques:
- T1078
query: |
SentinelOne
| where ActivityType == 27
| where DataRole =~ 'Admin'
| extend SrcIpAddr = extract(@'Address\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, EventOriginalMessage)
| where isnotempty(SrcIpAddr)
| summarize ip_lst = makeset(SrcIpAddr) by UserName
| join (SentinelOne
| where ActivityType == 27
| where DataRole =~ 'Admin'
| extend SrcIpAddr = extract(@'Address\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, EventOriginalMessage)
| where isnotempty(SrcIpAddr)) on UserName
| where ip_lst !has SrcIpAddr
| extend AccountCustomEntity = UserName, IPCustomEntity = SrcIpAddr
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled
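Review bot: The baseline and the joined candidate set cover the same 14d window, so `ip_lst` always contains every `SrcIpAddr` the right side produces and `where ip_lst !has SrcIpAddr` can never match; the rule cannot fire. Build the baseline with `| where TimeGenerated between (ago(14d) .. ago(1h))` and restrict the joined side with `| where TimeGenerated > ago(1h)` so only addresses unseen in the preceding days are reported. `has` does term matching on the serialised array; `| where set_has_element(ip_lst, SrcIpAddr) == false` is the exact membership test. The regex also captures only IPv4, so admin logins from IPv6 addresses are silently dropped.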


@ -0,0 +1,28 @@
id: 4ad87e4a-d045-4c6b-9652-c9de27fcb442
name: Sentinel One - Agent uninstalled from host
description: |
'Detects when agent was uninstalled from host.'
severity: Medium
requiredDataConnectors:
- connectorId: SentinelOne
dataTypes:
- SentinelOne
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1070
query: |
SentinelOne
| where ActivityType == 31
| extend HostCustomEntity = DataComputerName
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: HostCustomEntity
version: 1.0.0
kind: Scheduled
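Review bot: `relevantTechniques: - T1070` (Indicator Removal) does not describe removing the agent; disabling or uninstalling a security tool is T1562 (Impair Defenses), which the "New rules" hunting query in this same commit already uses for rule changes. The blacklist-hash-deleted, exclusion-added, rule-deleted and rule-disabled rules and the agent/rule hunting queries tag T1070 as well, so the commit is inconsistent with itself. Change to `- T1562` in the defense-evasion rules so tactic and technique agree.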


@ -0,0 +1,30 @@
id: 5f37de91-ff2b-45fb-9eda-49e9f76a3942
name: Sentinel One - Alert from custom rule
description: |
'Detects when alert from custom rule received.'
severity: Medium
requiredDataConnectors:
- connectorId: SentinelOne
dataTypes:
- SentinelOne
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1204
query: |
SentinelOne
| where ActivityType == 3608
| extend RuleName = extract(@'Custom Rule:\s(.*?)\sin Group', 1, EventOriginalMessage)
| extend DstHostname = extract(@'detected on\s(\S+)\.', 1, EventOriginalMessage)
| extend HostCustomEntity = DstHostname
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: HostCustomEntity
version: 1.0.0
kind: Scheduled
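Review bot: `RuleName` is extracted right after the ActivityType filter but never surfaced, so the incident shows only the host and the analyst must reopen the raw message to learn which custom rule fired; expose it through a `customDetails:` mapping (`RuleName: RuleName`). Rows where the `detected on` regex fails end up with an empty `DstHostname` that is still mapped to a Host entity, so add `| where isnotempty(DstHostname)` before the entity mapping. The multiple-alerts, same-rule-different-hosts, alert-triggers, sources-by-alert-count and users-by-alert-count queries in this commit derive entities from the same regexes and need the same guard.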


@ -0,0 +1,33 @@
id: de339761-2298-4b37-8f1b-80ebd4f0b5f6
name: Sentinel One - Blacklist hash deleted
description: |
'Detects when blacklist hash was deleted.'
severity: Medium
requiredDataConnectors:
- connectorId: SentinelOne
dataTypes:
- SentinelOne
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1070
query: |
SentinelOne
| where ActivityType == 3020
| project EventCreationTime, UserName, Hash=EventSubStatus
| extend AccountCustomEntity = UserName, HashCustomEntity = Hash
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
- entityType: FileHash
fieldMappings:
- identifier: Value
columnName: HashCustomEntity
version: 1.0.0
kind: Scheduled
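Review bot: The `FileHash` entity mapping supplies only `Value`; the Sentinel FileHash entity is identified by the Algorithm + Value pair, so without an algorithm column the hash may not resolve to an entity (verify against the current entity schema). SentinelOne blocklist entries are, as far as I know, SHA1 hashes; if the data confirms this, add `| extend HashAlgorithm = 'SHA1'` and map `- identifier: Algorithm` / `columnName: HashAlgorithm` alongside `Value`. Guard with `| where isnotempty(Hash)` so events whose `EventSubStatus` is blank do not raise an alert with no hash.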


@ -0,0 +1,29 @@
id: 4224409f-a7bf-45eb-a931-922d79575a05
name: Sentinel One - Exclusion added
description: |
'Detects when new exclusion added.'
severity: Medium
requiredDataConnectors:
- connectorId: SentinelOne
dataTypes:
- SentinelOne
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1070
query: |
SentinelOne
| where EventOriginalMessage has_all ('added', 'exclusion')
| project EventCreationTime, UserName, EventOriginalMessage
| extend AccountCustomEntity = UserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.0
kind: Scheduled
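Review bot: This rule keys on free text, `EventOriginalMessage has_all ('added', 'exclusion')`, while every other rule in the commit filters on `ActivityType`; a wording change in the audit message breaks it, and any unrelated event containing both words pollutes it. If the audit payload carries an activity code for exclusion creation, filter on that and keep the text match only as a fallback. The `project` list could also include scope fields from the parser schema such as `DataFullScopeDetails`, so the analyst sees where the exclusion applies without reading the raw message.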


@ -0,0 +1,32 @@
id: 47e427e6-61bc-4e24-8d16-a12871b9f939
name: Sentinel One - Multipl alerts on host
description: |
'Detects when multiple alerts received from same host.'
severity: Medium
requiredDataConnectors:
- connectorId: SentinelOne
dataTypes:
- SentinelOne
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T11204
query: |
SentinelOne
| where ActivityType == 3608
| extend RuleName = extract(@'Custom Rule:\s(.*?)\sin Group', 1, EventOriginalMessage)
| extend DstHostname = extract(@'detected on\s(\S+)\.', 1, EventOriginalMessage)
| summarize count() by DstHostname, bin(TimeGenerated, 15m)
| where count_ > 1
| extend HostCustomEntity = DstHostname
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: HostCustomEntity
version: 1.0.0
kind: Scheduled
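Review bot: `relevantTechniques: - T11204` is not a valid ATT&CK id (five digits); the alert-from-custom-rule rule uses `T1204`, which is what is meant here and in the same line of the same-rule-different-hosts rule later in this commit. The rule `name` also has a typo, `Multipl alerts on host`. `summarize count() by DstHostname, bin(TimeGenerated, 15m)` followed by `count_ > 1` fires on just two alerts in a quarter hour; state that threshold in `description` or raise it, and `RuleName` is computed but dropped, so it is worth carrying into `customDetails:`.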


@ -0,0 +1,28 @@
id: e73d293d-966c-47ec-b8e0-95255755f12c
name: Sentinel One - New admin created
description: |
'Detects when new admin user is created.'
severity: Medium
requiredDataConnectors:
- connectorId: SentinelOne
dataTypes:
- SentinelOne
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- PrivilegeEscalation
relevantTechniques:
- T1078
query: |
SentinelOne
| where ActivityType == 23
| extend AccountCustomEntity = UserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.0
kind: Scheduled
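Review bot: The name says new *admin* but the query filters only on `ActivityType == 23` with no role check, so every user creation fires unless that activity code is admin-specific (confirm against the SentinelOne activity list). The admin-login rule in this commit narrows with `| where DataRole =~ 'Admin'`; apply the same filter here. The mapped entity is `UserName`, which appears to be the actor, while the created account looks to be in `DataUserName` (the rule-deleted rules map that column as the account) — map both so the incident names the new admin as well as who created it.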


@ -0,0 +1,29 @@
id: e171b587-22bd-46ec-b96c-7c99024847a7
name: Sentinel One - Rule deleted
description: |
'Detects when a rule was deleted.'
severity: Medium
requiredDataConnectors:
- connectorId: SentinelOne
dataTypes:
- SentinelOne
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1070
query: |
SentinelOne
| where ActivityType == 3602
| project EventCreationTime, DataRuleName, DataRuleQueryDetails, DataUserName
| extend AccountCustomEntity = DataUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.0
kind: Scheduled


@ -0,0 +1,29 @@
id: 84e210dd-8982-4398-b6f3-264fd72d036c
name: Sentinel One - Rule disabled
description: |
'Detects when a rule was disabled.'
severity: Medium
requiredDataConnectors:
- connectorId: SentinelOne
dataTypes:
- SentinelOne
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1070
query: |
SentinelOne
| where ActivityType == 3603
| project EventCreationTime, DataRuleName, DataRuleQueryDetails, DataUserName
| extend AccountCustomEntity = DataUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.0
kind: Scheduled


@ -0,0 +1,32 @@
id: 5586d378-1bce-4d9b-9ac8-e7271c9d5a9a
name: Sentinel One - Same custom rule triggered on different hosts
description: |
'Detects when same custom rule was triggered on different hosts.'
severity: Medium
requiredDataConnectors:
- connectorId: SentinelOne
dataTypes:
- SentinelOne
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T11204
query: |
SentinelOne
| where ActivityType == 3608
| extend RuleName = extract(@'Custom Rule:\s(.*?)\sin Group', 1, EventOriginalMessage)
| extend DstHostname = extract(@'detected on\s(\S+)\.', 1, EventOriginalMessage)
| summarize hosts = makeset(DstHostname) by RuleName, bin(TimeGenerated, 15m)
| where array_length(hosts) > 1
| extend HostCustomEntity = hosts
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: HostCustomEntity
version: 1.0.0
kind: Scheduled
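Review bot: `HostCustomEntity = hosts` assigns a dynamic array to the Host entity column, but entity mapping expects one scalar host name per row, so these incidents will carry no usable Host entity. After the `array_length(hosts) > 1` filter, expand the set with `| mv-expand HostCustomEntity = hosts to typeof(string)`, which yields one row per affected host with `RuleName` preserved. `RuleName` is what correlates the hosts, so also surface it via `customDetails:`.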


@ -0,0 +1,32 @@
id: 51999097-60f4-42c0-bee8-fa28160e5583
name: Sentinel One - User viewed agent's passphrase
description: |
'Detects when a user viewed agent's passphrase.'
severity: Medium
requiredDataConnectors:
- connectorId: SentinelOne
dataTypes:
- SentinelOne
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
relevantTechniques:
- T1555
query: |
SentinelOne
| where ActivityType == 64
| extend AccountCustomEntity = UserName, HostCustomEntity = DataComputerName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: HostCustomEntity
version: 1.0.0
kind: Scheduled


@ -0,0 +1,26 @@
id: 7fc83c11-1d80-4d1e-9d4b-4f48bbf77abe
name: Sentinel One - Agent not updated
description: |
'Query shows agent which are not updated to the latest version.'
severity: Low
requiredDataConnectors:
- connectorId: SentinelOne
dataTypes:
- SentinelOne
tactics:
- DefenseEvasion
relevantTechniques:
- T1070
query: |
//Latest agent version can be checked in Management Console>Sentinels>Packages
let upd_ver = dynamic(['21.7.4.1043', '21.7.4.5853', '21.10.3.3', '21.12.1.5913'])
SentinelOne
| where TimeGenerated > ago(24h)
| where EventType =~ 'Agents.'
| where AgentVersion !in ('upd_ver')
| extend HostCustomEntity = ComputerName
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: HostCustomEntity
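Review bot: `AgentVersion !in ('upd_ver')` compares against the literal string `'upd_ver'`, not the version list, so every agent is reported; it must read `| where AgentVersion !in (upd_ver)`. The `let` statement above it is also missing its terminating semicolon (`... '21.12.1.5913']);`), which is a KQL syntax error. The hard-coded list goes stale with every SentinelOne release; comparing `parse_version(AgentVersion)` against the highest version observed in the `Agents.` records would remove the manual list, at the cost of assuming at least one agent is current.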


@ -0,0 +1,25 @@
id: 4b2ed4b6-10bf-4b2c-b31e-ae51b575dfd4
name: Sentinel One - Agent status
description: |
'Query shows agent properties.'
severity: Low
requiredDataConnectors:
- connectorId: SentinelOne
dataTypes:
- SentinelOne
tactics:
- DefenseEvasion
relevantTechniques:
- T1070
query: |
SentinelOne
| where TimeGenerated > ago(24h)
| where EventType =~ 'Agents.'
| extend Properties = pack('IsActive', IsActive,'ActiveThreats',ActiveThreats,'FirewallEnabled',FirewallEnabled,'Infected',Infected,'IsUpToDate',IsUpToDate,'MitigationMode',MitigationMode,'MitigationModeSuspicious',MitigationModeSuspicious,'NetworkStatus',NetworkStatus)
| summarize max(TimeGenerated) by ComputerName, tostring(Properties)
| extend HostCustomEntity = ComputerName
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: HostCustomEntity
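Review bot: `summarize max(TimeGenerated) by ComputerName, tostring(Properties)` groups by the packed properties as well as the host, so a host whose state changed during the day appears once per distinct property set rather than once with its latest state. `| summarize arg_max(TimeGenerated, Properties) by ComputerName` returns only the most recent record per host. If the intent is to show every state transition, say so in `description`, since "shows agent properties" reads as current state.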


@ -0,0 +1,25 @@
id: 660e92b5-1ef6-471f-b753-44a34af82c41
name: Sentinel One - Alert triggers (files, processes, strings)
description: |
'Query shows alert triggers (e.g. files, processes, etc.).'
severity: High
requiredDataConnectors:
- connectorId: SentinelOne
dataTypes:
- SentinelOne
tactics:
- InitialAccess
relevantTechniques:
- T1204
query: |
SentinelOne
| where TimeGenerated > ago(24h)
| where ActivityType == 3608
| order by EventCreationTime
| extend trigger = extract(@'Alert created for\s+(.*?)\sfrom Custom', 1, EventOriginalMessage)
| extend MalwareCustomEntity = trigger
entityMappings:
- entityType: Malware
fieldMappings:
- identifier: Name
columnName: MalwareCustomEntity


@ -0,0 +1,29 @@
id: e45ff570-e8a6-4f8e-9c08-7ee92ef86060
name: Sentinel One - Hosts not scanned recently
description: |
'Query searches for hosts wich were not scanned recently.'
severity: Low
requiredDataConnectors:
- connectorId: SentinelOne
dataTypes:
- SentinelOne
tactics:
- DefenseEvasion
relevantTechniques:
- T1070
query: |
let scanned_agents = SentinelOne
| where TimeGenerated > ago(24h)
| where ActivityType == 92
| order by TimeGenerated
| summarize makeset(DataComputerName);
SentinelOne
| where TimeGenerated > ago(24h)
| where EventType =~ 'Agents.'
| where ComputerName !in (scanned_agents)
| extend HostCustomEntity = ComputerName
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: HostCustomEntity
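Review bot: `scanned_agents` ends with `summarize makeset(DataComputerName)`, a single row holding one dynamic array, so `ComputerName !in (scanned_agents)` tests the host name against the array value rather than its elements and every host is reported. Replace `| order by TimeGenerated` and `| summarize makeset(DataComputerName);` with `| distinct DataComputerName;` so the `in` subquery is a one-column table of names. The 24h window on `scanned_agents` also makes "not scanned recently" mean "not scanned today"; name the window in `description` or lengthen it.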


@ -0,0 +1,25 @@
id: 9c3a38e4-0975-4f96-82ee-90ce68bec76a
name: Sentinel One - New rules
description: |
'Query shows new rules.'
severity: Low
requiredDataConnectors:
- connectorId: SentinelOne
dataTypes:
- SentinelOne
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |
SentinelOne
| where TimeGenerated > ago(24h)
| where ActivityType == 3600
| order by EventCreationTime
| project EventCreationTime, DataRuleName, DataRuleQueryDetails, DataStatus, DataUserName
| extend AccountCustomEntity = DataUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity


@ -0,0 +1,25 @@
id: 8d1ca735-e29a-4bea-a2ec-93162790b686
name: Sentinel One - Deleted rules
description: |
'Query shows deleted rules.'
severity: Low
requiredDataConnectors:
- connectorId: SentinelOne
dataTypes:
- SentinelOne
tactics:
- DefenseEvasion
relevantTechniques:
- T1070
query: |
SentinelOne
| where TimeGenerated > ago(24h)
| where ActivityType == 3602
| order by EventCreationTime
| project EventCreationTime, DataRuleName, DataRuleQueryDetails, DataStatus, DataUserName
| extend AccountCustomEntity = DataUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity


@ -0,0 +1,25 @@
id: 17c77743-8bdb-4d29-a3cb-a7a08676122f
name: Sentinel One - Scanned hosts
description: |
'Query searches for hosts with completed full scan.'
severity: Low
requiredDataConnectors:
- connectorId: SentinelOne
dataTypes:
- SentinelOne
tactics:
- DefenseEvasion
relevantTechniques:
- T1070
query: |
SentinelOne
| where TimeGenerated > ago(24h)
| where ActivityType == 92
| order by TimeGenerated
| project EventCreationTime, DataComputerName
| extend HostCustomEntity = DataComputerName
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: HostCustomEntity


@ -0,0 +1,25 @@
id: acd0a127-461e-48c8-96fa-27d14595abe0
name: Sentinel One - Sources by alert count
description: |
'Query shows sources (hosts) by alert count.'
severity: High
requiredDataConnectors:
- connectorId: SentinelOne
dataTypes:
- SentinelOne
tactics:
- InitialAccess
relevantTechniques:
- T1204
query: |
SentinelOne
| where TimeGenerated > ago(24h)
| where ActivityType == 3608
| extend DstHostname = extract(@'detected on\s(\S+)\.', 1, EventOriginalMessage)
| summarize count() by DstHostname
| extend HostCustomEntity = DstHostname
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: HostCustomEntity
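Review bot: A query titled "by alert count" returns its rows in arbitrary order; add `| order by count_ desc` after the summarize so the noisiest hosts come first. Naming the count column, `| summarize AlertCount = count() by DstHostname`, also matches the workbook's "Hosts by alert count" step and avoids the auto-generated `count_`.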


@ -0,0 +1,23 @@
id: f3a7cedd-6fc3-4661-a0ad-c1738e531917
name: Sentinel One - Uninstalled agents
description: |
'Query shows uninstalled agents.'
severity: Low
requiredDataConnectors:
- connectorId: SentinelOne
dataTypes:
- SentinelOne
tactics:
- DefenseEvasion
relevantTechniques:
- T1070
query: |
SentinelOne
| where TimeGenerated > ago(24h)
| where ActivityType == 31
| extend HostCustomEntity = DataComputerName
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: HostCustomEntity


@ -0,0 +1,29 @@
id: 56500e23-4e64-45a5-a444-98a1acb2f700
name: Sentinel One - Users by alert count
description: |
'Query shows users by alert count.'
severity: High
requiredDataConnectors:
- connectorId: SentinelOne
dataTypes:
- SentinelOne
tactics:
- InitialAccess
relevantTechniques:
- T1204
query: |
SentinelOne
| where TimeGenerated > ago(24h)
| where ActivityType == 3608
| extend DstHostname = extract(@'detected on\s(\S+)\.', 1, EventOriginalMessage)
| join (SentinelOne
| where EventType =~ 'Agents.'
| where isnotempty(LastLoggedInUserName)
| project DstHostname=ComputerName, LastLoggedInUserName) on DstHostname
| summarize count() by LastLoggedInUserName
| extend AccountCustomEntity = LastLoggedInUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
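Review bot: The `join` after the extract uses the default `innerunique` kind, which keeps only one left-side (alert) row per `DstHostname`; the final `summarize count() by LastLoggedInUserName` therefore counts agent records per host, not alerts per user. Use `| join kind=inner (SentinelOne` and collapse the right side to one row per host by replacing the `project` line with `| summarize arg_max(TimeGenerated, LastLoggedInUserName) by DstHostname=ComputerName) on DstHostname`, so every alert survives the join exactly once. The join also assumes the name extracted from the message matches `ComputerName` exactly (short name vs FQDN, case); lower-casing both sides is a cheap safeguard.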

Двоичные данные
Solutions/SentinelOne/Workbooks/Images/SentinelOneBlack.png Normal file




Двоичные данные
Solutions/SentinelOne/Workbooks/Images/SentinelOneWhite.png Normal file





@ -0,0 +1,335 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "**NOTE**: This data connector depends on a parser based on Kusto Function **SentinelOne** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-sentinelone-parser)"
},
"name": "text - 8"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "cd8447d9-b096-4673-92d8-2a1e8291a125",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"description": "Sets the time name for analysis",
"value": {
"durationMs": 604800000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 900000
},
{
"durationMs": 3600000
},
{
"durationMs": 86400000
},
{
"durationMs": 604800000
},
{
"durationMs": 2592000000
},
{
"durationMs": 7776000000
}
]
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelOne\r\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};",
"size": 0,
"title": "Events over time",
"color": "orange",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart",
"graphSettings": {
"type": 0
}
},
"customWidth": "50",
"name": "query - 12",
"styleSettings": {
"maxWidth": "55"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelOne\r\n| where EventType =~ 'Agents.'\r\n| summarize count() by AgentVersion\r\n\r\n",
"size": 3,
"title": "Agents by version",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"tileSettings": {
"titleContent": {
"columnMatch": "Title",
"formatter": 1
},
"leftContent": {
"columnMatch": "e_count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "purple"
}
},
"showBorder": false
}
},
"customWidth": "35",
"name": "query - 0",
"styleSettings": {
"maxWidth": "30"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let usr1 = SentinelOne\n| where isnotempty(UserName)\n| project usr=UserName;\nlet usr2 = SentinelOne\n| where isnotempty(DataUserName)\n| project usr=DataUserName;\nlet all_usr =\nunion isfuzzy=true usr1, usr2\n| summarize cnt = dcount(usr)\n| extend title = 'Users';\nlet agnt = SentinelOne\n| where isnotempty(AgentId)\n| summarize cnt = dcount(AgentId)\n| extend title = 'Agents';\nlet alerts = SentinelOne\n| where ActivityType == 3608\n| summarize cnt = count()\n| extend title = 'Alerts';\nunion isfuzzy=true all_usr, agnt, alerts",
"size": 3,
"title": "SentinelOne Summary",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "title",
"formatter": 1
},
"leftContent": {
"columnMatch": "cnt",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"showBorder": false
}
},
"customWidth": "15",
"name": "query - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelOne\r\n | where ActivityType == 27\r\n | where DataRole =~ 'Admin'\r\n | extend SrcIpAddr = extract(@'Address\\s(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})', 1, EventOriginalMessage)\r\n | where isnotempty(SrcIpAddr)\r\n | summarize Events=count() by SrcIpAddr",
"size": 3,
"title": "Admin Sources",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "35",
"name": "query - 3",
"styleSettings": {
"margin": "10",
"padding": "10"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelOne\r\n| where isnotempty(DataRole)\r\n| where DataRole =~ 'Admin'\r\n| order by EventCreationTime\r\n| limit 100\r\n| project EventCreationTime, User=case(isnotempty(UserName), UserName, DataUserName), Action=EventOriginalMessage",
"size": 1,
"title": "Admin activities",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"filter": true
},
"sortBy": []
},
"customWidth": "55",
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelOne\r\n| where ActivityType == 3608\r\n| extend RuleName = extract(@'Custom Rule:\\s(.*?)\\sin Group', 1, EventOriginalMessage)\r\n| summarize Hits=count() by RuleName\r\n| top 10 by Hits\r\n",
"size": 1,
"title": "Top rules fired",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Hits",
"formatter": 8,
"formatOptions": {
"palette": "redGreen"
}
}
],
"rowLimit": 50
}
},
"customWidth": "40",
"name": "query - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelOne\r\n| where ActivityType == 3608\r\n| extend AlertTrigger = extract(@'Alert created for\\s+(.*?)\\sfrom Custom', 1, EventOriginalMessage)\r\n| summarize Events=count() by AlertTrigger\r\n",
"size": 3,
"title": "Alert triggers",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "30",
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelOne\n| where ActivityType == 3608\n| extend Host = extract(@'detected on\\s(\\S+)\\.', 1, EventOriginalMessage)\n| summarize AlertCount=count() by Host\n",
"size": 1,
"title": "Hosts by alert count",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table"
},
"customWidth": "30",
"name": "query - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelOne\r\n| where ActivityType == 3002\r\n| order by EventCreationTime\r\n| project Hash=EventSubStatus",
"size": 1,
"title": "Recent black hashes",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Hash",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "100%"
}
}
],
"rowLimit": 100,
"filter": true
}
},
"customWidth": "30",
"name": "query - 12"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelOne\n| where ActivityType == 3608\n| order by EventCreationTime\n| extend AlertRule = extract(@'Custom Rule:\\s(.*?)\\sin Group', 1, EventOriginalMessage)\n| extend AffectedHost = extract(@'detected on\\s(\\S+)\\.', 1, EventOriginalMessage)\n| project EventCreationTime, AffectedHost, AlertRule",
"size": 1,
"title": "Latest alerts",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table"
},
"customWidth": "70",
"name": "query - 11"
}
],
"fromTemplateId": "sentinel-SentinelOneWorkbook",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
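Review bot: Two steps reuse the same `name`: `"query - 10"` (SentinelOne Summary and Hosts by alert count) and `"query - 12"` (Events over time and Recent black hashes); Workbooks uses `name` to reference a step, so give each a unique value such as `"query - summary"` and `"query - hostsByAlerts"`. The Agents-by-version pie chart carries `tileSettings` referencing columns `e_count` and `Trend` that its query never produces — configuration left over from the tiles step that should be removed. "Recent black hashes" filters `ActivityType == 3002` while the analytics rule in this commit treats 3020 as the blocklist-hash event; one of the two looks like a transposition, please confirm against the SentinelOne activity types. The queries mix `\r\n` and `\n` line breaks, harmless but worth normalising.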