Azure · vakohl · Nov 25, 2024 · Nov 25, 2024 · Nov 26, 2024 · Nov 27, 2024
@@ -27,7 +27,7 @@
         "displayName": "Alert Event ASIM parser for SentinelOne Singularity platform",
         "category": "ASIM",
         "FunctionAlias": "ASimAlertEventSentinelOneSingularity",
-        "query": "let AlertVerdictLookup = datatable (analystVerdict_s: string, AlertVerdict: string)\n  [\n  \"Undefined\", \"Unknown\",\n  \"true_positive\", \"True Positive\",\n  \"suspicious\", \"True Positive\",\n  \"false_positive\", \"False Positive\"\n];\nlet ThreatCategoryArray = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\nlet DetectionMethodLookup = datatable (\n    threatInfo_engines_s: string,\n    DetectionMethod: string\n)\n    [\n    \"Intrusion Detection\", \"Intrusion Detection\",\n    \"User-Defined Blocklist\", \"User Defined Blocked List\",\n    \"Reputation\", \"Reputation\"\n];\nlet parser = (\n    disabled: bool=false) {\n    SentinelOne_CL\n    | where not(disabled)\n    | where event_name_s in (\"Threats.\")\n    // Mapping Inspection Fields\n    | extend \n      AlertId = threatInfo_threatId_s,\n      AlertName = threatInfo_threatName_s,\n      AlertStatus = iif(threatInfo_incidentStatus_s == \"resolved\", \"Closed\", \"Active\"),\n      AlertOriginalStatus = threatInfo_incidentStatus_s,\n      Names = extract_all('\"name\":\"([^\"]+)\"', dynamic([1]), indicators_s),\n      ThreatId = threatInfo_threatId_s,\n      ThreatName = threatInfo_threatName_s,\n      ThreatFirstReportedTime = threatInfo_identifiedAt_t,\n      ThreatLastReportedTime = threatInfo_updatedAt_t,\n      ThreatCategory = iif(threatInfo_classification_s in (ThreatCategoryArray), threatInfo_classification_s, \"\"),\n      ThreatOriginalCategory = threatInfo_classification_s\n  | extend\n      AttackTechniques = tostring(extract_all('\"(T[0-9]+\\\\.[0-9]+|T[0-9]+)\"', dynamic([1]), tostring(Names))),\n      AttackTactics = tostring(extract_all('\"([^T][^0-9]+)\"', dynamic([1]), tostring(Names)))\n  | project-away Names\n  | lookup DetectionMethodLookup on threatInfo_engines_s\n  | extend analystVerdict_s = threatInfo_analystVerdict_s\n  | lookup AlertVerdictLookup on analystVerdict_s\n    // Mapping Dvc Fields\n    | extend \n        DvcHostname = agentRealtimeInfo_agentComputerName_s,\n        DvcOs =  agentRealtimeInfo_agentOsName_s,\n        DvcOsVersion =  agentRealtimeInfo_agentOsRevision_s,\n        DvcId =  agentRealtimeInfo_agentId_s,\n        DvcIdType = \"Other\",\n        DvcDomain = agentRealtimeInfo_agentDomain_s,\n        DvcDomainType = \"Windows\",\n        DvcIpAddr = agentDetectionInfo_agentIpV4_s\n    // Mapping Process Entity\n    | extend\n        ProcessCommandLine = threatInfo_maliciousProcessArguments_s,\n        ProcessName = threatInfo_originatorProcess_s\n    // Mapping File Fields\n    | extend \n        FileMD5 = threatInfo_md5_g,\n        FileSHA1 = threatInfo_sha1_s,\n        FileSHA256 = threatInfo_sha256_s,\n        FilePath=threatInfo_filePath_s,\n        FileSize = threatInfo_fileSize_d\n    // Mapping User Fields\n    | extend \n        Username = coalesce(agentDetectionInfo_agentLastLoggedInUpn_s, threatInfo_processUser_s)\n    | extend UsernameType = _ASIM_GetUsernameType(Username)\n    // Event Fields\n    | extend\n        EventType = 'Alert',\n        EventOriginalType = event_name_s,\n        EventUid = threatInfo_threatId_s,\n        EventCount = int(1),\n        EventEndTime = TimeGenerated,\n        EventStartTime = TimeGenerated,\n        EventProduct = 'Singularity',\n        EventVendor = 'SentinelOne',\n        EventSchemaVersion = '0.1',\n        EventSchema = \"AlertEvent\"\n    | extend EventSubType = \"Threat\"\n    // Aliases\n    | extend\n        IpAddr = DvcIpAddr,\n        User = Username,\n        Hostname = DvcHostname\n    | project-away *_s, *_g, SourceSystem, ManagementGroupName, Computer, RawData, *_t, *_b, *_d\n};\nparser (\n    disabled = disabled\n)",
+        "query": "let AlertVerdictLookup = datatable (analystVerdict_s: string, AlertVerdict: string)\n  [\n  \"Undefined\", \"Unknown\",\n  \"true_positive\", \"True Positive\",\n  \"suspicious\", \"True Positive\",\n  \"false_positive\", \"False Positive\"\n];\nlet ThreatCategoryArray = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\nlet DetectionMethodLookup = datatable (\n    threatInfo_engines_s: string,\n    DetectionMethod: string\n)\n    [\n    \"Intrusion Detection\", \"Intrusion Detection\",\n    \"User-Defined Blocklist\", \"User Defined Blocked List\",\n    \"Reputation\", \"Reputation\"\n];\nlet parser = (\n    disabled: bool=false) {\n    SentinelOne_CL\n    | where not(disabled)\n    | where event_name_s in (\"Threats.\")\n    // Mapping Inspection Fields\n    | extend \n      AlertId = threatInfo_threatId_s,\n      AlertName = threatInfo_threatName_s,\n      AlertStatus = iif(threatInfo_incidentStatus_s == \"resolved\", \"Closed\", \"Active\"),\n      AlertOriginalStatus = threatInfo_incidentStatus_s,\n      Names = extract_all('\"name\":\"([^\"]+)\"', dynamic([1]), indicators_s),\n      ThreatId = threatInfo_threatId_s,\n      ThreatName = threatInfo_threatName_s,\n      ThreatFirstReportedTime = threatInfo_identifiedAt_t,\n      ThreatLastReportedTime = threatInfo_updatedAt_t,\n      ThreatCategory = iif(threatInfo_classification_s in (ThreatCategoryArray), threatInfo_classification_s, \"\"),\n      ThreatOriginalCategory = threatInfo_classification_s\n  | extend\n      AttackTechniques = tostring(extract_all('\"(T[0-9]+\\\\.[0-9]+|T[0-9]+)\"', dynamic([1]), tostring(Names))),\n      AttackTactics = tostring(extract_all('\"([^T][^0-9\",]+)\"', dynamic([1]), tostring(Names)))\n  | project-away Names\n  | lookup DetectionMethodLookup on threatInfo_engines_s\n  | extend analystVerdict_s = threatInfo_analystVerdict_s\n  | lookup AlertVerdictLookup on analystVerdict_s\n    // Mapping Dvc Fields\n    | extend \n        DvcHostname = agentRealtimeInfo_agentComputerName_s,\n        DvcOs =  agentRealtimeInfo_agentOsName_s,\n        DvcOsVersion =  agentRealtimeInfo_agentOsRevision_s,\n        DvcId =  agentRealtimeInfo_agentId_s,\n        DvcIdType = \"Other\",\n        DvcDomain = agentRealtimeInfo_agentDomain_s,\n        DvcDomainType = \"Windows\",\n        DvcIpAddr = agentDetectionInfo_agentIpV4_s\n    // Mapping Process Entity\n    | extend\n        ProcessCommandLine = threatInfo_maliciousProcessArguments_s,\n        ProcessName = threatInfo_originatorProcess_s\n    // Mapping File Fields\n    | extend \n        FileMD5 = threatInfo_md5_g,\n        FileSHA1 = threatInfo_sha1_s,\n        FileSHA256 = threatInfo_sha256_s,\n        FilePath=threatInfo_filePath_s,\n        FileSize = threatInfo_fileSize_d\n    // Mapping User Fields\n    | extend \n        Username = coalesce(agentDetectionInfo_agentLastLoggedInUpn_s, threatInfo_processUser_s)\n    | extend UsernameType = _ASIM_GetUsernameType(Username)\n    // Event Fields\n    | extend\n        EventType = 'Alert',\n        EventOriginalType = event_name_s,\n        EventUid = threatInfo_threatId_s,\n        EventCount = int(1),\n        EventEndTime = TimeGenerated,\n        EventStartTime = TimeGenerated,\n        EventProduct = 'Singularity',\n        EventVendor = 'SentinelOne',\n        EventSchemaVersion = '0.1',\n        EventSchema = \"AlertEvent\"\n    | extend EventSubType = \"Threat\"\n    // Aliases\n    | extend\n        IpAddr = DvcIpAddr,\n        User = Username,\n        Hostname = DvcHostname\n    | project-away *_s, *_g, SourceSystem, ManagementGroupName, Computer, RawData, *_t, *_b, *_d\n};\nparser (\n    disabled = disabled\n)",
         "version": 1,
         "functionParameters": "disabled:bool=False"
       }