From bf7816ddb0a092052118f2310dd0e961add0105b Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Thu, 23 Oct 2025 10:13:14 +0200
Subject: [PATCH 01/23] [CI] Run all system benchmarks in test packages

---
 scripts/test-check-packages.sh | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/scripts/test-check-packages.sh b/scripts/test-check-packages.sh
index 3c325c7b0c..0e6f44c6d6 100755
--- a/scripts/test-check-packages.sh
+++ b/scripts/test-check-packages.sh
@@ -71,8 +71,17 @@ export SERVERLESS=${SERVERLESS:-"false"}
 run_system_benchmark() {
 local package_name="$1"
 local package_path="$2"
- echo "--- Run system benchmarks for package ${package_name}"
- elastic-package benchmark system -C "$package_path" --benchmark logs-benchmark -v --defer-cleanup 1s
+
+ local benchmark_file_path=""
+ local benchmark_filename=""
+ local benchmark_name=""
+
+ for benchmark_file_path in $(find "${package_path}/_dev/benchmark/system/" -maxdepth 1 -mindepth 1 -type f -name "*.yml" ) ; do
+ benchmark_filename="$(basename "${benchmark_file_path}")"
+ benchmark_name="${benchmark_filename%.*}"
+ echo "--- Run system benchmarks for package ${package_name} - ${benchmark_name}"
+ elastic-package benchmark system -C "$package_path" --benchmark "${benchmark_name}" -v --defer-cleanup 1s
+ done
 }
 run_serverless_tests() {

From 3dcbab5c5042debba6d289cb3ad63747a076082c Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Thu, 23 Oct 2025 10:26:16 +0200
Subject: [PATCH 02/23] Disable orka steps - to be reverted

---
 .buildkite/pipeline.trigger.integration.tests.sh | 16 ++++++++--------
 .buildkite/pipeline.yml | 16 ++++++++--------
 2 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/.buildkite/pipeline.trigger.integration.tests.sh b/.buildkite/pipeline.trigger.integration.tests.sh
index 5dffc5d0e3..fd98fcbc56 100755
--- a/.buildkite/pipeline.trigger.integration.tests.sh
+++ b/.buildkite/pipeline.trigger.integration.tests.sh
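Review bot: The new loop `for benchmark_file_path in $(find ...)` word-splits the `find` output, so a benchmark file whose path contains whitespace is broken into several bogus names, and a missing `_dev/benchmark/system/` directory only shows up as a `find` message on stderr that the `$(...)` expansion does not propagate as a failure. A glob keeps the shell from splitting and needs no subprocess: `for benchmark_file_path in "${package_path}"/_dev/benchmark/system/*.yml; do` followed by `[[ -e "${benchmark_file_path}" ]] || continue` for the no-match case. Note that the removed lines always ran `logs-benchmark`, whereas after this change a package with no `*.yml` in that directory silently runs nothing; an explicit message in that case would stop a misnamed file (for example a `.yaml` suffix, which `-name "*.yml"` skips) from looking like a passing run.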
@@ -163,14 +163,14 @@ popd > /dev/null # TODO: Missing docker & docker-compose in MACOS ARM agent image, skip installation of packages in the meantime. # If docker and docker-compose are available for this platform/architecture, it could be added a step to test the stack commands (or even replace this one). -echo " - label: \":macos: :go: Integration test: build-zip\"" -echo " command: ./.buildkite/scripts/integration_tests.sh -t test-build-zip" -echo " agents:" -echo " provider: \"orka\"" -echo " imagePrefix: \"${MACOS_ARM_AGENT_IMAGE}\"" -echo " artifact_paths:" -echo " - build/elastic-stack-dump/build-zip/logs/*.log" -echo " - build/packages/*.sig" +# echo " - label: \":macos: :go: Integration test: build-zip\"" +# echo " command: ./.buildkite/scripts/integration_tests.sh -t test-build-zip" +# echo " agents:" +# echo " provider: \"orka\"" +# echo " imagePrefix: \"${MACOS_ARM_AGENT_IMAGE}\"" +# echo " artifact_paths:" +# echo " - build/elastic-stack-dump/build-zip/logs/*.log" +# echo " - build/packages/*.sig" echo " - label: \":go: Integration test: build-install-zip\"" echo " command: ./.buildkite/scripts/integration_tests.sh -t test-build-install-zip" diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml index 6bb1b2b376..1c3361dd5f 100644 --- a/.buildkite/pipeline.yml +++ b/.buildkite/pipeline.yml @@ -54,14 +54,14 @@ steps: artifact_paths: - "TEST-unit-windows.xml" - - label: ":macos: Run unit tests" - key: unit-tests-mac-arm - command: ".buildkite/scripts/unit_tests_macos_arm.sh" - agents: - provider: "orka" - imagePrefix: "${MACOS_ARM_AGENT_IMAGE}" - artifact_paths: - - "build/test-results/*.xml" + # - label: ":macos: Run unit tests" + # key: unit-tests-mac-arm + # command: ".buildkite/scripts/unit_tests_macos_arm.sh" + # agents: + # provider: "orka" + # imagePrefix: "${MACOS_ARM_AGENT_IMAGE}" + # artifact_paths: + # - "build/test-results/*.xml" - wait: ~ continue_on_failure: true 
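Review bot: The eight commented-out `echo` lines for the `:macos: :go: Integration test: build-zip` step carry no marker saying why they are disabled or when they are meant to return; the commit message says "to be reverted", but nothing in the file does. A one-line comment above the block, such as `# TODO: temporarily disabled (orka agents) - re-enable together with the macOS unit-test step in .buildkite/pipeline.yml`, keeps the revert discoverable once the series is merged. The same applies to the commented `unit-tests-mac-arm` block in the `.buildkite/pipeline.yml` hunk of this commit.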
From 67e81917cd160c69bc7cb7a04aadd72f2faab87c Mon Sep 17 00:00:00 2001 
From: Mario Rodriguez Molins
Date: Thu, 23 Oct 2025 12:04:43 +0200
Subject: [PATCH 03/23] Add test package with system benchmark with two inputs in manifest

---
 scripts/test-check-packages.sh | 2 +-
 .../_dev/benchmark/system/alert-benchmark.yml | 25 +
 .../system/alert-benchmark/config.yml | 237 +++
 .../system/alert-benchmark/fields.yml | 160 ++
 .../system/alert-benchmark/template.ndjson | 260 +++
 .../system/deploy/docker/docker-compose.yml | 15 +
 .../system/deploy/docker/files/config.yml | 1889 +++++++++++++++++
 .../_dev/build/build.yml | 3 +
 .../_dev/build/docs/README.md | 70 +
 .../_dev/deploy/docker/docker-compose.yml | 15 +
 .../_dev/deploy/docker/files/config.yml | 1889 +++++++++++++++++
 .../changelog.yml | 320 +++
 .../_dev/benchmark/pipeline/alert-sample.log | 3 +
 .../alert/_dev/benchmark/pipeline/config.yml | 1 +
 .../_dev/test/pipeline/test-common-config.yml | 3 +
 .../test/pipeline/test-pipeline-alert.log | 3 +
 .../test-pipeline-alert.log-expected.json | 573 +++++
 .../alert/_dev/test/policy/test-all.expected | 164 ++
 .../alert/_dev/test/policy/test-all.yml | 103 +
 .../_dev/test/policy/test-default.expected | 69 +
 .../alert/_dev/test/policy/test-default.yml | 12 +
 .../_dev/test/system/test-default-config.yml | 11 +
 .../alert/agent/stream/httpjson.yml.hbs | 61 +
 .../elasticsearch/ingest_pipeline/default.yml | 839 ++++++++
 .../data_stream/alert/fields/agent.yml | 39 +
 .../data_stream/alert/fields/base-fields.yml | 20 +
 .../data_stream/alert/fields/fields.yml | 267 +++
 .../data_stream/alert/manifest.yml | 49 +
 .../data_stream/alert/sample_event.json | 276 +++
 .../docs/README.md | 428 ++++
 .../manifest.yml | 153 ++
 .../validation.yml | 4 +
 32 files changed, 7962 insertions(+), 1 deletion(-)
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/alert-benchmark.yml
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/alert-benchmark/config.yml
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/alert-benchmark/fields.yml
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/alert-benchmark/template.ndjson
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/deploy/docker/docker-compose.yml
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/deploy/docker/files/config.yml
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/_dev/build/build.yml
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/_dev/build/docs/README.md
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/_dev/deploy/docker/docker-compose.yml
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/_dev/deploy/docker/files/config.yml
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/changelog.yml
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/benchmark/pipeline/alert-sample.log
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/benchmark/pipeline/config.yml
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/pipeline/test-common-config.yml
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log-expected.json
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/policy/test-all.expected
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/policy/test-all.yml
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/policy/test-default.expected
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/policy/test-default.yml
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/system/test-default-config.yml
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/agent/stream/httpjson.yml.hbs
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/fields/agent.yml
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/fields/base-fields.yml
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/fields/fields.yml
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/manifest.yml
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/sample_event.json
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/docs/README.md
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/manifest.yml
 create mode 100644 test/packages/benchmarks/system_benchmark_sentinel_one/validation.yml

diff --git a/scripts/test-check-packages.sh b/scripts/test-check-packages.sh
index 0e6f44c6d6..2b8c50df32 100755
--- a/scripts/test-check-packages.sh
+++ b/scripts/test-check-packages.sh
@@ -176,7 +176,7 @@ for d in test/packages/${PACKAGE_TEST_TYPE}/${PACKAGE_UNDER_TEST}/; do
 pipeline_benchmark|use_pipeline_tests)
 run_pipeline_benchmark "${package_to_test}" "$d"
 ;;
- system_benchmark)
+ system_benchmark*)
 run_system_benchmark "${package_to_test}" "$d"
 ;;
 esac
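Review bot: `system_benchmark*)` matches every directory name that merely starts with `system_benchmark`, so a constructed name like `system_benchmarks_old` would also take this arm; the intended family is stated more precisely as `system_benchmark|system_benchmark_*)`. A comment next to the pattern, e.g. `# one test package per system-benchmark scenario, e.g. system_benchmark_sentinel_one`, would also explain why this arm is a glob while the `pipeline_benchmark|use_pipeline_tests` arm above it is literal. The enclosing `for d in …; do` / `case` starts outside the hunk.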
diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/alert-benchmark.yml b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/alert-benchmark.yml new file mode 100644 index 0000000000..31af5ee7a1 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/alert-benchmark.yml @@ -0,0 +1,25 @@ +--- +description: Benchmark 100000 alert events ingested +input: httpjson +# policy_template: sentinel_one +vars: + url: "http://svc-sentinel_one:8080/" + api_token: xxxx + enable_request_tracer: true +data_stream: + name: alert + vars: + preserve_original_event: true +warmup_time_period: 2s +corpora: + input_service: + name: sentinel_one + generator: + total_events: 100000 + template: + path: ./alert-benchmark/template.ndjson + type: gotext + config: + path: ./alert-benchmark/config.yml + fields: + path: ./alert-benchmark/fields.yml diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/alert-benchmark/config.yml b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/alert-benchmark/config.yml new file mode 100644 index 0000000000..a5c42b74e5 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/alert-benchmark/config.yml 
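Review bot: `# policy_template: sentinel_one` is left as a commented-out key with no explanation, while the commit title says this package's manifest declares two inputs — exactly the situation where the choice of policy template matters — so a reader cannot tell whether the omission is the point of the test or an oversight. Replace the bare commented key with a comment stating the intent, e.g. `# policy_template intentionally omitted: this package checks benchmark setup when the manifest defines two inputs`. It would also help to say that `api_token: xxxx` must match the `ApiToken xxxx` Authorization header the stream mock in `deploy/docker/files/config.yml` expects, since the two values are only coupled by convention.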
@@ -0,0 +1,237 @@ +fields: + - name: port + range: + min: 0 + max: 65535 + cardinality: 100000 + - name: ipAddress + cardinality: 100000 + + # agent data + - name: agentInfo.accountId + range: + min: 100000000000000000 + max: 999999999999999999 + cardinality: 10 + - name: agentInfo.machineType + enum: + - server + - desktop + - unknown + - name: agentInfo.name + cardinality: 10000 + - name: agentInfo.osFamily + enum: + - linux + - windows + - macos + - unix + - android + - ios + - name: agentInfo.osName + enum: + - Ubuntu 20.04 LTS + - CentOS 8 + - Red Hat Enterprise Linux 8 + - Windows 10 + - Windows 11 + - macOS Monterey + - Fedora 33 + - Android 11 + - iOS 14 + - name: agentInfo.osRevision + range: + min: 1 + max: 1000 + cardinality: 100 + - name: agentInfo.siteId + range: + min: 100000000000000000 + max: 999999999999999999 + cardinality: 10 + - name: agentInfo.uuid + cardinality: 100000 + - name: agentInfo.version + enum: + - 2.0.0.0 + - 2.0.0.1 + - 2.0.1.0 + - 2.0.1.1 + - 2.1.0.0 + - 2.1.0.1 + - 2.1.1.0 + - 2.1.1.1 + - name: agentInfo.id + range: + min: 100000000000000000 + max: 999999999999999999 + cardinality: 10000 + + # alert data + - name: alertInfo.alertId + range: + min: 100000000000000000 + max: 999999999999999999 + cardinality: 50000 + - name: alertInfo.analystVerdict + enum: + - False positive + - Suspicious + - True positive + - Undefined + - name: alertInfo.createdAt + period: -24h + - name: alertInfo.dvEventId + cardinality: 100000 + - name: alertInfo.eventType + cardinality: 10000 + - name: alertInfo.hitType + enum: + - Correlation + - Events + - Scheduled + - UEBAFirstSeen + - name: alertInfo.incidentStatus + enum: + - In progress + - Resolved + - Unresolved + - name: alertInfo.indicatorCategory + cardinality: 100 + - name: alertInfo.indicatorDescription + cardinality: 10000 + - name: alertInfo.indicatorName + cardinality: 10000 + - name: alertInfo.loginAccountSid + cardinality: 100 + - name: alertInfo.loginsUserName + cardinality: 10000 + - 
name: alertInfo.reportedAt + period: -24h + - name: alertInfo.source + value: STAR + - name: alertInfo.tiIndicatorComparisonMethod + cardinality: 100 + - name: alertInfo.updatedAt + period: -24h + +# process data + - name: process.integrityLevel + enum: + - high + - low + - medium + - system + - unknown + - untrusted + - name: process.subsystem + enum: + - sys_win32 + - unknown + - wsl + - name: process.effectiveUser + cardinality: 10000 + - name: process.fileHashMd5 + cardinality: 100000 + - name: process.fileHashSha1 + cardinality: 100000 + - name: process.fileHashSha256 + cardinality: 100000 + - name: process.filePath + cardinality: 100000 + - name: process.fileSignerIdentity + cardinality: 1000 + - name: process.loginUser + cardinality: 10000 + - name: process.name + cardinality: 1000 + - name: process.pid + cardinality: 1000 + - name: process.pidStarttime + period: -24h + - name: process.realUser + cardinality: 10000 + - name: process.storyline + cardinality: 10000 + - name: process.uniqueId + cardinality: 10000 + - name: process.user + cardinality: 10000 + + - name: process.tgtFileCreatedAt + period: -24h + - name: process.tgtFileHashSha1 + cardinality: 100000 + - name: process.tgtFileHashSha256 + cardinality: 100000 + - name: process.tgtFileId + cardinality: 100000 + - name: process.tgtFileIsSigned + enum: + - signed + - unsigned + - name: process.tgtFileModifiedAt + period: -24h + - name: process.tgtFileOldPath + cardinality: 100 + - name: process.tgtFilePath + cardinality: 10000 + - name: process.tgtProcCmdLine + cardinality: 10000 + - name: process.tgtProcImagePath + cardinality: 10000 + - name: process.tgtProcName + cardinality: 10000 + - name: process.tgtProcPid + cardinality: 10000 + - name: process.tgtProcSignedStatus + enum: + - signed + - unsigned + - name: process.tgtProcStorylineId + cardinality: 100000 + - name: process.tgtProcUid + cardinality: 100000 + - name: process.tgtProcessStartTime + period: -24h + +# rule data + - name: 
ruleInfo.queryLang + enum: + - "1.0" + - "2.0" + - name: ruleInfo.queryType + enum: + - correlation + - events + - scheduled + - uebafirstseen + - name: scopeLevel + enum: + - account + - global + - group + - site + - name: ruleInfo.severity + enum: + - Critical + - High + - Info + - Low + - Medium + - name: ruleInfo.treatAsThreat + enum: + - Malicious + - Suspicious + - UNDEFINED + - name: ruleInfo.description + cardinality: 10000 + - name: ruleInfo.id + range: + min: 100000000000000000 + max: 999999999999999999 + cardinality: 10000 + - name: ruleInfo.name + cardinality: 10000 + - name: ruleInfo.s1ql + cardinality: 10000 diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/alert-benchmark/fields.yml b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/alert-benchmark/fields.yml new file mode 100644 index 0000000000..2155091b8b --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/alert-benchmark/fields.yml 
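Review bot: Several generator entries in this file never reach the output or do not line up with a template variable: `alertInfo.loginAccountSid`, `alertInfo.loginsUserName` and `alertInfo.tiIndicatorComparisonMethod` are given cardinalities, but `template.ndjson` emits those keys as `null` and `fields.yml` does not declare them; conversely the template calls `generate "ruleInfo.scopeLevel"` while the enum here is registered under the bare name `scopeLevel`, so — if the generator matches config entries by full dotted name — that enum is never applied. Either drop the three inert entries and rename `scopeLevel` to `ruleInfo.scopeLevel`, or add a comment saying which entries are deliberately unused. Fields the template does generate (`domain`, `timestamp`, `agentInfo.infected`, `agentInfo.isActive`, `agentInfo.isDecommissioned`, `alertInfo.isEdr`) have no entry here at all; that is fine if type defaults are intended, but a one-line note at the top of the file would make it explicit.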
@@ -0,0 +1,160 @@ +- name: domain + type: keyword +- name: ipAddress + type: ip +- name: port + type: long +- name: timestamp + type: date +- name: agentInfo + type: group + fields: + - name: accountId + type: long + - name: id + type: long + - name: infected + type: boolean + - name: isActive + type: boolean + - name: isDecommissioned + type: boolean + - name: machineType + type: keyword + - name: name + type: keyword + - name: osFamily + type: keyword + - name: osName + type: keyword + - name: osRevision + type: long + - name: siteId + type: long + - name: uuid + type: keyword + - name: version + type: keyword +- name: alertInfo + type: group + fields: + - name: alertId + type: long + - name: analystVerdict + type: keyword + - name: createdAt + type: date + - name: dvEventId + type: keyword + - name: eventType + type: keyword + - name: hitType + type: keyword + - name: incidentStatus + type: keyword + - name: indicatorCategory + type: keyword + - name: indicatorDescription + type: text + - name: indicatorName + type: keyword + - name: isEdr + type: boolean + - name: reportedAt + type: date + - name: source + type: keyword + - name: updatedAt + type: date +- name: ruleInfo + type: group + fields: + - name: id + type: long + - name: name + type: keyword + - name: s1ql + type: keyword + - name: description + type: text + - name: queryLang + type: keyword + - name: queryType + type: keyword + - name: scopeLevel + type: keyword + - name: severity + type: keyword + - name: treatAsThreat + type: keyword +- name: process + type: group + fields: + - name: integrityLevel + type: keyword + - name: subsystem + type: keyword + - name: commandline + type: keyword + - name: effectiveUser + type: keyword + - name: fileHashMd5 + type: keyword + - name: fileHashSha1 + type: keyword + - name: fileHashSha256 + type: keyword + - name: filePath + type: keyword + - name: fileSignerIdentity + type: keyword + - name: loginUser + type: keyword + - name: name + type: keyword + - name: pid 
+ type: keyword + - name: pidStarttime + type: date + - name: realUser + type: keyword + - name: storyline + type: keyword + - name: uniqueId + type: keyword + - name: user + type: keyword + - name: tgtFileCreatedAt + type: date + - name: tgtFileHashSha1 + type: keyword + - name: tgtFileHashSha256 + type: keyword + - name: tgtFileId + type: keyword + - name: tgtFileIsSigned + type: keyword + - name: tgtFileModifiedAt + type: date + - name: tgtFileOldPath + type: keyword + - name: tgtFilePath + type: keyword + - name: tgtProcCmdLine + type: keyword + - name: tgtProcessStartTime + type: date + - name: tgtProcImagePath + type: keyword + - name: tgtProcIntegrityLevel + type: keyword + - name: tgtProcName + type: keyword + - name: tgtProcPid + type: keyword + - name: tgtProcSignedStatus + type: keyword + - name: tgtProcStorylineId + type: keyword + - name: tgtProcUid + type: keyword diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/alert-benchmark/template.ndjson b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/alert-benchmark/template.ndjson new file mode 100644 index 0000000000..3daf057591 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/alert-benchmark/template.ndjson 
@@ -0,0 +1,260 @@ +{{- $timestamp := generate "timestamp" }} +{{- /* Agent Data */ -}} +{{- $accountId := generate "agentInfo.accountId" }} +{{- $agentId := generate "agentInfo.id" }} +{{- $infected := generate "agentInfo.infected" }} +{{- $isActive := generate "agentInfo.isActive" }} +{{- $isDecommissioned := generate "agentInfo.isDecommissioned" }} +{{- $machineType := generate "agentInfo.machineType" }} +{{- $agentName := generate "agentInfo.name" }} +{{- $osFamily := generate "agentInfo.osFamily" }} +{{- $osName := generate "agentInfo.osName" }} +{{- $osRevision := generate "agentInfo.osRevision" }} +{{- $siteId := generate "agentInfo.siteId" }} +{{- $uuid := generate "agentInfo.uuid" }} +{{- $version := generate "agentInfo.version" }} +{{- /* Alert Data */ -}} +{{- $alertId := generate "alertInfo.alertId" }} +{{- $analystVerdict := generate "alertInfo.analystVerdict" }} +{{- $createdAt := generate "alertInfo.createdAt" | date "2006-01-02T15:04:05.000000Z" }} +{{- $dvEventId := generate "alertInfo.dvEventId" }} +{{- $eventType := generate "alertInfo.eventType" }} +{{- $hitType := generate "alertInfo.hitType" }} +{{- $incidentStatus := generate "alertInfo.incidentStatus" }} +{{- $indicatorCategory := generate "alertInfo.indicatorCategory" }} +{{- $indicatorDescription := generate "alertInfo.indicatorDescription" }} +{{- $indicatorName := generate "alertInfo.indicatorName" }} +{{- $isEdr := generate "alertInfo.isEdr" }} +{{- $reportedAt := generate "alertInfo.reportedAt" | date "2006-01-02T15:04:05.000000Z" }} +{{- $source := generate "alertInfo.source" }} +{{- $updatedAt := generate "alertInfo.updatedAt" | date "2006-01-02T15:04:05.000000Z" }} +{{- $ipAddress := generate "ipAddress" }} +{{- $port := generate "port" }} +{{- $domain := generate "domain" }} +{{- /* Process Data */ -}} +{{- $effectiveUser := generate "process.effectiveUser" }} +{{- $fileHashMd5 := generate "process.fileHashMd5" }} +{{- $fileHashSha1 := generate "process.fileHashSha1" }} +{{- 
$fileHashSha256 := generate "process.fileHashSha256" }} +{{- $filePath := generate "process.filePath" }} +{{- $fileSignerIdentity := generate "process.fileSignerIdentity" }} +{{- $integrityLevel := generate "process.integrityLevel" }} +{{- $loginUser := generate "process.loginUser" }} +{{- $pid := generate "process.pid" }} +{{- $processName := generate "process.name" }} +{{- $pidStarttime := generate "process.pidStarttime" | date "2006-01-02T15:04:05.000000Z" }} +{{- $realUser := generate "process.realUser" }} +{{- $storyline := generate "process.storyline" }} +{{- $subsystem := generate "process.subsystem" }} +{{- $tgtFileCreatedAt := generate "process.tgtFileCreatedAt" | date "2006-01-02T15:04:05.000000Z" }} +{{- $tgtFileHashSha1 := generate "process.tgtFileHashSha1" }} +{{- $tgtFileHashSha256 := generate "process.tgtFileHashSha256" }} +{{- $tgtFileId := generate "process.tgtFileId" }} +{{- $tgtFileIsSigned := generate "process.tgtFileIsSigned" }} +{{- $tgtFileModifiedAt := generate "process.tgtFileModifiedAt" | date "2006-01-02T15:04:05.000000Z" }} +{{- $tgtFileOldPath := generate "process.tgtFileOldPath" }} +{{- $tgtFilePath := generate "process.tgtFilePath" }} +{{- $tgtProcCmdLine := generate "process.tgtProcCmdLine" }} +{{- $tgtProcImagePath := generate "process.tgtProcImagePath" }} +{{- $tgtProcIntegrityLevel := generate "process.tgtProcIntegrityLevel" }} +{{- $tgtProcName := generate "process.tgtProcName" }} +{{- $tgtProcPid := generate "process.tgtProcPid" }} +{{- $tgtProcSignedStatus := generate "process.tgtProcSignedStatus" }} +{{- $tgtProcStorylineId := generate "process.tgtProcStorylineId" }} +{{- $tgtProcUid := generate "process.tgtProcUid" }} +{{- $tgtProcessStartTime := generate "process.tgtProcessStartTime" | date "2006-01-02T15:04:05.000000Z" }} +{{- $uniqueId := generate "process.uniqueId" }} +{{- $user := generate "process.user" }} +{{- /* Rule Data */ -}} +{{- $description := generate "ruleInfo.description" }} +{{- $ruleId := generate 
"ruleInfo.id" }} +{{- $ruleName := generate "ruleInfo.name" }} +{{- $queryLang := generate "ruleInfo.queryLang" }} +{{- $queryType := generate "ruleInfo.queryType" }} +{{- $s1ql := generate "ruleInfo.s1ql" }} +{{- $scopeLevel := generate "ruleInfo.scopeLevel" }} +{{- $severity := generate "ruleInfo.severity" }} +{{- $treatAsThreat := generate "ruleInfo.treatAsThreat" }} +{{- /* +{ + "agentDetectionInfo": { + "accountId": "{{ $accountId }}", + "machineType": "{{ $machineType }}", + "name": "{{ $agentName }}", + "osFamily": "{{ $osFamily }}", + "osName": "{{ $osName }}", + "osRevision": "{{ $osRevision }}", + "siteId": "{{ $siteId }}", + "uuid": "{{ $uuid }}", + "version": "{{ $version }}" + }, + "agentRealtimeInfo": { + "id": "{{ $agentId }}", + "infected": {{ $infected }}, + "isActive": {{ $isActive }}, + "isDecommissioned": {{ $isDecommissioned }}, + "machineType": "{{ $machineType }}", + "name": "{{ $agentName }}", + "os": "{{ $osFamily }}", + "uuid": "{{ $uuid }}" + }, + "alertInfo": { + "alertId": "{{ $alertId }}", + "analystVerdict": "{{ $analystVerdict }}", + "createdAt": "{{ $createdAt }}", + "dnsRequest": "type: 1 {{ $domain }}", + "dnsResponse": "{{ $ipAddress }};", + "dstIp": "{{ $ipAddress }}", + "dstPort": "{{ $port }}", + "dvEventId": "{{ $dvEventId }}", + "eventType": "{{ $eventType }}", + "hitType": "{{ $hitType }}", + "incidentStatus": "{{ $incidentStatus }}", + "indicatorCategory": "{{ $indicatorCategory }}", + "indicatorDescription": "{{ $indicatorDescription }}", + "indicatorName": "{{ $indicatorName }}", + "isEdr": {{ $isEdr }}, + "loginAccountDomain": null, + "loginAccountSid": null, + "loginIsAdministratorEquivalent": null, + "loginIsSuccessful": null, + "loginType": null, + "loginsUserName": null, + "modulePath": null, + "moduleSha1": null, + "netEventDirection": null, + "registryKeyPath": null, + "registryOldValue": null, + "registryOldValueType": null, + "registryPath": null, + "registryValue": null, + "reportedAt": "{{ $reportedAt }}", + 
"source": "{{ $source }}", + "srcIp": "{{ $ipAddress }}", + "srcMachineIp": "{{ $ipAddress}}", + "srcPort": "{{ $port }}", + "tiIndicatorComparisonMethod": null, + "tiIndicatorSource": null, + "tiIndicatorType": null, + "tiIndicatorValue": null, + "updatedAt": "{{ $updatedAt }}" + }, + "containerInfo": { + "id": null, + "image": null, + "labels": null, + "name": null + }, + "kubernetesInfo": { + "cluster": null, + "controllerKind": null, + "controllerLabels": null, + "controllerName": null, + "namespace": null, + "namespaceLabels": null, + "node": null, + "pod": null, + "podLabels": null + }, + "ruleInfo": { + "description": "{{ $description }}", + "id": "{{ $ruleId }}", + "name": "{{ $ruleName }}", + "queryLang": "{{ $queryLang }}", + "queryType": "{{ $queryType }}", + "s1ql": "{{ $s1ql }}", + "scopeLevel": "{{ $scopeLevel }}", + "severity": "{{ $severity }}", + "treatAsThreat": "{{ $treatAsThreat }}" + }, + "sourceParentProcessInfo": { + "commandline": "{{ $filePath }}", + "effectiveUser": "{{ $effectiveUser }}", + "fileHashMd5": "{{ $fileHashMd5 }}", + "fileHashSha1": "{{ $fileHashSha1 }}", + "fileHashSha256": "{{ $fileHashSha256 }}", + "filePath": "{{ $filePath }}", + "fileSignerIdentity": "{{ $fileSignerIdentity }}", + "integrityLevel": "{{ $integrityLevel }}", + "loginUser": "{{ $loginUser }}", + "name": "{{ $processName }}", + "pid": "{{ $pid }}", + "pidStarttime": "{{ $pidStarttime }}", + "realUser": "{{ $realUser }}", + "storyline": "{{ $storyline }}", + "subsystem": "{{ $subsystem }}", + "uniqueId": "{{ $uniqueId }}", + "user": "{{ $user }}" + }, + "sourceProcessInfo": { + "commandline": "{{ $filePath }}", + "effectiveUser": "{{ $effectiveUser }}", + "fileHashMd5": "{{ $fileHashMd5 }}", + "fileHashSha1": "{{ $fileHashSha1 }}", + "fileHashSha256": "{{ $fileHashSha256 }}", + "filePath": "{{ $filePath }}", + "fileSignerIdentity": "{{ $fileSignerIdentity }}", + "integrityLevel": "{{ $integrityLevel }}", + "loginUser": "{{ $loginUser }}", + "name": "{{ 
$processName }}", + "pid": "{{ $pid }}", + "pidStarttime": "{{ $pidStarttime }}", + "realUser": "{{ $realUser }}", + "storyline": "{{ $storyline }}", + "subsystem": "{{ $subsystem }}", + "uniqueId": "{{ $uniqueId }}", + "user": "{{ $user }}" + }, + "targetProcessInfo": { + "tgtFileCreatedAt": "{{ $tgtFileCreatedAt }}", + "tgtFileHashSha1": "{{ $tgtFileHashSha1 }}", + "tgtFileHashSha256": "{{ $tgtFileHashSha256 }}", + "tgtFileId": "{{ $tgtFileId }}", + "tgtFileIsSigned": "{{ $tgtFileIsSigned }}", + "tgtFileModifiedAt": "{{ $tgtFileModifiedAt }}", + "tgtFileOldPath": "{{ $tgtFileOldPath }}", + "tgtFilePath": "{{ $tgtFilePath }}", + "tgtProcCmdLine": "{{ $tgtProcCmdLine }}", + "tgtProcImagePath": "{{ $tgtProcImagePath }}", + "tgtProcIntegrityLevel": "{{ $tgtProcIntegrityLevel }}", + "tgtProcName": "{{ $tgtProcName }}", + "tgtProcPid": "{{ $tgtProcPid }}", + "tgtProcSignedStatus": "{{ $tgtProcSignedStatus }}", + "tgtProcStorylineId": "{{ $tgtProcStorylineId }}", + "tgtProcUid": "{{ $tgtProcUid }}", + "tgtProcessStartTime": "{{ $tgtProcessStartTime }}" + } +} +*/ -}} +{ + "@timestamp": "{{ $timestamp.Format "2006-01-02T15:04:05.999999Z07:00" }}", + "agent": { + "ephemeral_id": "cdaaaabb-be7e-432f-816b-bda019fd7c15", + "id": "da6cb4c8-c84c-4c5f-97c7-f8586a098af4", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.18.0" + }, + "data_stream": { + "dataset": "sentinel_one.alert", + "namespace": "93724", + "type": "logs" + }, + "elastic_agent": { + "id": "da6cb4c8-c84c-4c5f-97c7-f8586a098af4", + "snapshot": false, + "version": "8.18.0" + }, + "message": "{\"agentDetectionInfo\":{\"accountId\":\"{{ $accountId }}\",\"machineType\":\"{{ $machineType }}\",\"name\":\"{{ $agentName }}\",\"osFamily\":\"{{ $osFamily }}\",\"osName\":\"{{ $osName }}\",\"osRevision\":\"{{ $osRevision }}\",\"siteId\":\"{{ $siteId }}\",\"uuid\":\"{{ $uuid }}\",\"version\":\"{{ $version }}\"},\"agentRealtimeInfo\":{\"id\":\"{{ $agentId }}\",\"infected\":{{ $infected }},\"isActive\":{{ 
$isActive }},\"isDecommissioned\":{{ $isDecommissioned }},\"machineType\":\"{{ $machineType }}\",\"name\":\"{{ $agentName }}\",\"os\":\"{{ $osFamily }}\",\"uuid\":\"{{ $uuid }}\"},\"alertInfo\":{\"alertId\":\"{{ $alertId }}\",\"analystVerdict\":\"{{ $analystVerdict }}\",\"createdAt\":\"{{ $createdAt }}\",\"dnsRequest\":\"type: 1 {{ $domain }}\",\"dnsResponse\":\"{{ $ipAddress }};\",\"dstIp\":\"{{ $ipAddress }}\",\"dstPort\":\"{{ $port }}\",\"dvEventId\":\"{{ $dvEventId }}\",\"eventType\":\"{{ $eventType }}\",\"hitType\":\"{{ $hitType }}\",\"incidentStatus\":\"{{ $incidentStatus }}\",\"indicatorCategory\":\"{{ $indicatorCategory }}\",\"indicatorDescription\":\"{{ $indicatorDescription }}\",\"indicatorName\":\"{{ $indicatorName }}\",\"isEdr\":{{ $isEdr }},\"loginAccountDomain\":null,\"loginAccountSid\":null,\"loginIsAdministratorEquivalent\":null,\"loginIsSuccessful\":null,\"loginType\":null,\"loginsUserName\":null,\"modulePath\":null,\"moduleSha1\":null,\"netEventDirection\":null,\"registryKeyPath\":null,\"registryOldValue\":null,\"registryOldValueType\":null,\"registryPath\":null,\"registryValue\":null,\"reportedAt\":\"{{ $reportedAt }}\",\"source\":\"{{ $source }}\",\"srcIp\":\"{{ $ipAddress }}\",\"srcMachineIp\":\"{{ $ipAddress}}\",\"srcPort\":\"{{ $port }}\",\"tiIndicatorComparisonMethod\":null,\"tiIndicatorSource\":null,\"tiIndicatorType\":null,\"tiIndicatorValue\":null,\"updatedAt\":\"{{ $updatedAt }}\"},\"containerInfo\":{\"id\":null,\"image\":null,\"labels\":null,\"name\":null},\"kubernetesInfo\":{\"cluster\":null,\"controllerKind\":null,\"controllerLabels\":null,\"controllerName\":null,\"namespace\":null,\"namespaceLabels\":null,\"node\":null,\"pod\":null,\"podLabels\":null},\"ruleInfo\":{\"description\":\"{{ $description }}\",\"id\":\"{{ $ruleId }}\",\"name\":\"{{ $ruleName }}\",\"queryLang\":\"{{ $queryLang }}\",\"queryType\":\"{{ $queryType }}\",\"s1ql\":\"{{ $s1ql }}\",\"scopeLevel\":\"{{ $scopeLevel }}\",\"severity\":\"{{ $severity 
}}\",\"treatAsThreat\":\"{{ $treatAsThreat }}\"},\"sourceParentProcessInfo\":{\"commandline\":\"{{ $filePath }}\",\"effectiveUser\":\"{{ $effectiveUser }}\",\"fileHashMd5\":\"{{ $fileHashMd5 }}\",\"fileHashSha1\":\"{{ $fileHashSha1 }}\",\"fileHashSha256\":\"{{ $fileHashSha256 }}\",\"filePath\":\"{{ $filePath }}\",\"fileSignerIdentity\":\"{{ $fileSignerIdentity }}\",\"integrityLevel\":\"{{ $integrityLevel }}\",\"loginUser\":\"{{ $loginUser }}\",\"name\":\"{{ $processName }}\",\"pid\":\"{{ $pid }}\",\"pidStarttime\":\"{{ $pidStarttime }}\",\"realUser\":\"{{ $realUser }}\",\"storyline\":\"{{ $storyline }}\",\"subsystem\":\"{{ $subsystem }}\",\"uniqueId\":\"{{ $uniqueId }}\",\"user\":\"{{ $user }}\"},\"sourceProcessInfo\":{\"commandline\":\"{{ $filePath }}\",\"effectiveUser\":\"{{ $effectiveUser }}\",\"fileHashMd5\":\"{{ $fileHashMd5 }}\",\"fileHashSha1\":\"{{ $fileHashSha1 }}\",\"fileHashSha256\":\"{{ $fileHashSha256 }}\",\"filePath\":\"{{ $filePath }}\",\"fileSignerIdentity\":\"{{ $fileSignerIdentity }}\",\"integrityLevel\":\"{{ $integrityLevel }}\",\"loginUser\":\"{{ $loginUser }}\",\"name\":\"{{ $processName }}\",\"pid\":\"{{ $pid }}\",\"pidStarttime\":\"{{ $pidStarttime }}\",\"realUser\":\"{{ $realUser }}\",\"storyline\":\"{{ $storyline }}\",\"subsystem\":\"{{ $subsystem }}\",\"uniqueId\":\"{{ $uniqueId }}\",\"user\":\"{{ $user }}\"},\"targetProcessInfo\":{\"tgtFileCreatedAt\":\"{{ $tgtFileCreatedAt }}\",\"tgtFileHashSha1\":\"{{ $tgtFileHashSha1 }}\",\"tgtFileHashSha256\":\"{{ $tgtFileHashSha256 }}\",\"tgtFileId\":\"{{ $tgtFileId }}\",\"tgtFileIsSigned\":\"{{ $tgtFileIsSigned }}\",\"tgtFileModifiedAt\":\"{{ $tgtFileModifiedAt }}\",\"tgtFileOldPath\":\"{{ $tgtFileOldPath }}\",\"tgtFilePath\":\"{{ $tgtFilePath }}\",\"tgtProcCmdLine\":\"{{ $tgtProcCmdLine }}\",\"tgtProcImagePath\":\"{{ $tgtProcImagePath }}\",\"tgtProcIntegrityLevel\":\"{{ $tgtProcIntegrityLevel }}\",\"tgtProcName\":\"{{ $tgtProcName }}\",\"tgtProcPid\":\"{{ $tgtProcPid 
}}\",\"tgtProcSignedStatus\":\"{{ $tgtProcSignedStatus }}\",\"tgtProcStorylineId\":\"{{ $tgtProcStorylineId }}\",\"tgtProcUid\":\"{{ $tgtProcUid }}\",\"tgtProcessStartTime\":\"{{ $tgtProcessStartTime }}\"}}", + "event": { + "dataset": "sentinel_one.alert" + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "sentinel_one-alert" + ] +} diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/deploy/docker/docker-compose.yml b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/deploy/docker/docker-compose.yml new file mode 100644 index 0000000000..48e601d938 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/deploy/docker/docker-compose.yml @@ -0,0 +1,15 @@ +version: "2.3" +services: + sentinel_one: + image: docker.elastic.co/observability/stream:v0.18.0 + hostname: sentinel_one + ports: + - 8080 + volumes: + - ./files:/files:ro + environment: + PORT: "8080" + command: + - http-server + - --addr=:8080 + - --config=/files/config.yml diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/deploy/docker/files/config.yml b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/deploy/docker/files/config.yml new file mode 100644 index 0000000000..60a91a45e7 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/deploy/docker/files/config.yml 
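Review bot: The pretty-printed JSON between `{{- /*` and `*/ -}}` is a second, hand-maintained copy of the payload that is actually emitted in the minified `message` string, and the two already differ in spacing (`{{ $ipAddress}}` in `srcMachineIp` against `{{ $ipAddress }}` everywhere else); they will drift further as fields are added. Either drop the comment block or open it with `{{- /* reference copy of the "message" payload below - keep in sync, it is not rendered */ -}}` so the duplication is visibly deliberate. `agent`, `elastic_agent` and `data_stream.namespace` are fixed literals, so every generated event shares one agent id and the namespace `93724`; a short comment stating this is intentional for the benchmark would save the next reader a question.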
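Review bot: This compose file pins `docker.elastic.co/observability/stream:v0.18.0` and mounts `./files` read-only, which is good, but the diffstat lists an identical-sized 15-line `docker-compose.yml` and a 1889-line `files/config.yml` under both `_dev/deploy/docker/` and `_dev/benchmark/system/deploy/docker/`. If the two copies are byte-identical, a comment in each pointing at the other (`# keep in sync with ../../../../deploy/docker/docker-compose.yml`) — or a single shared copy, if elastic-package supports that layout — prevents silent divergence between the system-test and benchmark mocks. `version: "2.3"` is ignored by current Compose releases and could be dropped, though that is cosmetic.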
@@ -0,0 +1,1889 @@ +rules: + - path: /web/api/v2.1/activities + methods: ["GET"] + query_params: + sortOrder: asc + cursor: efgh + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [], + "pagination": { + "nextCursor": null, + "totalItems": 4 + } + } + `}} + - path: /web/api/v2.1/activities + methods: ["GET"] + query_params: + sortOrder: asc + cursor: abcd + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [ + { + "accountId": "2234567890123456789", + "accountName": "Default5", + "activityType": 1234, + "agentId": null, + "agentUpdatedVersion": null, + "comments": "True", + "createdAt": "2022-04-21T05:14:08.925421Z", + "data": { + "accountName": "Default", + "byUser": "API", + "fullScopeDetails": "Account Default", + "fullScopeDetailsPath": "test/default", + "groupName": null, + "newValue": true, + "role": "Level", + "scopeLevel": "Account", + "scopeName": "Default", + "siteName": null, + "userScope": "account", + "username": "API" + }, + "description": "API", + "groupId": null, + "groupName": null, + "hash": null, + "id": "1234567890123456789", + "osFamily": null, + "primaryDescription": "The management user API enabled Two factor authentication on the user API.", + "secondaryDescription": null, + "siteId": null, + "siteName": null, + "threatId": null, + "updatedAt": "2022-04-18T05:14:08.922553Z", + "userId": "1234567890123456789" + }, + { + "accountId": "444567890123456789", + "accountName": "Default6", + "activityType": 1234, + "agentId": null, + "agentUpdatedVersion": null, + "comments": null, + "createdAt": "2022-04-22T05:14:09.240427Z", + "data": { + "accountName": "Default", + "fullScopeDetails": "Account Default", + "fullScopeDetailsPath": "test/default", + "groupName": null, + "ipAddress": "81.2.69.144", + "reason": null, + "role": "Level", + "scopeLevel": "Account", + "scopeName": "Default", + 
"siteName": null, + "source": "src", + "userScope": "account", + "username": "API" + }, + "description": null, + "groupId": null, + "groupName": null, + "hash": null, + "id": "1234567890123456789", + "osFamily": null, + "primaryDescription": "The management user API logged in to the management console with IP Address 81.2.69.144", + "secondaryDescription": null, + "siteId": null, + "siteName": null, + "threatId": null, + "updatedAt": "2022-04-18T05:14:09.238430Z", + "userId": "1234567890123456789" + } + ], + "pagination": { + "nextCursor": "efgh", + "totalItems": 4 + } + } + `}} + - path: /web/api/v2.1/activities + methods: ["GET"] + query_params: + sortOrder: asc + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [ + { + "accountId": "3214567890123456789", + "accountName": "Default12", + "activityType": 1234, + "agentId": null, + "agentUpdatedVersion": null, + "comments": "True", + "createdAt": "2022-04-19T05:14:08.925421Z", + "data": { + "accountName": "Default", + "byUser": "API", + "fullScopeDetails": "Account Default", + "fullScopeDetailsPath": "test/default", + "groupName": null, + "newValue": true, + "role": "Level", + "scopeLevel": "Account", + "scopeName": "Default", + "siteName": null, + "userScope": "account", + "username": "API" + }, + "description": "API", + "groupId": null, + "groupName": null, + "hash": null, + "id": "1234567890123456789", + "osFamily": null, + "primaryDescription": "The management user API enabled Two factor authentication on the user API.", + "secondaryDescription": null, + "siteId": null, + "siteName": null, + "threatId": null, + "updatedAt": "2022-04-18T05:14:08.922553Z", + "userId": "1234567890123456789" + }, + { + "accountId": "1114567890123456789", + "accountName": "Default4", + "activityType": 1234, + "agentId": null, + "agentUpdatedVersion": null, + "comments": null, + "createdAt": "2022-04-20T05:14:09.240427Z", + "data": { + "accountName": 
"Default", + "fullScopeDetails": "Account Default", + "fullScopeDetailsPath": "test/default", + "groupName": null, + "ipAddress": "81.2.69.144", + "reason": null, + "role": "Level", + "scopeLevel": "Account", + "scopeName": "Default", + "siteName": null, + "source": "src", + "userScope": "account", + "username": "API" + }, + "description": null, + "groupId": null, + "groupName": null, + "hash": null, + "id": "1234567890123456789", + "osFamily": null, + "primaryDescription": "The management user API logged in to the management console with IP Address 81.2.69.144", + "secondaryDescription": null, + "siteId": null, + "siteName": null, + "threatId": null, + "updatedAt": "2022-04-18T05:14:09.238430Z", + "userId": "1234567890123456789" + } + ], + "pagination": { + "nextCursor": "abcd", + "totalItems": 4 + } + } + `}} + - path: /web/api/v2.1/agents + methods: ["GET"] + query_params: + sortOrder: asc + cursor: efgh + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [], + "pagination": { + "nextCursor": null, + "totalItems": 2 + } + } + `}} + - path: /web/api/v2.1/agents + methods: ["GET"] + query_params: + sortOrder: asc + cursor: abcd + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [ + { + "accountId": "9898123451234512345", + "accountName": "DEF", + "activeDirectory": { + "computerDistinguishedName": null, + "computerMemberOf": [], + "lastUserDistinguishedName": null, + "lastUserMemberOf": [] + }, + "activeThreats": 7, + "agentVersion": "12.x.x.x", + "allowRemoteShell": true, + "appsVulnerabilityStatus": "not_applicable", + "cloudProviders": {}, + "computerName": "user-test", + "consoleMigrationStatus": "N/A", + "coreCount": 2, + "missingPermissions": [ + "user-action-needed-bluetooth-per", + "user_action_needed_fda" + ], + "cpuCount": 2, + "cpuId": "CPU Name", + "createdAt": 
"2022-03-19T09:12:00.519500Z", + "detectionState": null, + "domain": "WORKGROUP", + "encryptedApplications": false, + "externalId": "", + "externalIp": "81.2.69.143", + "firewallEnabled": true, + "firstFullModeTime": null, + "groupId": "1234567890123456789", + "groupIp": "81.2.69.144", + "groupName": "Default Group", + "id": "13491234512345", + "inRemoteShellSession": false, + "infected": true, + "installerType": ".msi", + "isActive": true, + "isDecommissioned": false, + "isPendingUninstall": false, + "isUninstalled": false, + "isUpToDate": true, + "lastActiveDate": "2022-03-17T09:51:28.506000Z", + "lastIpToMgmt": "81.2.69.145", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": true, + "locationType": "not_applicable", + "locations": null, + "machineType": "server", + "mitigationMode": "detect", + "mitigationModeSuspicious": "detect", + "modelName": "Compute Engine", + "networkInterfaces": [ + { + "gatewayIp": "81.2.69.145", + "gatewayMacAddress": "00-00-5E-00-53-00", + "id": "1234567890123456789", + "inet": [ + "81.2.69.144" + ], + "inet6": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + ], + "name": "Ethernet", + "physical": "00-00-5E-00-53-00" + } + ], + "networkQuarantineEnabled": false, + "networkStatus": "connected", + "operationalState": "na", + "operationalStateExpiration": null, + "osArch": "64 bit", + "osName": "Linux Server", + "osRevision": "1234", + "osStartTime": "2022-04-06T08:27:14Z", + "osType": "linux", + "osUsername": null, + "rangerStatus": "Enabled", + "rangerVersion": "21.x.x.x", + "registeredAt": "2022-04-06T08:26:45.515278Z", + "remoteProfilingState": "disabled", + "remoteProfilingStateExpiration": null, + "scanAbortedAt": null, + "scanFinishedAt": "2022-04-06T09:18:21.090855Z", + "scanStartedAt": "2022-04-06T08:26:52.838047Z", + "scanStatus": "finished", + "siteId": "1234567890123456789", + "siteName": "Default site", + "storageName": null, + "storageType": null, + "tags": { + "sentinelone": [ + { + "assignedBy": 
"test-user", + "assignedAt": "2018-02-27T04:49:26.257525Z", + "key": "key123", + "assignedById": "123456789012345678", + "id": "123456789012345678", + "value": "value123" + } + ] + }, + "threatRebootRequired": false, + "totalMemory": 1234, + "updatedAt": "2022-04-07T08:31:47.481227Z", + "userActionsNeeded": [ + "reboot_needed" + ], + "uuid": "XXX35XXX8Xfb4aX0X1X8X12X343X8X30" + } + ], + "pagination": { + "nextCursor": "efgh", + "totalItems": 2 + } + } + `}} + - path: /web/api/v2.1/agents + methods: ["GET"] + query_params: + sortOrder: asc + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [ + { + "accountId": "892341123451234512345", + "accountName": "ABC", + "activeDirectory": { + "computerDistinguishedName": null, + "computerMemberOf": [], + "lastUserDistinguishedName": null, + "lastUserMemberOf": [] + }, + "activeThreats": 7, + "agentVersion": "12.x.x.x", + "allowRemoteShell": true, + "appsVulnerabilityStatus": "not_applicable", + "cloudProviders": {}, + "computerName": "user-test", + "consoleMigrationStatus": "N/A", + "coreCount": 2, + "missingPermissions": [ + "user-action-needed-bluetooth-per", + "user_action_needed_fda" + ], + "cpuCount": 2, + "cpuId": "CPU Name", + "createdAt": "2022-03-18T09:12:00.519500Z", + "detectionState": null, + "domain": "WORKGROUP", + "encryptedApplications": false, + "externalId": "", + "externalIp": "81.2.69.143", + "firewallEnabled": true, + "firstFullModeTime": null, + "groupId": "1234567890123456789", + "groupIp": "81.2.69.144", + "groupName": "Default Group", + "id": "13491234512345", + "inRemoteShellSession": false, + "infected": true, + "installerType": ".msi", + "isActive": true, + "isDecommissioned": false, + "isPendingUninstall": false, + "isUninstalled": false, + "isUpToDate": true, + "lastActiveDate": "2022-03-17T09:51:28.506000Z", + "lastIpToMgmt": "81.2.69.145", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": 
true, + "locationType": "not_applicable", + "locations": null, + "machineType": "server", + "mitigationMode": "detect", + "mitigationModeSuspicious": "detect", + "modelName": "Compute Engine", + "networkInterfaces": [ + { + "gatewayIp": "81.2.69.145", + "gatewayMacAddress": "00-00-5E-00-53-00", + "id": "1234567890123456789", + "inet": [ + "81.2.69.144" + ], + "inet6": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + ], + "name": "Ethernet", + "physical": "00-00-5E-00-53-00" + } + ], + "networkQuarantineEnabled": false, + "networkStatus": "connected", + "operationalState": "na", + "operationalStateExpiration": null, + "osArch": "64 bit", + "osName": "Linux Server", + "osRevision": "1234", + "osStartTime": "2022-04-06T08:27:14Z", + "osType": "linux", + "osUsername": null, + "rangerStatus": "Enabled", + "rangerVersion": "21.x.x.x", + "registeredAt": "2022-04-06T08:26:45.515278Z", + "remoteProfilingState": "disabled", + "remoteProfilingStateExpiration": null, + "scanAbortedAt": null, + "scanFinishedAt": "2022-04-06T09:18:21.090855Z", + "scanStartedAt": "2022-04-06T08:26:52.838047Z", + "scanStatus": "finished", + "siteId": "1234567890123456789", + "siteName": "Default site", + "storageName": null, + "storageType": null, + "tags": { + "sentinelone": [ + { + "assignedBy": "test-user", + "assignedAt": "2018-02-27T04:49:26.257525Z", + "key": "key123", + "assignedById": "123456789012345678", + "id": "123456789012345678", + "value": "value123" + } + ] + }, + "threatRebootRequired": false, + "totalMemory": 1234, + "updatedAt": "2022-04-07T08:31:47.481227Z", + "userActionsNeeded": [ + "reboot_needed" + ], + "uuid": "XXX35XXX8Xfb4aX0X1X8X12X343X8X30" + } + ], + "pagination": { + "nextCursor": "abcd", + "totalItems": 2 + } + } + `}} + - path: /web/api/v2.1/cloud-detection/alerts + methods: ["GET"] + query_params: + sortOrder: asc + cursor: efgh + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [], + 
"pagination": { + "totalItems": 2, + "nextCursor": null + }, + "errors": [ + {} + ] + } + `}} + - path: /web/api/v2.1/cloud-detection/alerts + methods: ["GET"] + query_params: + sortOrder: asc + cursor: abcd + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [ + { + "targetProcessInfo": { + "tgtFileCreatedAt": "2018-02-28T05:49:26.257525Z", + "tgtFileIsSigned": "string", + "tgtFileOldPath": "string", + "tgtProcImagePath": "string", + "tgtProcSignedStatus": "string", + "tgtFileHashSha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", + "tgtProcStorylineId": "string", + "tgtProcPid": "12345", + "tgtProcCmdLine": "string", + "tgtProcName": "string", + "tgtFileModifiedAt": "2018-02-27T04:49:26.257525Z", + "tgtFileId": "string", + "tgtProcIntegrityLevel": "unknown", + "tgtFileHashSha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "tgtProcUid": "string", + "tgtProcessStartTime": "2018-02-27T04:49:26.257525Z", + "tgtFilePath": "string" + }, + "alertInfo": { + "createdAt": "2018-02-28T06:49:26.257525Z", + "srcIp": "81.2.69.142", + "incidentStatus": "string", + "registryOldValue": "string", + "alertId": "123456789123456789", + "dstPort": "1234", + "indicatorName": "string", + "registryPath": "string", + "loginType": "string", + "dstIp": "81.2.69.144", + "updatedAt": "2018-02-27T04:49:26.257525Z", + "indicatorDescription": "string", + "loginsUserName": "string", + "loginIsSuccessful": "string", + "indicatorCategory": "string", + "modulePath": "string", + "loginAccountSid": "string", + "dnsResponse": "string", + "netEventDirection": "string", + "registryValue": "string", + "srcMachineIp": "81.2.69.142", + "registryOldValueType": "string", + "eventType": "info", + "analystVerdict": "string", + "dvEventId": "string", + "dnsRequest": "string", + "loginIsAdministratorEquivalent": "string", + "loginAccountDomain": "string", + "tiIndicatorType": "string", + "moduleSha1": 
"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "source": "string", + "srcPort": "1234", + "tiIndicatorValue": "string", + "tiIndicatorSource": "string", + "reportedAt": "2018-02-27T04:49:26.257525Z", + "registryKeyPath": "string", + "tiIndicatorComparisonMethod": "string", + "hitType": "Events" + }, + "sourceProcessInfo": { + "integrityLevel": "unknown", + "pid": "12345", + "fileHashMd5": "5d41402abc4b2a76b9719d911017c592", + "filePath": "string", + "fileSignerIdentity": "string", + "pidStarttime": "2018-02-27T04:49:26.257525Z", + "storyline": "string", + "fileHashSha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "uniqueId": "string", + "user": "string", + "commandline": "string", + "name": "string", + "fileHashSha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", + "subsystem": "unknown" + }, + "ruleInfo": { + "severity": "Low", + "treatAsThreat": "UNDEFINED", + "id": "string", + "scopeLevel": "string", + "name": "string", + "description": "string" + }, + "sourceParentProcessInfo": { + "integrityLevel": "unknown", + "pid": "12345", + "fileHashMd5": "5d41402abc4b2a76b9719d911017c592", + "filePath": "string", + "fileSignerIdentity": "string", + "pidStarttime": "2018-02-27T04:49:26.257525Z", + "storyline": "string", + "fileHashSha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "uniqueId": "string", + "user": "string", + "commandline": "string", + "name": "string", + "fileHashSha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", + "subsystem": "unknown" + }, + "agentDetectionInfo": { + "osFamily": "string", + "uuid": "string", + "osName": "string", + "version": "3.x.x.x", + "siteId": "123456789123456789", + "name": "string", + "machineType": "string", + "osRevision": "string" + }, + "kubernetesInfo": { + "controllerName": "string", + "node": "string", + "namespace": "string", + "namespaceLabels": "string", + "pod": "string", + "controllerLabels": "string", + "controllerKind": "string", + "cluster": "string", + 
"podLabels": "string" + }, + "containerInfo": { + "id": "string", + "name": "string", + "image": "string", + "labels": "string" + } + } + ], + "pagination": { + "totalItems": 2, + "nextCursor": "efgh" + }, + "errors": [ + {} + ] + } + `}} + - path: /web/api/v2.1/cloud-detection/alerts + methods: ["GET"] + query_params: + sortOrder: asc + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: | + {{ minify_json ` + { + "data": [ + { + "targetProcessInfo": { + "tgtFileCreatedAt": "2018-02-27T04:49:26.257525Z", + "tgtFileIsSigned": "string", + "tgtFileOldPath": "string", + "tgtProcImagePath": "string", + "tgtProcSignedStatus": "string", + "tgtFileHashSha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", + "tgtProcStorylineId": "string", + "tgtProcPid": "12345", + "tgtProcCmdLine": "string", + "tgtProcName": "string", + "tgtFileModifiedAt": "2018-02-27T04:49:26.257525Z", + "tgtFileId": "string", + "tgtProcIntegrityLevel": "unknown", + "tgtFileHashSha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "tgtProcUid": "string", + "tgtProcessStartTime": "2018-02-27T04:49:26.257525Z", + "tgtFilePath": "string" + }, + "alertInfo": { + "createdAt": "2018-02-27T04:49:26.257525Z", + "srcIp": "81.2.69.142", + "incidentStatus": "open", + "registryOldValue": "string", + "alertId": "888456789123456789", + "dstPort": "1234", + "indicatorName": "string", + "registryPath": "string", + "loginType": "login", + "dstIp": "81.2.69.144", + "updatedAt": "2018-02-27T04:49:26.257525Z", + "indicatorDescription": "string", + "loginsUserName": "string", + "loginIsSuccessful": "string", + "indicatorCategory": "string", + "modulePath": "string", + "loginAccountSid": "string", + "dnsResponse": "string", + "netEventDirection": "string", + "registryValue": "string", + "srcMachineIp": "81.2.69.142", + "registryOldValueType": "string", + "eventType": "info", + "analystVerdict": "string", + "dvEventId": "string", + "dnsRequest": "string", + 
"loginIsAdministratorEquivalent": "string", + "loginAccountDomain": "string", + "tiIndicatorType": "string", + "moduleSha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "source": "string", + "srcPort": "1234", + "tiIndicatorValue": "string", + "tiIndicatorSource": "string", + "reportedAt": "2018-02-27T04:49:26.257525Z", + "registryKeyPath": "string", + "tiIndicatorComparisonMethod": "string", + "hitType": "Events" + }, + "sourceProcessInfo": { + "integrityLevel": "unknown", + "pid": "12345", + "fileHashMd5": "5d41402abc4b2a76b9719d911017c592", + "filePath": "string", + "fileSignerIdentity": "string", + "pidStarttime": "2018-02-27T04:49:26.257525Z", + "storyline": "string", + "fileHashSha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "uniqueId": "string", + "user": "string", + "commandline": "string", + "name": "string", + "fileHashSha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", + "subsystem": "unknown" + }, + "ruleInfo": { + "severity": "Low", + "treatAsThreat": "UNDEFINED", + "id": "string", + "scopeLevel": "string", + "name": "string", + "description": "string" + }, + "sourceParentProcessInfo": { + "integrityLevel": "unknown", + "pid": "12345", + "fileHashMd5": "5d41402abc4b2a76b9719d911017c592", + "filePath": "string", + "fileSignerIdentity": "string", + "pidStarttime": "2018-02-27T04:49:26.257525Z", + "storyline": "string", + "fileHashSha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "uniqueId": "string", + "user": "string", + "commandline": "string", + "name": "string", + "fileHashSha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", + "subsystem": "unknown" + }, + "agentDetectionInfo": { + "osFamily": "string", + "uuid": "string", + "osName": "string", + "version": "3.x.x.x", + "siteId": "123456789123456789", + "name": "string", + "machineType": "string", + "osRevision": "string" + }, + "kubernetesInfo": { + "controllerName": "string", + "node": "string", + "namespace": "string", + "namespaceLabels": 
"string", + "pod": "string", + "controllerLabels": "string", + "controllerKind": "string", + "cluster": "string", + "podLabels": "string" + }, + "containerInfo": { + "id": "string", + "name": "string", + "image": "string", + "labels": "string" + } + } + ], + "pagination": { + "totalItems": 2, + "nextCursor": "abcd" + }, + "errors": [ + {} + ] + } + `}} + - path: /web/api/v2.1/groups + methods: ["GET"] + query_params: + sortOrder: asc + cursor: efgh + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [], + "pagination": { + "nextCursor": null, + "totalItems": 4 + } + } + `}} + - path: /web/api/v2.1/groups + methods: ["GET"] + query_params: + sortOrder: asc + cursor: abcd + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [ + { + "createdAt": "2022-04-07T16:01:56.928383Z", + "creator": "Test User3", + "creatorId": "09099890123456789", + "filterId": null, + "filterName": null, + "id": "18989567890123456789", + "inherits": true, + "isDefault": true, + "name": "Default Group", + "rank": null, + "registrationToken": "eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=", + "siteId": "1234567890123456789", + "totalAgents": 1, + "type": "static", + "updatedAt": "2022-04-08T16:01:57.564266Z" + }, + { + "createdAt": "2022-04-08T16:01:56.928383Z", + "creator": "Test Use4r", + "creatorId": "08884567890123456789", + "filterId": null, + "filterName": null, + "id": "11134567890123456789", + "inherits": true, + "isDefault": true, + "name": "Default Group", + "rank": null, + "registrationToken": "eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=", + "siteId": "1234567890123456789", + "totalAgents": 1, + "type": "static", + "updatedAt": "2022-04-09T16:01:57.564266Z" + } + ], + "pagination": { + "nextCursor": "efgh", + "totalItems": 4 + } + } + `}} + - 
path: /web/api/v2.1/groups + methods: ["GET"] + query_params: + sortOrder: asc + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [ + { + "createdAt": "2022-04-05T16:01:56.928383Z", + "creator": "Test User", + "creatorId": "1234567890123456789", + "filterId": null, + "filterName": null, + "id": "1234567890123456789", + "inherits": true, + "isDefault": true, + "name": "Default Group", + "rank": null, + "registrationToken": "eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=", + "siteId": "1234567890123456789", + "totalAgents": 1, + "type": "static", + "updatedAt": "2022-04-05T16:01:57.564266Z" + }, + { + "createdAt": "2022-04-06T16:01:56.928383Z", + "creator": "Test User1", + "creatorId": "3334567890123456789", + "filterId": null, + "filterName": null, + "id": "1333367890123456789", + "inherits": true, + "isDefault": true, + "name": "Default Group", + "rank": null, + "registrationToken": "eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=", + "siteId": "1234567890123456789", + "totalAgents": 1, + "type": "static", + "updatedAt": "2022-04-05T16:01:57.564266Z" + } + ], + "pagination": { + "nextCursor": "abcd", + "totalItems": 4 + } + } + `}} + - path: /web/api/v2.1/threats + methods: ["GET"] + query_params: + sortOrder: asc + cursor: efgh + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [], + "pagination": { + "nextCursor": null, + "totalItems": 2 + } + } + `}} + - path: /web/api/v2.1/threats + methods: ["GET"] + query_params: + sortOrder: asc + cursor: abcd + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [ + { + "agentDetectionInfo": { + "accountId": "111245567890123456789", + "accountName": "Default2", + "agentDetectionState": null, + 
"agentDomain": "WORKGROUP", + "agentIpV4": "127.0.0.1", + "agentIpV6": "2a02:cf40::", + "agentLastLoggedInUpn": null, + "agentLastLoggedInUserMail": null, + "agentLastLoggedInUserName": "", + "agentMitigationMode": "protect", + "agentOsName": "linux", + "agentOsRevision": "1234", + "agentRegisteredAt": "2022-04-08T08:26:45.515278Z", + "agentUuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx", + "agentVersion": "21.x.x", + "cloudProviders": {}, + "externalIp": "81.2.69.143", + "groupId": "1444567890123456789", + "groupName": "Default Group", + "siteId": "1234567890123456789", + "siteName": "Default site" + }, + "agentRealtimeInfo": { + "accountId": "1456567890123456789", + "accountName": "Default2", + "activeThreats": 8, + "agentComputerName": "test-LINUX", + "agentDecommissionedAt": null, + "agentDomain": "WORKGROUP", + "agentId": "1234567890123456789", + "agentInfected": true, + "agentIsActive": true, + "agentIsDecommissioned": false, + "agentMachineType": "server", + "agentMitigationMode": "detect", + "agentNetworkStatus": "connected", + "agentOsName": "linux", + "agentOsRevision": "1234", + "agentOsType": "linux", + "agentUuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx", + "agentVersion": "21.x.x.1234", + "groupId": "1234567890123456789", + "groupName": "Default Group", + "networkInterfaces": [ + { + "id": "1234567890123456789", + "inet": [ + "10.0.0.1" + ], + "inet6": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + ], + "name": "Ethernet", + "physical": "DE:AD:00:00:BE:EF" + } + ], + "operationalState": "na", + "rebootRequired": false, + "scanAbortedAt": null, + "scanFinishedAt": "2022-04-09T09:18:21.090855Z", + "scanStartedAt": "2022-04-09T08:26:52.838047Z", + "scanStatus": "finished", + "siteId": "1234567890123456789", + "siteName": "Default site", + "storageName": null, + "storageType": null, + "userActionsNeeded": [] + }, + "containerInfo": { + "id": null, + "image": null, + "labels": null, + "name": null + }, + "id": "1234567890123456789", + "indicators": [], + "kubernetesInfo": 
{ + "cluster": null, + "controllerKind": null, + "controllerLabels": null, + "controllerName": null, + "namespace": null, + "namespaceLabels": null, + "node": null, + "pod": null, + "podLabels": null + }, + "mitigationStatus": [ + { + "action": "unquarantine", + "actionsCounters": { + "failed": 0, + "notFound": 0, + "pendingReboot": 0, + "success": 1, + "total": 1 + }, + "agentSupportsReport": true, + "groupNotFound": false, + "lastUpdate": "2022-04-06T08:54:17.198002Z", + "latestReport": "/threats/mitigation-report", + "mitigationEndedAt": "2022-04-06T08:54:17.101000Z", + "mitigationStartedAt": "2022-04-06T08:54:17.101000Z", + "status": "success" + }, + { + "action": "kill", + "actionsCounters": null, + "agentSupportsReport": true, + "groupNotFound": false, + "lastUpdate": "2022-04-06T08:45:55.303355Z", + "latestReport": null, + "mitigationEndedAt": "2022-04-06T08:45:55.297364Z", + "mitigationStartedAt": "2022-04-06T08:45:55.297363Z", + "status": "success" + } + ], + "threatInfo": { + "analystVerdict": "undefined", + "analystVerdictDescription": "Undefined", + "automaticallyResolved": false, + "browserType": null, + "certificateId": "", + "classification": "Trojan", + "classificationSource": "Cloud", + "cloudFilesHashVerdict": "black", + "collectionId": "1234567890123456789", + "confidenceLevel": "malicious", + "createdAt": "2022-04-06T08:45:54.519988Z", + "detectionEngines": [ + { + "key": "sentinelone_cloud", + "title": "SentinelOne Cloud" + } + ], + "detectionType": "static", + "engines": [ + "SentinelOne Cloud" + ], + "externalTicketExists": false, + "externalTicketId": null, + "failedActions": false, + "fileExtension": "EXE", + "fileExtensionType": "Executable", + "filePath": "default.exe", + "fileSize": 1234, + "fileVerificationType": "NotSigned", + "identifiedAt": "2022-04-06T08:45:53.968000Z", + "incidentStatus": "unresolved", + "incidentStatusDescription": "Unresolved", + "initiatedBy": "agent_policy", + "initiatedByDescription": "Agent Policy", + 
"initiatingUserId": null, + "initiatingUsername": null, + "isFileless": false, + "isValidCertificate": false, + "maliciousProcessArguments": null, + "md5": null, + "mitigatedPreemptively": false, + "mitigationStatus": "not_mitigated", + "mitigationStatusDescription": "Not mitigated", + "originatorProcess": "default.exe", + "pendingActions": false, + "processUser": "test user", + "publisherName": "", + "reachedEventsLimit": false, + "rebootRequired": false, + "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "sha256": null, + "storyline": "D0XXXXXXXXXXAF4D", + "threatId": "1234567890123456789", + "threatName": "default.exe", + "updatedAt": "2022-04-06T08:54:17.194122Z" + }, + "whiteningOptions": [ + "hash" + ] + } + ], + "pagination": { + "nextCursor": "efgh", + "totalItems": 2 + } + } + `}} + - path: /web/api/v2.1/threats + methods: ["GET"] + query_params: + sortOrder: asc + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [ + { + "agentDetectionInfo": { + "accountId": "1234567890123456789", + "accountName": "Default", + "agentDetectionState": null, + "agentDomain": "WORKGROUP", + "agentIpV4": "10.0.0.1", + "agentIpV6": "2a02:cf40::", + "agentLastLoggedInUpn": null, + "agentLastLoggedInUserMail": null, + "agentLastLoggedInUserName": "", + "agentMitigationMode": "protect", + "agentOsName": "linux", + "agentOsRevision": "1234", + "agentRegisteredAt": "2022-04-06T08:26:45.515278Z", + "agentUuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx", + "agentVersion": "21.x.x", + "cloudProviders": {}, + "externalIp": "81.2.69.143", + "groupId": "1234567890123456789", + "groupName": "Default Group", + "siteId": "1234567890123456789", + "siteName": "Default site" + }, + "agentRealtimeInfo": { + "accountId": "1234567890123456789", + "accountName": "Default", + "activeThreats": 7, + "agentComputerName": "test-LINUX", + "agentDecommissionedAt": null, + "agentDomain": "WORKGROUP", + "agentId": 
"1234567890123456789", + "agentInfected": true, + "agentIsActive": true, + "agentIsDecommissioned": false, + "agentMachineType": "server", + "agentMitigationMode": "detect", + "agentNetworkStatus": "connected", + "agentOsName": "linux", + "agentOsRevision": "1234", + "agentOsType": "linux", + "agentUuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx", + "agentVersion": "21.x.x.1234", + "groupId": "1234567890123456789", + "groupName": "Default Group", + "networkInterfaces": [ + { + "id": "1234567890123456789", + "inet": [ + "10.0.0.1" + ], + "inet6": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + ], + "name": "Ethernet", + "physical": "DE:AD:00:00:BE:EF" + } + ], + "operationalState": "na", + "rebootRequired": false, + "scanAbortedAt": null, + "scanFinishedAt": "2022-04-06T09:18:21.090855Z", + "scanStartedAt": "2022-04-06T08:26:52.838047Z", + "scanStatus": "finished", + "siteId": "1234567890123456789", + "siteName": "Default site", + "storageName": null, + "storageType": null, + "userActionsNeeded": [] + }, + "containerInfo": { + "id": null, + "image": null, + "labels": null, + "name": null + }, + "id": "1234567890123456789", + "indicators": [], + "kubernetesInfo": { + "cluster": null, + "controllerKind": null, + "controllerLabels": null, + "controllerName": null, + "namespace": null, + "namespaceLabels": null, + "node": null, + "pod": null, + "podLabels": null + }, + "mitigationStatus": [ + { + "action": "unquarantine", + "actionsCounters": { + "failed": 0, + "notFound": 0, + "pendingReboot": 0, + "success": 1, + "total": 1 + }, + "agentSupportsReport": true, + "groupNotFound": false, + "lastUpdate": "2022-04-06T08:54:17.198002Z", + "latestReport": "/threats/mitigation-report", + "mitigationEndedAt": "2022-04-06T08:54:17.101000Z", + "mitigationStartedAt": "2022-04-06T08:54:17.101000Z", + "status": "success" + }, + { + "action": "kill", + "actionsCounters": null, + "agentSupportsReport": true, + "groupNotFound": false, + "lastUpdate": "2022-04-06T08:45:55.303355Z", + 
"latestReport": null, + "mitigationEndedAt": "2022-04-06T08:45:55.297364Z", + "mitigationStartedAt": "2022-04-06T08:45:55.297363Z", + "status": "success" + } + ], + "threatInfo": { + "analystVerdict": "undefined", + "analystVerdictDescription": "Undefined", + "automaticallyResolved": false, + "browserType": null, + "certificateId": "", + "classification": "Trojan", + "classificationSource": "Cloud", + "cloudFilesHashVerdict": "black", + "collectionId": "1234567890123456789", + "confidenceLevel": "malicious", + "createdAt": "2022-04-06T08:45:54.519988Z", + "detectionEngines": [ + { + "key": "sentinelone_cloud", + "title": "SentinelOne Cloud" + } + ], + "detectionType": "static", + "engines": [ + "SentinelOne Cloud" + ], + "externalTicketExists": false, + "externalTicketId": null, + "failedActions": false, + "fileExtension": "EXE", + "fileExtensionType": "Executable", + "filePath": "default.exe", + "fileSize": 1234, + "fileVerificationType": "NotSigned", + "identifiedAt": "2022-04-06T08:45:53.968000Z", + "incidentStatus": "unresolved", + "incidentStatusDescription": "Unresolved", + "initiatedBy": "agent_policy", + "initiatedByDescription": "Agent Policy", + "initiatingUserId": null, + "initiatingUsername": null, + "isFileless": false, + "isValidCertificate": false, + "maliciousProcessArguments": null, + "md5": null, + "mitigatedPreemptively": false, + "mitigationStatus": "not_mitigated", + "mitigationStatusDescription": "Not mitigated", + "originatorProcess": "default.exe", + "pendingActions": false, + "processUser": "test user", + "publisherName": "", + "reachedEventsLimit": false, + "rebootRequired": false, + "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "sha256": null, + "storyline": "D0XXXXXXXXXXAF4D", + "threatId": "1234567890123456789", + "threatName": "default.exe", + "updatedAt": "2022-04-06T08:55:17.194122Z" + }, + "whiteningOptions": [ + "hash" + ] + } + ], + "pagination": { + "nextCursor": "abcd", + "totalItems": 2 + } + } + `}} + - path: 
/web/api/v2.1/application-management/inventory + methods: ['GET'] + query_params: + skipCount: "true" + limit: 2 + cursor: abcd + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "applicationName": "Elastic Agent", + "applicationVendor": "Elastic", + "applicationVersionsCount": 1, + "endpointsCount": 1, + "estimate": false + }, + { + "applicationName": "Git", + "applicationVendor": "The Git Development Community", + "applicationVersionsCount": 1, + "endpointsCount": 1, + "estimate": false + } + ], + "pagination": { + "nextCursor": "efgh", + "totalItems": 0 + } + } + `}} + - path: /web/api/v2.1/application-management/inventory + methods: ['GET'] + query_params: + skipCount: "true" + limit: 2 + cursor: efgh + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [], + "pagination": { + "nextCursor": null, + "totalItems": 0 + } + } + `}} + - path: /web/api/v2.1/application-management/inventory + methods: ['GET'] + query_params: + skipCount: "true" + limit: 2 + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "applicationName": "7-Zip", + "applicationVendor": "Igor Pavlov", + "applicationVersionsCount": 1, + "endpointsCount": 1, + "estimate": false + }, + { + "applicationName": "Brave", + "applicationVendor": "Brave Software Inc", + "applicationVersionsCount": 1, + "endpointsCount": 1, + "estimate": false + } + ], + "pagination": { + "nextCursor": "abcd", + "totalItems": 0 + } + } + `}} + - path: /web/api/v2.1/application-management/inventory/endpoints + methods: ['GET'] + query_params: + applicationName: Git + applicationVendor: The Git Development Community + 
skipCount: "true" + limit: 2 + cursor: xxxxx + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [], + "pagination": { + "nextCursor": null, + "totalItems": 0 + } + } + `}} + - path: /web/api/v2.1/application-management/inventory/endpoints + methods: ['GET'] + query_params: + applicationName: 7-Zip + applicationVendor: Igor Pavlov + skipCount: "true" + limit: 2 + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "accountName": "7-Zip", + "applicationInstallationDate": "2025-04-13T10:45:01Z", + "applicationInstallationPath": null, + "applicationName": "Igor Pavlov", + "coreCount": 2, + "cpe": "cpe:2.3:a:abc:igor:8.17.3:*:*:*:*:*:*:*", + "cpuCount": 1, + "detectionDate": "2025-06-19T18:00:51.166610Z", + "endpointId": "216970508828266268", + "endpointName": "srv-win-defend-03", + "endpointType": "server", + "endpointUuid": "eb655be8be894dae97711ebb9a9091ae", + "fileSize": 517364, + "groupName": "Default Group", + "id": "2218357748550497214", + "osArch": "64 bit", + "osName": "Windows Server 2022 Datacenter", + "osType": "windows", + "osVersion": "Windows Server 2022 Datacenter 20348", + "siteName": "Default site", + "version": "8.17.3" + } + ], + "pagination": { + "nextCursor": null, + "totalItems": 1 + } + } + `}} + - path: /web/api/v2.1/application-management/inventory/endpoints + methods: ['GET'] + query_params: + applicationName: Brave + applicationVendor: Brave Software Inc + skipCount: "true" + limit: 2 + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "accountName": "Brave", + "applicationInstallationDate": "2025-03-13T10:45:01Z", + 
"applicationInstallationPath": null, + "applicationName": "Brave Software Inc", + "coreCount": 2, + "cpe": "cpe:2.3:a:elastic:elastic_agent:8.17.3:*:*:*:*:*:*:*", + "cpuCount": 1, + "detectionDate": "2025-05-19T18:00:51.166610Z", + "endpointId": "2169705024028266268", + "endpointName": "srv-win-defend-03", + "endpointType": "server", + "endpointUuid": "eb655be8be894dae97711ebb9a9091ae", + "fileSize": 517364, + "groupName": "Default Group", + "id": "2218357748550497214", + "osArch": "64 bit", + "osName": "Windows Server 2022 Datacenter", + "osType": "windows", + "osVersion": "Windows Server 2022 Datacenter 20348", + "siteName": "Default site", + "version": "8.17.3" + } + ], + "pagination": { + "nextCursor": null, + "totalItems": 1 + } + } + `}} + - path: /web/api/v2.1/application-management/inventory/endpoints + methods: ['GET'] + query_params: + applicationName: Elastic Agent + applicationVendor: Elastic + skipCount: "true" + limit: 2 + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "accountName": "Elastic", + "applicationInstallationDate": "2025-03-13T10:45:01Z", + "applicationInstallationPath": null, + "applicationName": "Elastic Agent", + "coreCount": 2, + "cpe": "cpe:2.3:a:elastic:elastic_agent:8.17.3:*:*:*:*:*:*:*", + "cpuCount": 1, + "detectionDate": "2025-05-19T18:00:51.166610Z", + "endpointId": "2169705024028266268", + "endpointName": "srv-win-defend-03", + "endpointType": "server", + "endpointUuid": "eb655be8be894dae97711ebb9a9091ae", + "fileSize": 517364, + "groupName": "Default Group", + "id": "2218357748550497214", + "osArch": "64 bit", + "osName": "Windows Server 2022 Datacenter", + "osType": "windows", + "osVersion": "Windows Server 2022 Datacenter 20348", + "siteName": "Default site", + "version": "8.17.3" + } + ], + "pagination": { + "nextCursor": null, + "totalItems": 1 + } + } + `}} + - path: 
/web/api/v2.1/application-management/inventory/endpoints + methods: ['GET'] + query_params: + applicationName: Git + applicationVendor: The Git Development Community + skipCount: "true" + limit: 2 + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "accountName": "Git", + "applicationInstallationDate": "2025-08-13T10:45:01Z", + "applicationInstallationPath": null, + "applicationName": "The Git Development Community", + "coreCount": 2, + "cpe": "cpe:2.3:a:elastic:git:8.17.3:*:*:*:*:*:*:*", + "cpuCount": 1, + "detectionDate": "2025-05-29T18:00:51.166610Z", + "endpointId": "2169705024028266268", + "endpointName": "srv-win-defend-05", + "endpointType": "server", + "endpointUuid": "eb65e894dae97711ebb9a9091ae", + "fileSize": 517364, + "groupName": "Default Group", + "id": "22183577485514", + "osArch": "64 bit", + "osName": "Windows Server 2022 Datacenter", + "osType": "windows", + "osVersion": "Windows Server 2022 Datacenter 20348", + "siteName": "Default site", + "version": "8.17.3" + } + ], + "pagination": { + "nextCursor": "xxxxx", + "totalItems": 1 + } + } + `}} + - path: /web/api/v2.1/application-management/risks + methods: ['GET'] + query_params: + limit: 2 + cursor: null + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "application": "7-Zip 22.01", + "applicationName": "7-Zip", + "applicationVendor": "Igor Pavlov", + "applicationVersion": "22.01", + "baseScore": "7.00", + "cveId": "CVE-2025-0411", + "cvssVersion": "3.1", + "daysDetected": 59, + "detectionDate": "2025-06-02T04:46:51.710569Z", + "endpointId": "2162143406517023959", + "endpointName": "test_endpoint", + "endpointType": "desktop", + "id": "2228104980801805822", + "lastScanDate": "2025-07-29T19:25:47Z", + "lastScanResult": 
"Succeeded", + "markType": "", + "markedBy": null, + "markedDate": null, + "osType": "windows", + "publishedDate": "2025-01-20T07:04:04Z", + "reason": null, + "severity": "HIGH", + "status": "Detected" + }, + { + "application": "7-Zip 22.01", + "applicationName": "7-Zip", + "applicationVendor": "Igor Pavlov", + "applicationVersion": "22.01", + "baseScore": "7.80", + "cveId": "CVE-2024-11477", + "cvssVersion": "3.1", + "daysDetected": 59, + "detectionDate": "2025-06-02T04:46:51.710578Z", + "endpointId": "2162143406517023959", + "endpointName": "example_endpoint", + "endpointType": "desktop", + "id": "2228104981028298282", + "lastScanDate": "2025-07-29T19:25:47Z", + "lastScanResult": "Succeeded", + "markType": "", + "markedBy": null, + "markedDate": null, + "osType": "windows", + "publishedDate": "2024-11-21T06:42:16Z", + "reason": null, + "severity": "HIGH", + "status": "Detected" + } + ], + "pagination": { + "nextCursor": "page2", + "totalItems": 5 + } + } + `}} + - path: /web/api/v2.1/application-management/risks + methods: ['GET'] + query_params: + limit: 2 + cursor: page2 + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "application": "Microsoft Edge 112.0.1722.68", + "applicationName": "Microsoft Edge", + "applicationVendor": "Microsoft Corporation", + "applicationVersion": "112.0.1722.68", + "baseScore": "4.30", + "cveId": "CVE-2024-29057", + "cvssVersion": "3.1", + "daysDetected": 59, + "detectionDate": "2025-06-02T04:46:51.710587Z", + "endpointId": "2162143406517023959", + "endpointName": "DESKTOP-example", + "endpointType": "desktop", + "id": "2228104981036686896", + "lastScanDate": "2025-07-29T19:25:47Z", + "lastScanResult": "Succeeded", + "markType": "", + "markedBy": null, + "markedDate": null, + "osType": "windows", + "publishedDate": "2024-03-22T22:15:00Z", + "reason": null, + "severity": "MEDIUM", + "status": 
"Detected" + }, + { + "application": "Microsoft Edge 112.0.1722.68", + "applicationName": "Microsoft Edge", + "applicationVendor": "Microsoft Corporation", + "applicationVersion": "112.0.1722.68", + "baseScore": "6.10", + "cveId": "CVE-2024-38156", + "cvssVersion": "3.1", + "daysDetected": 59, + "detectionDate": "2025-06-02T04:46:51.710591Z", + "endpointId": "2162143406517023959", + "endpointName": "DESKTOP-test", + "endpointType": "desktop", + "id": "2228104981070241336", + "lastScanDate": "2025-07-29T19:25:47Z", + "lastScanResult": "Succeeded", + "markType": "", + "markedBy": null, + "markedDate": null, + "osType": "windows", + "publishedDate": "2024-07-18T05:39:23Z", + "reason": null, + "severity": "MEDIUM", + "status": "Detected" + } + ], + "pagination": { + "nextCursor": "page3", + "totalItems": 5 + } + } + `}} + - path: /web/api/v2.1/application-management/risks + methods: ['GET'] + query_params: + limit: 2 + cursor: page3 + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "application": "Microsoft Edge 112.0.1722.68", + "applicationName": "Microsoft Edge", + "applicationVendor": "Microsoft Corporation", + "applicationVersion": "112.0.1722.68", + "baseScore": "6.50", + "cveId": "CVE-2024-38222", + "cvssVersion": "3.1", + "daysDetected": 59, + "detectionDate": "2025-06-02T04:46:51.710593Z", + "endpointId": "2162143406517023959", + "endpointName": "DESKTOP-R1E2DQ2", + "endpointType": "desktop", + "id": "2228104981095407166", + "lastScanDate": "2025-07-29T19:25:47Z", + "lastScanResult": "Succeeded", + "markType": "", + "markedBy": null, + "markedDate": null, + "osType": "windows", + "publishedDate": "2024-08-13T18:27:28Z", + "reason": null, + "severity": "MEDIUM", + "status": "Detected" + } + ], + "pagination": { + "nextCursor": null, + "totalItems": 5 + } + } + `}} 
diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/build/build.yml b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/build/build.yml
new file mode 100644
index 0000000000..2bfcfc223b
--- /dev/null
+++ b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+ ecs:
+ reference: "git@v8.11.0"
diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/build/docs/README.md b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/build/docs/README.md
new file mode 100644
index 0000000000..9db643e333
--- /dev/null
+++ b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/build/docs/README.md
@@ -0,0 +1,70 @@
+# SentinelOne
+
+The [SentinelOne](https://www.sentinelone.com/) integration collects and parses data from SentinelOne REST APIs. This integration also offers the capability to perform response actions on SentinelOne hosts directly through the Elastic Security interface (introduced with v8.12.0). Additional configuration is required; for detailed guidance, refer to [documentation](https://www.elastic.co/guide/en/security/current/response-actions-config.html).
+
+## Agentless Enabled Integration
+Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html).
+
+Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.
+
+## Compatibility
+
+This module has been tested against `SentinelOne Management Console API version 2.1`.
+
+## API token
+
+To collect data from SentinelOne APIs, you must have an API token. To create an API token, follow these steps:
+
+ 1. Log in to the **SentinelOne Management Console** as an **Admin**.
+ ![SentinelOne dashboards](../img/sentinel-one-dashboard.png)
+ 2. Navigate to **Logged User Account** from top right panel in the navigation bar.
+ 3. Click **My User**.
+ 4. In the API token section, navigate to **Actions** > **API Token Operators** > **Generate API Token**.
+ ![SentinelOne generate API token ](../img/sentinel-one-api-token-generate.png)
+ 5. Enter the MFA code, if enabled.
+ ![SentinelOne generate MFA Code ](../img/sentinel-one-mfa-code.png)
+ 6. You will see the API token on the screen.
+
+**Permissions Required for the Role Attached to the User**
+
+| **Data Stream** | **Permission** |
+|-------------------|---------------------------------|
+| Activity | Activity -> view |
+| Agent | Endpoints -> view |
+| Alert | STAR Rule Alerts -> view |
+| Application | Applications -> view |
+| Application Risk | Applications -> viewRisks |
+| Group | Groups -> view |
+| Threat | Threats -> view |
+
+## Note
+
+The **alert** data stream depends on STAR Custom Rules. STAR Custom Rules are supported in Cloud environments, but are not supported in on-premises environments. Because of this, the **alert** data stream is not supported in on-premises environments.
+
+## Troubleshooting
+
+- The API token generated by the user is time-limited. The user must reconfigure a new API token before it expires.
+ - For console users, the default expiration time limit is 30 days.
+ - For service users, the expiration time limit is the same as the duration specified while generating the API token.
+
+## Alert severity mapping
+
+The values used in `event.severity` are consistent with Elastic Detection Rules.
+
+| Severity Name | `event.severity` |
+|---------------|:----------------:|
+| Low | 21 |
+| Medium | 47 |
+| High | 73 |
+| Critical | 99 |
+
+## Logs
+
+### alert
+
+This is the `alert` dataset.
+
+{{event "alert"}}
+
+{{fields "alert"}}
+
diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/deploy/docker/docker-compose.yml b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/deploy/docker/docker-compose.yml
new file mode 100644
index 0000000000..48e601d938
--- /dev/null
+++ b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/deploy/docker/docker-compose.yml
@@ -0,0 +1,15 @@
+version: "2.3"
+services:
+ sentinel_one:
+ image: docker.elastic.co/observability/stream:v0.18.0
+ hostname: sentinel_one
+ ports:
+ - 8080
+ volumes:
+ - ./files:/files:ro
+ environment:
+ PORT: "8080"
+ command:
+ - http-server
+ - --addr=:8080
+ - --config=/files/config.yml
diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/deploy/docker/files/config.yml b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/deploy/docker/files/config.yml
new file mode 100644
index 0000000000..60a91a45e7
--- /dev/null
+++ b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/deploy/docker/files/config.yml
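Review bot: The `version: "2.3"` key on the first line of the hunk is the legacy Compose file-format field, which the Compose specification treats as obsolete and Docker Compose v2 ignores with a warning; it can be dropped unless the CI agents still run the v1 `docker-compose` binary, which is not visible from this diff. The mock server image is pinned by tag only (`image: docker.elastic.co/observability/stream:v0.18.0`); since a benchmark fixture is meant to give comparable results across runs, pinning by digest as well (`image: docker.elastic.co/observability/stream:v0.18.0@sha256:<digest-placeholder>`) keeps the fixture reproducible and independent of the tag being re-pointed. The read-only `./files:/files:ro` mount and the fixed `PORT` with a dynamically published host port follow the pattern the other deploy definitions in this repository appear to use.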
@@ -0,0 +1,1889 @@ +rules: + - path: /web/api/v2.1/activities + methods: ["GET"] + query_params: + sortOrder: asc + cursor: efgh + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [], + "pagination": { + "nextCursor": null, + "totalItems": 4 + } + } + `}} + - path: /web/api/v2.1/activities + methods: ["GET"] + query_params: + sortOrder: asc + cursor: abcd + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [ + { + "accountId": "2234567890123456789", + "accountName": "Default5", + "activityType": 1234, + "agentId": null, + "agentUpdatedVersion": null, + "comments": "True", + "createdAt": "2022-04-21T05:14:08.925421Z", + "data": { + "accountName": "Default", + "byUser": "API", + "fullScopeDetails": "Account Default", + "fullScopeDetailsPath": "test/default", + "groupName": null, + "newValue": true, + "role": "Level", + "scopeLevel": "Account", + "scopeName": "Default", + "siteName": null, + "userScope": "account", + "username": "API" + }, + "description": "API", + "groupId": null, + "groupName": null, + "hash": null, + "id": "1234567890123456789", + "osFamily": null, + "primaryDescription": "The management user API enabled Two factor authentication on the user API.", + "secondaryDescription": null, + "siteId": null, + "siteName": null, + "threatId": null, + "updatedAt": "2022-04-18T05:14:08.922553Z", + "userId": "1234567890123456789" + }, + { + "accountId": "444567890123456789", + "accountName": "Default6", + "activityType": 1234, + "agentId": null, + "agentUpdatedVersion": null, + "comments": null, + "createdAt": "2022-04-22T05:14:09.240427Z", + "data": { + "accountName": "Default", + "fullScopeDetails": "Account Default", + "fullScopeDetailsPath": "test/default", + "groupName": null, + "ipAddress": "81.2.69.144", + "reason": null, + "role": "Level", + "scopeLevel": "Account", + "scopeName": "Default", + 
"siteName": null, + "source": "src", + "userScope": "account", + "username": "API" + }, + "description": null, + "groupId": null, + "groupName": null, + "hash": null, + "id": "1234567890123456789", + "osFamily": null, + "primaryDescription": "The management user API logged in to the management console with IP Address 81.2.69.144", + "secondaryDescription": null, + "siteId": null, + "siteName": null, + "threatId": null, + "updatedAt": "2022-04-18T05:14:09.238430Z", + "userId": "1234567890123456789" + } + ], + "pagination": { + "nextCursor": "efgh", + "totalItems": 4 + } + } + `}} + - path: /web/api/v2.1/activities + methods: ["GET"] + query_params: + sortOrder: asc + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [ + { + "accountId": "3214567890123456789", + "accountName": "Default12", + "activityType": 1234, + "agentId": null, + "agentUpdatedVersion": null, + "comments": "True", + "createdAt": "2022-04-19T05:14:08.925421Z", + "data": { + "accountName": "Default", + "byUser": "API", + "fullScopeDetails": "Account Default", + "fullScopeDetailsPath": "test/default", + "groupName": null, + "newValue": true, + "role": "Level", + "scopeLevel": "Account", + "scopeName": "Default", + "siteName": null, + "userScope": "account", + "username": "API" + }, + "description": "API", + "groupId": null, + "groupName": null, + "hash": null, + "id": "1234567890123456789", + "osFamily": null, + "primaryDescription": "The management user API enabled Two factor authentication on the user API.", + "secondaryDescription": null, + "siteId": null, + "siteName": null, + "threatId": null, + "updatedAt": "2022-04-18T05:14:08.922553Z", + "userId": "1234567890123456789" + }, + { + "accountId": "1114567890123456789", + "accountName": "Default4", + "activityType": 1234, + "agentId": null, + "agentUpdatedVersion": null, + "comments": null, + "createdAt": "2022-04-20T05:14:09.240427Z", + "data": { + "accountName": 
"Default", + "fullScopeDetails": "Account Default", + "fullScopeDetailsPath": "test/default", + "groupName": null, + "ipAddress": "81.2.69.144", + "reason": null, + "role": "Level", + "scopeLevel": "Account", + "scopeName": "Default", + "siteName": null, + "source": "src", + "userScope": "account", + "username": "API" + }, + "description": null, + "groupId": null, + "groupName": null, + "hash": null, + "id": "1234567890123456789", + "osFamily": null, + "primaryDescription": "The management user API logged in to the management console with IP Address 81.2.69.144", + "secondaryDescription": null, + "siteId": null, + "siteName": null, + "threatId": null, + "updatedAt": "2022-04-18T05:14:09.238430Z", + "userId": "1234567890123456789" + } + ], + "pagination": { + "nextCursor": "abcd", + "totalItems": 4 + } + } + `}} + - path: /web/api/v2.1/agents + methods: ["GET"] + query_params: + sortOrder: asc + cursor: efgh + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [], + "pagination": { + "nextCursor": null, + "totalItems": 2 + } + } + `}} + - path: /web/api/v2.1/agents + methods: ["GET"] + query_params: + sortOrder: asc + cursor: abcd + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [ + { + "accountId": "9898123451234512345", + "accountName": "DEF", + "activeDirectory": { + "computerDistinguishedName": null, + "computerMemberOf": [], + "lastUserDistinguishedName": null, + "lastUserMemberOf": [] + }, + "activeThreats": 7, + "agentVersion": "12.x.x.x", + "allowRemoteShell": true, + "appsVulnerabilityStatus": "not_applicable", + "cloudProviders": {}, + "computerName": "user-test", + "consoleMigrationStatus": "N/A", + "coreCount": 2, + "missingPermissions": [ + "user-action-needed-bluetooth-per", + "user_action_needed_fda" + ], + "cpuCount": 2, + "cpuId": "CPU Name", + "createdAt": 
"2022-03-19T09:12:00.519500Z", + "detectionState": null, + "domain": "WORKGROUP", + "encryptedApplications": false, + "externalId": "", + "externalIp": "81.2.69.143", + "firewallEnabled": true, + "firstFullModeTime": null, + "groupId": "1234567890123456789", + "groupIp": "81.2.69.144", + "groupName": "Default Group", + "id": "13491234512345", + "inRemoteShellSession": false, + "infected": true, + "installerType": ".msi", + "isActive": true, + "isDecommissioned": false, + "isPendingUninstall": false, + "isUninstalled": false, + "isUpToDate": true, + "lastActiveDate": "2022-03-17T09:51:28.506000Z", + "lastIpToMgmt": "81.2.69.145", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": true, + "locationType": "not_applicable", + "locations": null, + "machineType": "server", + "mitigationMode": "detect", + "mitigationModeSuspicious": "detect", + "modelName": "Compute Engine", + "networkInterfaces": [ + { + "gatewayIp": "81.2.69.145", + "gatewayMacAddress": "00-00-5E-00-53-00", + "id": "1234567890123456789", + "inet": [ + "81.2.69.144" + ], + "inet6": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + ], + "name": "Ethernet", + "physical": "00-00-5E-00-53-00" + } + ], + "networkQuarantineEnabled": false, + "networkStatus": "connected", + "operationalState": "na", + "operationalStateExpiration": null, + "osArch": "64 bit", + "osName": "Linux Server", + "osRevision": "1234", + "osStartTime": "2022-04-06T08:27:14Z", + "osType": "linux", + "osUsername": null, + "rangerStatus": "Enabled", + "rangerVersion": "21.x.x.x", + "registeredAt": "2022-04-06T08:26:45.515278Z", + "remoteProfilingState": "disabled", + "remoteProfilingStateExpiration": null, + "scanAbortedAt": null, + "scanFinishedAt": "2022-04-06T09:18:21.090855Z", + "scanStartedAt": "2022-04-06T08:26:52.838047Z", + "scanStatus": "finished", + "siteId": "1234567890123456789", + "siteName": "Default site", + "storageName": null, + "storageType": null, + "tags": { + "sentinelone": [ + { + "assignedBy": 
"test-user", + "assignedAt": "2018-02-27T04:49:26.257525Z", + "key": "key123", + "assignedById": "123456789012345678", + "id": "123456789012345678", + "value": "value123" + } + ] + }, + "threatRebootRequired": false, + "totalMemory": 1234, + "updatedAt": "2022-04-07T08:31:47.481227Z", + "userActionsNeeded": [ + "reboot_needed" + ], + "uuid": "XXX35XXX8Xfb4aX0X1X8X12X343X8X30" + } + ], + "pagination": { + "nextCursor": "efgh", + "totalItems": 2 + } + } + `}} + - path: /web/api/v2.1/agents + methods: ["GET"] + query_params: + sortOrder: asc + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [ + { + "accountId": "892341123451234512345", + "accountName": "ABC", + "activeDirectory": { + "computerDistinguishedName": null, + "computerMemberOf": [], + "lastUserDistinguishedName": null, + "lastUserMemberOf": [] + }, + "activeThreats": 7, + "agentVersion": "12.x.x.x", + "allowRemoteShell": true, + "appsVulnerabilityStatus": "not_applicable", + "cloudProviders": {}, + "computerName": "user-test", + "consoleMigrationStatus": "N/A", + "coreCount": 2, + "missingPermissions": [ + "user-action-needed-bluetooth-per", + "user_action_needed_fda" + ], + "cpuCount": 2, + "cpuId": "CPU Name", + "createdAt": "2022-03-18T09:12:00.519500Z", + "detectionState": null, + "domain": "WORKGROUP", + "encryptedApplications": false, + "externalId": "", + "externalIp": "81.2.69.143", + "firewallEnabled": true, + "firstFullModeTime": null, + "groupId": "1234567890123456789", + "groupIp": "81.2.69.144", + "groupName": "Default Group", + "id": "13491234512345", + "inRemoteShellSession": false, + "infected": true, + "installerType": ".msi", + "isActive": true, + "isDecommissioned": false, + "isPendingUninstall": false, + "isUninstalled": false, + "isUpToDate": true, + "lastActiveDate": "2022-03-17T09:51:28.506000Z", + "lastIpToMgmt": "81.2.69.145", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": 
true, + "locationType": "not_applicable", + "locations": null, + "machineType": "server", + "mitigationMode": "detect", + "mitigationModeSuspicious": "detect", + "modelName": "Compute Engine", + "networkInterfaces": [ + { + "gatewayIp": "81.2.69.145", + "gatewayMacAddress": "00-00-5E-00-53-00", + "id": "1234567890123456789", + "inet": [ + "81.2.69.144" + ], + "inet6": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + ], + "name": "Ethernet", + "physical": "00-00-5E-00-53-00" + } + ], + "networkQuarantineEnabled": false, + "networkStatus": "connected", + "operationalState": "na", + "operationalStateExpiration": null, + "osArch": "64 bit", + "osName": "Linux Server", + "osRevision": "1234", + "osStartTime": "2022-04-06T08:27:14Z", + "osType": "linux", + "osUsername": null, + "rangerStatus": "Enabled", + "rangerVersion": "21.x.x.x", + "registeredAt": "2022-04-06T08:26:45.515278Z", + "remoteProfilingState": "disabled", + "remoteProfilingStateExpiration": null, + "scanAbortedAt": null, + "scanFinishedAt": "2022-04-06T09:18:21.090855Z", + "scanStartedAt": "2022-04-06T08:26:52.838047Z", + "scanStatus": "finished", + "siteId": "1234567890123456789", + "siteName": "Default site", + "storageName": null, + "storageType": null, + "tags": { + "sentinelone": [ + { + "assignedBy": "test-user", + "assignedAt": "2018-02-27T04:49:26.257525Z", + "key": "key123", + "assignedById": "123456789012345678", + "id": "123456789012345678", + "value": "value123" + } + ] + }, + "threatRebootRequired": false, + "totalMemory": 1234, + "updatedAt": "2022-04-07T08:31:47.481227Z", + "userActionsNeeded": [ + "reboot_needed" + ], + "uuid": "XXX35XXX8Xfb4aX0X1X8X12X343X8X30" + } + ], + "pagination": { + "nextCursor": "abcd", + "totalItems": 2 + } + } + `}} + - path: /web/api/v2.1/cloud-detection/alerts + methods: ["GET"] + query_params: + sortOrder: asc + cursor: efgh + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [], + 
"pagination": { + "totalItems": 2, + "nextCursor": null + }, + "errors": [ + {} + ] + } + `}} + - path: /web/api/v2.1/cloud-detection/alerts + methods: ["GET"] + query_params: + sortOrder: asc + cursor: abcd + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [ + { + "targetProcessInfo": { + "tgtFileCreatedAt": "2018-02-28T05:49:26.257525Z", + "tgtFileIsSigned": "string", + "tgtFileOldPath": "string", + "tgtProcImagePath": "string", + "tgtProcSignedStatus": "string", + "tgtFileHashSha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", + "tgtProcStorylineId": "string", + "tgtProcPid": "12345", + "tgtProcCmdLine": "string", + "tgtProcName": "string", + "tgtFileModifiedAt": "2018-02-27T04:49:26.257525Z", + "tgtFileId": "string", + "tgtProcIntegrityLevel": "unknown", + "tgtFileHashSha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "tgtProcUid": "string", + "tgtProcessStartTime": "2018-02-27T04:49:26.257525Z", + "tgtFilePath": "string" + }, + "alertInfo": { + "createdAt": "2018-02-28T06:49:26.257525Z", + "srcIp": "81.2.69.142", + "incidentStatus": "string", + "registryOldValue": "string", + "alertId": "123456789123456789", + "dstPort": "1234", + "indicatorName": "string", + "registryPath": "string", + "loginType": "string", + "dstIp": "81.2.69.144", + "updatedAt": "2018-02-27T04:49:26.257525Z", + "indicatorDescription": "string", + "loginsUserName": "string", + "loginIsSuccessful": "string", + "indicatorCategory": "string", + "modulePath": "string", + "loginAccountSid": "string", + "dnsResponse": "string", + "netEventDirection": "string", + "registryValue": "string", + "srcMachineIp": "81.2.69.142", + "registryOldValueType": "string", + "eventType": "info", + "analystVerdict": "string", + "dvEventId": "string", + "dnsRequest": "string", + "loginIsAdministratorEquivalent": "string", + "loginAccountDomain": "string", + "tiIndicatorType": "string", + "moduleSha1": 
"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "source": "string", + "srcPort": "1234", + "tiIndicatorValue": "string", + "tiIndicatorSource": "string", + "reportedAt": "2018-02-27T04:49:26.257525Z", + "registryKeyPath": "string", + "tiIndicatorComparisonMethod": "string", + "hitType": "Events" + }, + "sourceProcessInfo": { + "integrityLevel": "unknown", + "pid": "12345", + "fileHashMd5": "5d41402abc4b2a76b9719d911017c592", + "filePath": "string", + "fileSignerIdentity": "string", + "pidStarttime": "2018-02-27T04:49:26.257525Z", + "storyline": "string", + "fileHashSha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "uniqueId": "string", + "user": "string", + "commandline": "string", + "name": "string", + "fileHashSha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", + "subsystem": "unknown" + }, + "ruleInfo": { + "severity": "Low", + "treatAsThreat": "UNDEFINED", + "id": "string", + "scopeLevel": "string", + "name": "string", + "description": "string" + }, + "sourceParentProcessInfo": { + "integrityLevel": "unknown", + "pid": "12345", + "fileHashMd5": "5d41402abc4b2a76b9719d911017c592", + "filePath": "string", + "fileSignerIdentity": "string", + "pidStarttime": "2018-02-27T04:49:26.257525Z", + "storyline": "string", + "fileHashSha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "uniqueId": "string", + "user": "string", + "commandline": "string", + "name": "string", + "fileHashSha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", + "subsystem": "unknown" + }, + "agentDetectionInfo": { + "osFamily": "string", + "uuid": "string", + "osName": "string", + "version": "3.x.x.x", + "siteId": "123456789123456789", + "name": "string", + "machineType": "string", + "osRevision": "string" + }, + "kubernetesInfo": { + "controllerName": "string", + "node": "string", + "namespace": "string", + "namespaceLabels": "string", + "pod": "string", + "controllerLabels": "string", + "controllerKind": "string", + "cluster": "string", + 
"podLabels": "string" + }, + "containerInfo": { + "id": "string", + "name": "string", + "image": "string", + "labels": "string" + } + } + ], + "pagination": { + "totalItems": 2, + "nextCursor": "efgh" + }, + "errors": [ + {} + ] + } + `}} + - path: /web/api/v2.1/cloud-detection/alerts + methods: ["GET"] + query_params: + sortOrder: asc + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: | + {{ minify_json ` + { + "data": [ + { + "targetProcessInfo": { + "tgtFileCreatedAt": "2018-02-27T04:49:26.257525Z", + "tgtFileIsSigned": "string", + "tgtFileOldPath": "string", + "tgtProcImagePath": "string", + "tgtProcSignedStatus": "string", + "tgtFileHashSha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", + "tgtProcStorylineId": "string", + "tgtProcPid": "12345", + "tgtProcCmdLine": "string", + "tgtProcName": "string", + "tgtFileModifiedAt": "2018-02-27T04:49:26.257525Z", + "tgtFileId": "string", + "tgtProcIntegrityLevel": "unknown", + "tgtFileHashSha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "tgtProcUid": "string", + "tgtProcessStartTime": "2018-02-27T04:49:26.257525Z", + "tgtFilePath": "string" + }, + "alertInfo": { + "createdAt": "2018-02-27T04:49:26.257525Z", + "srcIp": "81.2.69.142", + "incidentStatus": "open", + "registryOldValue": "string", + "alertId": "888456789123456789", + "dstPort": "1234", + "indicatorName": "string", + "registryPath": "string", + "loginType": "login", + "dstIp": "81.2.69.144", + "updatedAt": "2018-02-27T04:49:26.257525Z", + "indicatorDescription": "string", + "loginsUserName": "string", + "loginIsSuccessful": "string", + "indicatorCategory": "string", + "modulePath": "string", + "loginAccountSid": "string", + "dnsResponse": "string", + "netEventDirection": "string", + "registryValue": "string", + "srcMachineIp": "81.2.69.142", + "registryOldValueType": "string", + "eventType": "info", + "analystVerdict": "string", + "dvEventId": "string", + "dnsRequest": "string", + 
"loginIsAdministratorEquivalent": "string", + "loginAccountDomain": "string", + "tiIndicatorType": "string", + "moduleSha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "source": "string", + "srcPort": "1234", + "tiIndicatorValue": "string", + "tiIndicatorSource": "string", + "reportedAt": "2018-02-27T04:49:26.257525Z", + "registryKeyPath": "string", + "tiIndicatorComparisonMethod": "string", + "hitType": "Events" + }, + "sourceProcessInfo": { + "integrityLevel": "unknown", + "pid": "12345", + "fileHashMd5": "5d41402abc4b2a76b9719d911017c592", + "filePath": "string", + "fileSignerIdentity": "string", + "pidStarttime": "2018-02-27T04:49:26.257525Z", + "storyline": "string", + "fileHashSha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "uniqueId": "string", + "user": "string", + "commandline": "string", + "name": "string", + "fileHashSha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", + "subsystem": "unknown" + }, + "ruleInfo": { + "severity": "Low", + "treatAsThreat": "UNDEFINED", + "id": "string", + "scopeLevel": "string", + "name": "string", + "description": "string" + }, + "sourceParentProcessInfo": { + "integrityLevel": "unknown", + "pid": "12345", + "fileHashMd5": "5d41402abc4b2a76b9719d911017c592", + "filePath": "string", + "fileSignerIdentity": "string", + "pidStarttime": "2018-02-27T04:49:26.257525Z", + "storyline": "string", + "fileHashSha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "uniqueId": "string", + "user": "string", + "commandline": "string", + "name": "string", + "fileHashSha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", + "subsystem": "unknown" + }, + "agentDetectionInfo": { + "osFamily": "string", + "uuid": "string", + "osName": "string", + "version": "3.x.x.x", + "siteId": "123456789123456789", + "name": "string", + "machineType": "string", + "osRevision": "string" + }, + "kubernetesInfo": { + "controllerName": "string", + "node": "string", + "namespace": "string", + "namespaceLabels": 
"string", + "pod": "string", + "controllerLabels": "string", + "controllerKind": "string", + "cluster": "string", + "podLabels": "string" + }, + "containerInfo": { + "id": "string", + "name": "string", + "image": "string", + "labels": "string" + } + } + ], + "pagination": { + "totalItems": 2, + "nextCursor": "abcd" + }, + "errors": [ + {} + ] + } + `}} + - path: /web/api/v2.1/groups + methods: ["GET"] + query_params: + sortOrder: asc + cursor: efgh + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [], + "pagination": { + "nextCursor": null, + "totalItems": 4 + } + } + `}} + - path: /web/api/v2.1/groups + methods: ["GET"] + query_params: + sortOrder: asc + cursor: abcd + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [ + { + "createdAt": "2022-04-07T16:01:56.928383Z", + "creator": "Test User3", + "creatorId": "09099890123456789", + "filterId": null, + "filterName": null, + "id": "18989567890123456789", + "inherits": true, + "isDefault": true, + "name": "Default Group", + "rank": null, + "registrationToken": "eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=", + "siteId": "1234567890123456789", + "totalAgents": 1, + "type": "static", + "updatedAt": "2022-04-08T16:01:57.564266Z" + }, + { + "createdAt": "2022-04-08T16:01:56.928383Z", + "creator": "Test Use4r", + "creatorId": "08884567890123456789", + "filterId": null, + "filterName": null, + "id": "11134567890123456789", + "inherits": true, + "isDefault": true, + "name": "Default Group", + "rank": null, + "registrationToken": "eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=", + "siteId": "1234567890123456789", + "totalAgents": 1, + "type": "static", + "updatedAt": "2022-04-09T16:01:57.564266Z" + } + ], + "pagination": { + "nextCursor": "efgh", + "totalItems": 4 + } + } + `}} + - 
path: /web/api/v2.1/groups + methods: ["GET"] + query_params: + sortOrder: asc + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [ + { + "createdAt": "2022-04-05T16:01:56.928383Z", + "creator": "Test User", + "creatorId": "1234567890123456789", + "filterId": null, + "filterName": null, + "id": "1234567890123456789", + "inherits": true, + "isDefault": true, + "name": "Default Group", + "rank": null, + "registrationToken": "eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=", + "siteId": "1234567890123456789", + "totalAgents": 1, + "type": "static", + "updatedAt": "2022-04-05T16:01:57.564266Z" + }, + { + "createdAt": "2022-04-06T16:01:56.928383Z", + "creator": "Test User1", + "creatorId": "3334567890123456789", + "filterId": null, + "filterName": null, + "id": "1333367890123456789", + "inherits": true, + "isDefault": true, + "name": "Default Group", + "rank": null, + "registrationToken": "eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=", + "siteId": "1234567890123456789", + "totalAgents": 1, + "type": "static", + "updatedAt": "2022-04-05T16:01:57.564266Z" + } + ], + "pagination": { + "nextCursor": "abcd", + "totalItems": 4 + } + } + `}} + - path: /web/api/v2.1/threats + methods: ["GET"] + query_params: + sortOrder: asc + cursor: efgh + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [], + "pagination": { + "nextCursor": null, + "totalItems": 2 + } + } + `}} + - path: /web/api/v2.1/threats + methods: ["GET"] + query_params: + sortOrder: asc + cursor: abcd + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [ + { + "agentDetectionInfo": { + "accountId": "111245567890123456789", + "accountName": "Default2", + "agentDetectionState": null, + 
"agentDomain": "WORKGROUP", + "agentIpV4": "127.0.0.1", + "agentIpV6": "2a02:cf40::", + "agentLastLoggedInUpn": null, + "agentLastLoggedInUserMail": null, + "agentLastLoggedInUserName": "", + "agentMitigationMode": "protect", + "agentOsName": "linux", + "agentOsRevision": "1234", + "agentRegisteredAt": "2022-04-08T08:26:45.515278Z", + "agentUuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx", + "agentVersion": "21.x.x", + "cloudProviders": {}, + "externalIp": "81.2.69.143", + "groupId": "1444567890123456789", + "groupName": "Default Group", + "siteId": "1234567890123456789", + "siteName": "Default site" + }, + "agentRealtimeInfo": { + "accountId": "1456567890123456789", + "accountName": "Default2", + "activeThreats": 8, + "agentComputerName": "test-LINUX", + "agentDecommissionedAt": null, + "agentDomain": "WORKGROUP", + "agentId": "1234567890123456789", + "agentInfected": true, + "agentIsActive": true, + "agentIsDecommissioned": false, + "agentMachineType": "server", + "agentMitigationMode": "detect", + "agentNetworkStatus": "connected", + "agentOsName": "linux", + "agentOsRevision": "1234", + "agentOsType": "linux", + "agentUuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx", + "agentVersion": "21.x.x.1234", + "groupId": "1234567890123456789", + "groupName": "Default Group", + "networkInterfaces": [ + { + "id": "1234567890123456789", + "inet": [ + "10.0.0.1" + ], + "inet6": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + ], + "name": "Ethernet", + "physical": "DE:AD:00:00:BE:EF" + } + ], + "operationalState": "na", + "rebootRequired": false, + "scanAbortedAt": null, + "scanFinishedAt": "2022-04-09T09:18:21.090855Z", + "scanStartedAt": "2022-04-09T08:26:52.838047Z", + "scanStatus": "finished", + "siteId": "1234567890123456789", + "siteName": "Default site", + "storageName": null, + "storageType": null, + "userActionsNeeded": [] + }, + "containerInfo": { + "id": null, + "image": null, + "labels": null, + "name": null + }, + "id": "1234567890123456789", + "indicators": [], + "kubernetesInfo": 
{ + "cluster": null, + "controllerKind": null, + "controllerLabels": null, + "controllerName": null, + "namespace": null, + "namespaceLabels": null, + "node": null, + "pod": null, + "podLabels": null + }, + "mitigationStatus": [ + { + "action": "unquarantine", + "actionsCounters": { + "failed": 0, + "notFound": 0, + "pendingReboot": 0, + "success": 1, + "total": 1 + }, + "agentSupportsReport": true, + "groupNotFound": false, + "lastUpdate": "2022-04-06T08:54:17.198002Z", + "latestReport": "/threats/mitigation-report", + "mitigationEndedAt": "2022-04-06T08:54:17.101000Z", + "mitigationStartedAt": "2022-04-06T08:54:17.101000Z", + "status": "success" + }, + { + "action": "kill", + "actionsCounters": null, + "agentSupportsReport": true, + "groupNotFound": false, + "lastUpdate": "2022-04-06T08:45:55.303355Z", + "latestReport": null, + "mitigationEndedAt": "2022-04-06T08:45:55.297364Z", + "mitigationStartedAt": "2022-04-06T08:45:55.297363Z", + "status": "success" + } + ], + "threatInfo": { + "analystVerdict": "undefined", + "analystVerdictDescription": "Undefined", + "automaticallyResolved": false, + "browserType": null, + "certificateId": "", + "classification": "Trojan", + "classificationSource": "Cloud", + "cloudFilesHashVerdict": "black", + "collectionId": "1234567890123456789", + "confidenceLevel": "malicious", + "createdAt": "2022-04-06T08:45:54.519988Z", + "detectionEngines": [ + { + "key": "sentinelone_cloud", + "title": "SentinelOne Cloud" + } + ], + "detectionType": "static", + "engines": [ + "SentinelOne Cloud" + ], + "externalTicketExists": false, + "externalTicketId": null, + "failedActions": false, + "fileExtension": "EXE", + "fileExtensionType": "Executable", + "filePath": "default.exe", + "fileSize": 1234, + "fileVerificationType": "NotSigned", + "identifiedAt": "2022-04-06T08:45:53.968000Z", + "incidentStatus": "unresolved", + "incidentStatusDescription": "Unresolved", + "initiatedBy": "agent_policy", + "initiatedByDescription": "Agent Policy", + 
"initiatingUserId": null, + "initiatingUsername": null, + "isFileless": false, + "isValidCertificate": false, + "maliciousProcessArguments": null, + "md5": null, + "mitigatedPreemptively": false, + "mitigationStatus": "not_mitigated", + "mitigationStatusDescription": "Not mitigated", + "originatorProcess": "default.exe", + "pendingActions": false, + "processUser": "test user", + "publisherName": "", + "reachedEventsLimit": false, + "rebootRequired": false, + "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "sha256": null, + "storyline": "D0XXXXXXXXXXAF4D", + "threatId": "1234567890123456789", + "threatName": "default.exe", + "updatedAt": "2022-04-06T08:54:17.194122Z" + }, + "whiteningOptions": [ + "hash" + ] + } + ], + "pagination": { + "nextCursor": "efgh", + "totalItems": 2 + } + } + `}} + - path: /web/api/v2.1/threats + methods: ["GET"] + query_params: + sortOrder: asc + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [ + { + "agentDetectionInfo": { + "accountId": "1234567890123456789", + "accountName": "Default", + "agentDetectionState": null, + "agentDomain": "WORKGROUP", + "agentIpV4": "10.0.0.1", + "agentIpV6": "2a02:cf40::", + "agentLastLoggedInUpn": null, + "agentLastLoggedInUserMail": null, + "agentLastLoggedInUserName": "", + "agentMitigationMode": "protect", + "agentOsName": "linux", + "agentOsRevision": "1234", + "agentRegisteredAt": "2022-04-06T08:26:45.515278Z", + "agentUuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx", + "agentVersion": "21.x.x", + "cloudProviders": {}, + "externalIp": "81.2.69.143", + "groupId": "1234567890123456789", + "groupName": "Default Group", + "siteId": "1234567890123456789", + "siteName": "Default site" + }, + "agentRealtimeInfo": { + "accountId": "1234567890123456789", + "accountName": "Default", + "activeThreats": 7, + "agentComputerName": "test-LINUX", + "agentDecommissionedAt": null, + "agentDomain": "WORKGROUP", + "agentId": 
"1234567890123456789", + "agentInfected": true, + "agentIsActive": true, + "agentIsDecommissioned": false, + "agentMachineType": "server", + "agentMitigationMode": "detect", + "agentNetworkStatus": "connected", + "agentOsName": "linux", + "agentOsRevision": "1234", + "agentOsType": "linux", + "agentUuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx", + "agentVersion": "21.x.x.1234", + "groupId": "1234567890123456789", + "groupName": "Default Group", + "networkInterfaces": [ + { + "id": "1234567890123456789", + "inet": [ + "10.0.0.1" + ], + "inet6": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + ], + "name": "Ethernet", + "physical": "DE:AD:00:00:BE:EF" + } + ], + "operationalState": "na", + "rebootRequired": false, + "scanAbortedAt": null, + "scanFinishedAt": "2022-04-06T09:18:21.090855Z", + "scanStartedAt": "2022-04-06T08:26:52.838047Z", + "scanStatus": "finished", + "siteId": "1234567890123456789", + "siteName": "Default site", + "storageName": null, + "storageType": null, + "userActionsNeeded": [] + }, + "containerInfo": { + "id": null, + "image": null, + "labels": null, + "name": null + }, + "id": "1234567890123456789", + "indicators": [], + "kubernetesInfo": { + "cluster": null, + "controllerKind": null, + "controllerLabels": null, + "controllerName": null, + "namespace": null, + "namespaceLabels": null, + "node": null, + "pod": null, + "podLabels": null + }, + "mitigationStatus": [ + { + "action": "unquarantine", + "actionsCounters": { + "failed": 0, + "notFound": 0, + "pendingReboot": 0, + "success": 1, + "total": 1 + }, + "agentSupportsReport": true, + "groupNotFound": false, + "lastUpdate": "2022-04-06T08:54:17.198002Z", + "latestReport": "/threats/mitigation-report", + "mitigationEndedAt": "2022-04-06T08:54:17.101000Z", + "mitigationStartedAt": "2022-04-06T08:54:17.101000Z", + "status": "success" + }, + { + "action": "kill", + "actionsCounters": null, + "agentSupportsReport": true, + "groupNotFound": false, + "lastUpdate": "2022-04-06T08:45:55.303355Z", + 
"latestReport": null, + "mitigationEndedAt": "2022-04-06T08:45:55.297364Z", + "mitigationStartedAt": "2022-04-06T08:45:55.297363Z", + "status": "success" + } + ], + "threatInfo": { + "analystVerdict": "undefined", + "analystVerdictDescription": "Undefined", + "automaticallyResolved": false, + "browserType": null, + "certificateId": "", + "classification": "Trojan", + "classificationSource": "Cloud", + "cloudFilesHashVerdict": "black", + "collectionId": "1234567890123456789", + "confidenceLevel": "malicious", + "createdAt": "2022-04-06T08:45:54.519988Z", + "detectionEngines": [ + { + "key": "sentinelone_cloud", + "title": "SentinelOne Cloud" + } + ], + "detectionType": "static", + "engines": [ + "SentinelOne Cloud" + ], + "externalTicketExists": false, + "externalTicketId": null, + "failedActions": false, + "fileExtension": "EXE", + "fileExtensionType": "Executable", + "filePath": "default.exe", + "fileSize": 1234, + "fileVerificationType": "NotSigned", + "identifiedAt": "2022-04-06T08:45:53.968000Z", + "incidentStatus": "unresolved", + "incidentStatusDescription": "Unresolved", + "initiatedBy": "agent_policy", + "initiatedByDescription": "Agent Policy", + "initiatingUserId": null, + "initiatingUsername": null, + "isFileless": false, + "isValidCertificate": false, + "maliciousProcessArguments": null, + "md5": null, + "mitigatedPreemptively": false, + "mitigationStatus": "not_mitigated", + "mitigationStatusDescription": "Not mitigated", + "originatorProcess": "default.exe", + "pendingActions": false, + "processUser": "test user", + "publisherName": "", + "reachedEventsLimit": false, + "rebootRequired": false, + "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "sha256": null, + "storyline": "D0XXXXXXXXXXAF4D", + "threatId": "1234567890123456789", + "threatName": "default.exe", + "updatedAt": "2022-04-06T08:55:17.194122Z" + }, + "whiteningOptions": [ + "hash" + ] + } + ], + "pagination": { + "nextCursor": "abcd", + "totalItems": 2 + } + } + `}} + - path: 
/web/api/v2.1/application-management/inventory + methods: ['GET'] + query_params: + skipCount: "true" + limit: 2 + cursor: abcd + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "applicationName": "Elastic Agent", + "applicationVendor": "Elastic", + "applicationVersionsCount": 1, + "endpointsCount": 1, + "estimate": false + }, + { + "applicationName": "Git", + "applicationVendor": "The Git Development Community", + "applicationVersionsCount": 1, + "endpointsCount": 1, + "estimate": false + } + ], + "pagination": { + "nextCursor": "efgh", + "totalItems": 0 + } + } + `}} + - path: /web/api/v2.1/application-management/inventory + methods: ['GET'] + query_params: + skipCount: "true" + limit: 2 + cursor: efgh + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [], + "pagination": { + "nextCursor": null, + "totalItems": 0 + } + } + `}} + - path: /web/api/v2.1/application-management/inventory + methods: ['GET'] + query_params: + skipCount: "true" + limit: 2 + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "applicationName": "7-Zip", + "applicationVendor": "Igor Pavlov", + "applicationVersionsCount": 1, + "endpointsCount": 1, + "estimate": false + }, + { + "applicationName": "Brave", + "applicationVendor": "Brave Software Inc", + "applicationVersionsCount": 1, + "endpointsCount": 1, + "estimate": false + } + ], + "pagination": { + "nextCursor": "abcd", + "totalItems": 0 + } + } + `}} + - path: /web/api/v2.1/application-management/inventory/endpoints + methods: ['GET'] + query_params: + applicationName: Git + applicationVendor: The Git Development Community + 
skipCount: "true" + limit: 2 + cursor: xxxxx + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [], + "pagination": { + "nextCursor": null, + "totalItems": 0 + } + } + `}} + - path: /web/api/v2.1/application-management/inventory/endpoints + methods: ['GET'] + query_params: + applicationName: 7-Zip + applicationVendor: Igor Pavlov + skipCount: "true" + limit: 2 + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "accountName": "7-Zip", + "applicationInstallationDate": "2025-04-13T10:45:01Z", + "applicationInstallationPath": null, + "applicationName": "Igor Pavlov", + "coreCount": 2, + "cpe": "cpe:2.3:a:abc:igor:8.17.3:*:*:*:*:*:*:*", + "cpuCount": 1, + "detectionDate": "2025-06-19T18:00:51.166610Z", + "endpointId": "216970508828266268", + "endpointName": "srv-win-defend-03", + "endpointType": "server", + "endpointUuid": "eb655be8be894dae97711ebb9a9091ae", + "fileSize": 517364, + "groupName": "Default Group", + "id": "2218357748550497214", + "osArch": "64 bit", + "osName": "Windows Server 2022 Datacenter", + "osType": "windows", + "osVersion": "Windows Server 2022 Datacenter 20348", + "siteName": "Default site", + "version": "8.17.3" + } + ], + "pagination": { + "nextCursor": null, + "totalItems": 1 + } + } + `}} + - path: /web/api/v2.1/application-management/inventory/endpoints + methods: ['GET'] + query_params: + applicationName: Brave + applicationVendor: Brave Software Inc + skipCount: "true" + limit: 2 + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "accountName": "Brave", + "applicationInstallationDate": "2025-03-13T10:45:01Z", + 
"applicationInstallationPath": null, + "applicationName": "Brave Software Inc", + "coreCount": 2, + "cpe": "cpe:2.3:a:elastic:elastic_agent:8.17.3:*:*:*:*:*:*:*", + "cpuCount": 1, + "detectionDate": "2025-05-19T18:00:51.166610Z", + "endpointId": "2169705024028266268", + "endpointName": "srv-win-defend-03", + "endpointType": "server", + "endpointUuid": "eb655be8be894dae97711ebb9a9091ae", + "fileSize": 517364, + "groupName": "Default Group", + "id": "2218357748550497214", + "osArch": "64 bit", + "osName": "Windows Server 2022 Datacenter", + "osType": "windows", + "osVersion": "Windows Server 2022 Datacenter 20348", + "siteName": "Default site", + "version": "8.17.3" + } + ], + "pagination": { + "nextCursor": null, + "totalItems": 1 + } + } + `}} + - path: /web/api/v2.1/application-management/inventory/endpoints + methods: ['GET'] + query_params: + applicationName: Elastic Agent + applicationVendor: Elastic + skipCount: "true" + limit: 2 + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "accountName": "Elastic", + "applicationInstallationDate": "2025-03-13T10:45:01Z", + "applicationInstallationPath": null, + "applicationName": "Elastic Agent", + "coreCount": 2, + "cpe": "cpe:2.3:a:elastic:elastic_agent:8.17.3:*:*:*:*:*:*:*", + "cpuCount": 1, + "detectionDate": "2025-05-19T18:00:51.166610Z", + "endpointId": "2169705024028266268", + "endpointName": "srv-win-defend-03", + "endpointType": "server", + "endpointUuid": "eb655be8be894dae97711ebb9a9091ae", + "fileSize": 517364, + "groupName": "Default Group", + "id": "2218357748550497214", + "osArch": "64 bit", + "osName": "Windows Server 2022 Datacenter", + "osType": "windows", + "osVersion": "Windows Server 2022 Datacenter 20348", + "siteName": "Default site", + "version": "8.17.3" + } + ], + "pagination": { + "nextCursor": null, + "totalItems": 1 + } + } + `}} + - path: 
/web/api/v2.1/application-management/inventory/endpoints + methods: ['GET'] + query_params: + applicationName: Git + applicationVendor: The Git Development Community + skipCount: "true" + limit: 2 + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "accountName": "Git", + "applicationInstallationDate": "2025-08-13T10:45:01Z", + "applicationInstallationPath": null, + "applicationName": "The Git Development Community", + "coreCount": 2, + "cpe": "cpe:2.3:a:elastic:git:8.17.3:*:*:*:*:*:*:*", + "cpuCount": 1, + "detectionDate": "2025-05-29T18:00:51.166610Z", + "endpointId": "2169705024028266268", + "endpointName": "srv-win-defend-05", + "endpointType": "server", + "endpointUuid": "eb65e894dae97711ebb9a9091ae", + "fileSize": 517364, + "groupName": "Default Group", + "id": "22183577485514", + "osArch": "64 bit", + "osName": "Windows Server 2022 Datacenter", + "osType": "windows", + "osVersion": "Windows Server 2022 Datacenter 20348", + "siteName": "Default site", + "version": "8.17.3" + } + ], + "pagination": { + "nextCursor": "xxxxx", + "totalItems": 1 + } + } + `}} + - path: /web/api/v2.1/application-management/risks + methods: ['GET'] + query_params: + limit: 2 + cursor: null + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "application": "7-Zip 22.01", + "applicationName": "7-Zip", + "applicationVendor": "Igor Pavlov", + "applicationVersion": "22.01", + "baseScore": "7.00", + "cveId": "CVE-2025-0411", + "cvssVersion": "3.1", + "daysDetected": 59, + "detectionDate": "2025-06-02T04:46:51.710569Z", + "endpointId": "2162143406517023959", + "endpointName": "test_endpoint", + "endpointType": "desktop", + "id": "2228104980801805822", + "lastScanDate": "2025-07-29T19:25:47Z", + "lastScanResult": 
"Succeeded", + "markType": "", + "markedBy": null, + "markedDate": null, + "osType": "windows", + "publishedDate": "2025-01-20T07:04:04Z", + "reason": null, + "severity": "HIGH", + "status": "Detected" + }, + { + "application": "7-Zip 22.01", + "applicationName": "7-Zip", + "applicationVendor": "Igor Pavlov", + "applicationVersion": "22.01", + "baseScore": "7.80", + "cveId": "CVE-2024-11477", + "cvssVersion": "3.1", + "daysDetected": 59, + "detectionDate": "2025-06-02T04:46:51.710578Z", + "endpointId": "2162143406517023959", + "endpointName": "example_endpoint", + "endpointType": "desktop", + "id": "2228104981028298282", + "lastScanDate": "2025-07-29T19:25:47Z", + "lastScanResult": "Succeeded", + "markType": "", + "markedBy": null, + "markedDate": null, + "osType": "windows", + "publishedDate": "2024-11-21T06:42:16Z", + "reason": null, + "severity": "HIGH", + "status": "Detected" + } + ], + "pagination": { + "nextCursor": "page2", + "totalItems": 5 + } + } + `}} + - path: /web/api/v2.1/application-management/risks + methods: ['GET'] + query_params: + limit: 2 + cursor: page2 + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "application": "Microsoft Edge 112.0.1722.68", + "applicationName": "Microsoft Edge", + "applicationVendor": "Microsoft Corporation", + "applicationVersion": "112.0.1722.68", + "baseScore": "4.30", + "cveId": "CVE-2024-29057", + "cvssVersion": "3.1", + "daysDetected": 59, + "detectionDate": "2025-06-02T04:46:51.710587Z", + "endpointId": "2162143406517023959", + "endpointName": "DESKTOP-example", + "endpointType": "desktop", + "id": "2228104981036686896", + "lastScanDate": "2025-07-29T19:25:47Z", + "lastScanResult": "Succeeded", + "markType": "", + "markedBy": null, + "markedDate": null, + "osType": "windows", + "publishedDate": "2024-03-22T22:15:00Z", + "reason": null, + "severity": "MEDIUM", + "status": 
"Detected" + }, + { + "application": "Microsoft Edge 112.0.1722.68", + "applicationName": "Microsoft Edge", + "applicationVendor": "Microsoft Corporation", + "applicationVersion": "112.0.1722.68", + "baseScore": "6.10", + "cveId": "CVE-2024-38156", + "cvssVersion": "3.1", + "daysDetected": 59, + "detectionDate": "2025-06-02T04:46:51.710591Z", + "endpointId": "2162143406517023959", + "endpointName": "DESKTOP-test", + "endpointType": "desktop", + "id": "2228104981070241336", + "lastScanDate": "2025-07-29T19:25:47Z", + "lastScanResult": "Succeeded", + "markType": "", + "markedBy": null, + "markedDate": null, + "osType": "windows", + "publishedDate": "2024-07-18T05:39:23Z", + "reason": null, + "severity": "MEDIUM", + "status": "Detected" + } + ], + "pagination": { + "nextCursor": "page3", + "totalItems": 5 + } + } + `}} + - path: /web/api/v2.1/application-management/risks + methods: ['GET'] + query_params: + limit: 2 + cursor: page3 + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "application": "Microsoft Edge 112.0.1722.68", + "applicationName": "Microsoft Edge", + "applicationVendor": "Microsoft Corporation", + "applicationVersion": "112.0.1722.68", + "baseScore": "6.50", + "cveId": "CVE-2024-38222", + "cvssVersion": "3.1", + "daysDetected": 59, + "detectionDate": "2025-06-02T04:46:51.710593Z", + "endpointId": "2162143406517023959", + "endpointName": "DESKTOP-R1E2DQ2", + "endpointType": "desktop", + "id": "2228104981095407166", + "lastScanDate": "2025-07-29T19:25:47Z", + "lastScanResult": "Succeeded", + "markType": "", + "markedBy": null, + "markedDate": null, + "osType": "windows", + "publishedDate": "2024-08-13T18:27:28Z", + "reason": null, + "severity": "MEDIUM", + "status": "Detected" + } + ], + "pagination": { + "nextCursor": null, + "totalItems": 5 + } + } + `}} 
diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/changelog.yml b/test/packages/benchmarks/system_benchmark_sentinel_one/changelog.yml
new file mode 100644
index 0000000000..86503ed4d8
--- /dev/null
+++ b/test/packages/benchmarks/system_benchmark_sentinel_one/changelog.yml
@@ -0,0 +1,320 @@
+# newer versions go on top
+- version: "1.41.0"
+ changes:
+ - description: Add configuration option to filter results by Site IDs in the application data stream, improve UI layout, and readme document.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15446
+ - description: 'Enhanced error handling in the CEL program for API calls to prevent "no such key: batch_size" errors in the application risk data stream.'
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/15446
+- version: "1.40.0"
+ changes:
+ - description: Update deprecated visualization charts and implemented best practices in the existing dashboards.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15437
+- version: "1.39.0"
+ changes:
+ - description: Update README instructions for generating the API token.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15420
+- version: "1.38.0"
+ changes:
+ - description: Add support for application risk data stream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/14910
+- version: "1.37.0"
+ changes:
+ - description: Add support for application data stream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/14834
+- version: "1.36.0"
+ changes:
+ - description: Add configuration option to filter results by Site IDs.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/14302
+- version: "1.35.1"
+ changes:
+ - description: Add temporary processor to remove the fields added by the Agentless policy.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/14172
+- version: "1.35.0"
+ changes:
+ - description: Normalize `event.severity` values across EDR integrations.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/13955
+- version: "1.34.2"
+ changes:
+ - description: Fix the `Activities by OS Family` visualization in the Activities dashboard.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/13943
+- version: "1.34.1"
+ changes:
+ - description: Fix default request trace enabled behavior.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/13712
+- version: "1.34.0"
+ changes:
+ - description: Populate ECS field `message` for threat, alert and activity datastreams.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/13628
+- version: "1.33.0"
+ changes:
+ - description: Update `host.*` ECS mappings.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/13373
+- version: "1.32.0"
+ changes:
+ - description: Updated integration logo.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/12345
+- version: "1.31.1"
+ changes:
+ - description: Fix handling of events with empty string values.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/13478
+- version: "1.31.0"
+ changes:
+ - description: Enable request trace log removal.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/13452
+- version: "1.30.0"
+ changes:
+ - description: Add agentless deployment.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/13107
+- version: "1.29.1"
+ changes:
+ - description: Updated SSL description in package manifest.yml to be uniform and to include links to documentation.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/12781
+- version: "1.29.0"
+ changes:
+ - description: Update Kibana constraint to support 9.0.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/12593
+- version: "1.28.0"
+ changes:
+ - description: Handle comma-separated IP lists.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/12702
+ - description: Improve error handling.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/12702
+- version: "1.27.0"
+ changes:
+ - description: Do not remove `event.original` in main ingest pipeline.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/12076
+- version: "1.26.0"
+ changes:
+ - description: Add "preserve_original_event" tag to documents with `event.kind` set to "pipeline_error".
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/12046
+- version: "1.25.1"
+ changes:
+ - description: Document limitation for using the alert data stream in on-premises environments.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11036
+- version: "1.25.0"
+ changes:
+ - description: Add agent.* to alerts data.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10345
+- version: "1.24.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
+- version: "1.23.3"
+ changes:
+ - description: Fix sample event MAC address.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10186
+- version: "1.23.2"
+ changes:
+ - description: Change default interval to 30s for all data streams.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10103
+- version: "1.23.1"
+ changes:
+ - description: Fix sample event.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10136
+- version: "1.23.0"
+ changes:
+ - description: Make `host.ip` field conform to ECS field definition.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10120
+- version: "1.22.0"
+ changes:
+ - description: Add agent.id to all agent related data.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10102
+- version: "1.21.1"
+ changes:
+ - description: Fix Ingest Pipline Error in SentinelOne Package with k8s Elastic Agent.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9927
+- version: "1.21.0"
+ changes:
+ - description: Improve handling of empty responses.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9974
+- version: "1.20.0"
+ changes:
+ - description: Set sensitive values as secret and fix incorrect mappings.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9128
+- version: "1.19.2"
+ changes:
+ - description: Changed owners
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8943
+- version: "1.19.1"
+ changes:
+ - description: Add information to README about support for response actions
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8611
+- version: "1.19.0"
+ changes:
+ - description: Limit request tracer log count to five.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8489
+- version: 1.18.0
+ changes:
+ - description: ECS version updated to 8.11.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8436
+- version: "1.17.0"
+ changes:
+ - description: Improve 'event.original' check to avoid errors if set.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8269
+- version: "1.16.1"
+ changes:
+ - description: Add support for a missing field.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/8270
+- version: 1.16.0
+ changes:
+ - description: Update the package format_version to 3.0.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8025
+- version: "1.15.0"
+ changes:
+ - description: Correct invalid ECS field usages at root-level.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7985
+- version: "1.14.0"
+ changes:
+ - description: ECS version updated to 8.10.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7919
+- version: "1.13.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "1.12.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7110
+- version: "1.11.0"
+ changes:
+ - description: Convert dashboards to Lens.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6932
+- version: "1.10.0"
+ changes:
+ - description: Ensure event.kind is correctly set for pipeline errors.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6663
+- version: "1.9.0"
+ changes:
+ - description: Update package to ECS 8.8.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6327
+- version: "1.8.0"
+ changes:
+ - description: Update package-spec version to 2.7.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6297
+- version: "1.7.0"
+ changes:
+ - description: Add a new flag to enable request tracing
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6115
+- version: "1.6.0"
+ changes:
+ - description: Update package to ECS 8.7.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/5765
+- version: "1.5.2"
+ changes:
+ - description: Added categories and/or subcategories.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/5123
+- version: "1.5.1"
+ changes:
+ - description: Set event.id from SentinelOne Threat ID
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/4840
+- version: "1.5.0"
+ changes:
+ - description: Update package to ECS 8.6.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/4576
+- version: "1.4.0"
+ changes:
+ - description: Add an on_failure processor to the date processor and update the pagination termination condition.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/4677
+ - description: Update newValue field type in Activity data stream.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/4677
+- version: "1.3.0"
+ changes:
+ - description: Update package to ECS 8.5.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/4285
+- version: "1.2.2"
+ changes:
+ - description: Ensure stability of related.hash array ordering.
+ type: bugfix
+ link: https://github.com/elastic/integrations/issues/4296
+- version: "1.2.1"
+ changes:
+ - description: Enrich the event.category, event.type, event.kind and event.outcome field based on activity.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3787
+- version: "1.2.0"
+ changes:
+ - description: Set event.kind to alert for Sentinel One Threats.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3669
+- version: "1.1.0"
+ changes:
+ - description: Update package to ECS 8.4.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3910
+- version: "1.0.0"
+ changes:
+ - description: Make GA
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3859
+- version: "0.2.1"
+ changes:
+ - description: Fix proxy URL documentation rendering.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3881
+- version: "0.2.0"
+ changes:
+ - description: Update package to ECS 8.3.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3353
+- version: "0.1.0"
+ changes:
+ - description: Initial Release
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3232
diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/benchmark/pipeline/alert-sample.log b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/benchmark/pipeline/alert-sample.log
new file mode 100644
index 0000000000..e5f0ca3268
--- /dev/null
+++ b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/benchmark/pipeline/alert-sample.log
@@ -0,0 +1,3 @@ +{"targetProcessInfo":{"tgtFileCreatedAt":"2018-02-27T04:49:26.257525Z","tgtFileIsSigned":"string","tgtFileOldPath":"string","tgtProcImagePath":"string","tgtProcSignedStatus":"string","tgtFileHashSha256":"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824","tgtProcStorylineId":"string","tgtProcPid":"12345","tgtProcCmdLine":"string","tgtProcName":"string","tgtFileModifiedAt":"2018-02-27T04:49:26.257525Z","tgtFileId":"string","tgtProcIntegrityLevel":"unknown","tgtFileHashSha1":"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d","tgtProcUid":"string","tgtProcessStartTime":"2018-02-27T04:49:26.257525Z","tgtFilePath":"string"},"alertInfo":{"createdAt":"2018-02-27T04:49:26.257525Z","srcIp":"81.2.69.142","incidentStatus":"string","registryOldValue":"string","alertId":"123456789123456789","dstPort":"1234","indicatorName":"string","registryPath":"string","loginType":"string","dstIp":"81.2.69.144","updatedAt":"2018-02-27T04:49:26.257525Z","indicatorDescription":"string","loginsUserName":"string","loginIsSuccessful":"string","indicatorCategory":"string","modulePath":"string","loginAccountSid":"string","dnsResponse":"string","netEventDirection":"string","registryValue":"string","srcMachineIp":"81.2.69.192","registryOldValueType":"string","eventType":"string","analystVerdict":"string","dvEventId":"string","dnsRequest":"string","loginIsAdministratorEquivalent":"string","loginAccountDomain":"string","tiIndicatorType":"string","moduleSha1":"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d","source":"string","srcPort":"1234","tiIndicatorValue":"string","tiIndicatorSource":"string","reportedAt":"2018-02-27T04:49:26.257525Z","registryKeyPath":"string","tiIndicatorComparisonMethod":"string","hitType":"Events"},"sourceProcessInfo":{"integrityLevel":"unknown","pid":"12345","fileHashMd5":"5d41402abc4b2a76b9719d911017c592","filePath":"string","fileSignerIdentity":"string","pidStarttime":"2018-02-27T04:49:26.257525Z","storyline":"string","fileHashSha1":"aaf4c61ddcc5e8a2dabede0f
3b482cd9aea9434d","uniqueId":"string","user":"string","commandline":"string","name":"string","fileHashSha256":"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824","subsystem":"unknown"},"ruleInfo":{"severity":"Low","treatAsThreat":"UNDEFINED","id":"string","scopeLevel":"string","name":"string","description":"string"},"sourceParentProcessInfo":{"integrityLevel":"unknown","pid":"12345","fileHashMd5":"5d41402abc4b2a76b9719d911017c592","filePath":"string","fileSignerIdentity":"string","pidStarttime":"2018-02-27T04:49:26.257525Z","storyline":"string","fileHashSha1":"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d","uniqueId":"string","user":"string","commandline":"string","name":"string","fileHashSha256":"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824","subsystem":"unknown"},"agentDetectionInfo":{"osFamily":"string","uuid":"string","osName":"string","version":"3.x.x.x","siteId":"123456789123456789","name":"string","machineType":"string","osRevision":"string"},"kubernetesInfo":{"controllerName":"string","node":"string","namespace":"string","namespaceLabels":"string","pod":"string","controllerLabels":"string","controllerKind":"string","cluster":"string","podLabels":"string"},"containerInfo":{"id":"string","name":"string","image":"string","labels":"string"}} +{"agentDetectionInfo":{"accountId":"123205378574369791","machineType":"server","name":"srv-win1","osFamily":"windows","osName":"Windows Server 2022 
Datacenter","osRevision":"20348","siteId":"1402053568582768389","uuid":"0efd7bcfd285450885e05bd8d5bf2ba7","version":"23.4.4.223"},"agentRealtimeInfo":{"id":"1834780238610855645","infected":true,"isActive":true,"isDecommissioned":false,"machineType":"server","name":"srv-win1","os":"windows","uuid":"0efd7bcfd285450885e05bd8d5bf2ba7"},"alertInfo":{"alertId":"1985998272619999973","analystVerdict":"Undefined","createdAt":"2024-07-03T03:44:03.003000Z","dnsRequest":null,"dnsResponse":null,"dstIp":null,"dstPort":null,"dvEventId":"01J1VB26A8A7W9A4QZ3D8VQB8T_90","eventType":"PROCESSCREATION","hitType":"Events","incidentStatus":"Unresolved","indicatorCategory":null,"indicatorDescription":null,"indicatorName":null,"isEdr":true,"loginAccountDomain":null,"loginAccountSid":null,"loginIsAdministratorEquivalent":null,"loginIsSuccessful":null,"loginType":null,"loginsUserName":null,"modulePath":null,"moduleSha1":null,"netEventDirection":null,"registryKeyPath":null,"registryOldValue":null,"registryOldValueType":null,"registryPath":null,"registryValue":null,"reportedAt":"2024-07-03T03:44:03.128163Z","source":"STAR","srcIp":null,"srcMachineIp":null,"srcPort":null,"tiIndicatorComparisonMethod":null,"tiIndicatorSource":null,"tiIndicatorType":null,"tiIndicatorValue":null,"updatedAt":"2024-07-03T03:44:03.128163Z"},"containerInfo":{"id":null,"image":null,"labels":null,"name":null},"kubernetesInfo":{"cluster":null,"controllerKind":null,"controllerLabels":null,"controllerName":null,"namespace":null,"namespaceLabels":null,"node":null,"pod":null,"podLabels":null},"ruleInfo":{"description":null,"id":"1412136126226508571","name":"test5","queryLang":"1.0","queryType":"events","s1ql":"SrcProcName = \"powershell.exe\"","scopeLevel":"site","severity":"Critical","treatAsThreat":"Suspicious"},"sourceParentProcessInfo":{"commandline":"C:\\Windows\\system32\\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun 
-cv:Fo0W4Ce9IE+s0TJH.2","effectiveUser":null,"fileHashMd5":"9e15f5602630802698afd17631b2f02c","fileHashSha1":"eaae4f4ac59d91a1e4fc84c86f5020759e451b3a","fileHashSha256":"c7cb93a6afe26dd2ca48241ca12fc76f45e2726441d7119443aaeac54444dcba","filePath":"C:\\Windows\\System32\\CompatTelRunner.exe","fileSignerIdentity":"MICROSOFT CORPORATION","integrityLevel":"system","loginUser":null,"name":"CompatTelRunner.exe","pid":"4884","pidStarttime":"2024-07-03T03:43:07.906000Z","realUser":null,"storyline":"CE8DD1F60F2447E2","subsystem":"sys_win32","uniqueId":"A5E3EEF60F2447E2","user":"NT AUTHORITY\\SYSTEM"},"sourceProcessInfo":{"commandline":"powershell.exe -ExecutionPolicy Restricted -Command $res = 0; if(get-vmswitch | Where {$_.NetAdapterInterfaceDescription -ne $null -and $_.NetAdapterInterfaceDescription -eq (Get-NetLbfoTeamNic).InterfaceDescription}){$res=1}; Write-Host \"Final result:\", $res","effectiveUser":null,"fileHashMd5":"0bc8a4cd1e07390bafd741e1fc0399a3","fileHashSha1":"a2d8d23854e33984c08dcf8b03edc619c9c5ec69","fileHashSha256":"75d6634a676fb0bea5bfd8d424e2bd4f685f3885853637ea143b2671a3bb76e9","filePath":"C:\\Windows\\System32\\WINDOWSPOWERSHELL\\V1.0\\powershell.exe","fileSignerIdentity":"MICROSOFT WINDOWS","integrityLevel":"system","loginUser":null,"name":"powershell.exe","pid":"1252","pidStarttime":"2024-07-03T03:43:24.307000Z","realUser":null,"storyline":"CE8DD1F60F2447E2","subsystem":"sys_win32","uniqueId":"E0E3EEF60F2447E2","user":"NT AUTHORITY\\SYSTEM"},"targetProcessInfo":{"tgtFileCreatedAt":"1970-01-01T00:00:00Z","tgtFileHashSha1":null,"tgtFileHashSha256":null,"tgtFileId":null,"tgtFileIsSigned":"signed","tgtFileModifiedAt":"1970-01-01T00:00:00Z","tgtFileOldPath":null,"tgtFilePath":null,"tgtProcCmdLine":"\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff 
-ForceV1","tgtProcImagePath":"C:\\Windows\\System32\\conhost.exe","tgtProcIntegrityLevel":"system","tgtProcName":"conhost.exe","tgtProcPid":"6472","tgtProcSignedStatus":"signed","tgtProcStorylineId":"CE8DD1F60F2447E2","tgtProcUid":"E1E3EEF60F2447E2","tgtProcessStartTime":"2024-07-03T03:43:24.318000Z"}} +{"agentDetectionInfo":{"accountId":"1232053768574369791","machineType":"server","name":"srv-win1","osFamily":"windows","osName":"Windows Server 2022 Datacenter","osRevision":"20348","siteId":"1402053568582768389","uuid":"0efd7bcfd285450885e05bd8d5bf2ba7","version":"23.4.4.223"},"agentRealtimeInfo":{"id":"1834780238610855645","infected":true,"isActive":true,"isDecommissioned":false,"machineType":"server","name":"srv-win1","os":"windows","uuid":"0efd7bcfd285450885e05bd8d5bf2ba7"},"alertInfo":{"alertId":"1985998274037674753","analystVerdict":"Undefined","createdAt":"2024-07-03T03:44:03.004000Z","dnsRequest":null,"dnsResponse":null,"dstIp":null,"dstPort":null,"dvEventId":"01J1VB26A8A7W9A4QZ3D8VQB8T_139","eventType":"PROCESSCREATION","hitType":"Events","incidentStatus":"Unresolved","indicatorCategory":null,"indicatorDescription":null,"indicatorName":null,"isEdr":true,"loginAccountDomain":null,"loginAccountSid":null,"loginIsAdministratorEquivalent":null,"loginIsSuccessful":null,"loginType":null,"loginsUserName":null,"modulePath":null,"moduleSha1":null,"netEventDirection":null,"registryKeyPath":null,"registryOldValue":null,"registryOldValueType":null,"registryPath":null,"registryValue":null,"reportedAt":"2024-07-03T03:44:03.296751Z","source":"STAR","srcIp":null,"srcMachineIp":null,"srcPort":null,"tiIndicatorComparisonMethod":null,"tiIndicatorSource":null,"tiIndicatorType":null,"tiIndicatorValue":null,"updatedAt":"2024-07-03T03:44:03.296751Z"},"containerInfo":{"id":null,"image":null,"labels":null,"name":null},"kubernetesInfo":{"cluster":null,"controllerKind":null,"controllerLabels":null,"controllerName":null,"namespace":null,"namespaceLabels":null,"node":null,"pod":null,"pod
Labels":null},"ruleInfo":{"description":null,"id":"1412136126226508571","name":"test5","queryLang":"1.0","queryType":"events","s1ql":"SrcProcName = \"powershell.exe\"","scopeLevel":"site","severity":"Critical","treatAsThreat":"Suspicious"},"sourceParentProcessInfo":{"commandline":"C:\\Windows\\system32\\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun -cv:Fo0W4Ce9IE+s0TJH.2","effectiveUser":null,"fileHashMd5":"9e15f5602630802698afd17631b2f02c","fileHashSha1":"eaae4f4ac59d91a1e4fc84c86f5020759e451b3a","fileHashSha256":"c7cb93a6afe26dd2ca48241ca12fc76f45e2726441d7119443aaeac54444dcba","filePath":"C:\\Windows\\System32\\CompatTelRunner.exe","fileSignerIdentity":"MICROSOFT CORPORATION","integrityLevel":"system","loginUser":null,"name":"CompatTelRunner.exe","pid":"4884","pidStarttime":"2024-07-03T03:43:07.906000Z","realUser":null,"storyline":"CE8DD1F60F2447E2","subsystem":"sys_win32","uniqueId":"A5E3EEF60F2447E2","user":"NT AUTHORITY\\SYSTEM"},"sourceProcessInfo":{"commandline":"powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';","effectiveUser":null,"fileHashMd5":"0bc8a4cd1e07390bafd741e1fc0399a3","fileHashSha1":"a2d8d23854e33984c08dcf8b03edc619c9c5ec69","fileHashSha256":"75d6634a676fb0bea5bfd8d424e2bd4f685f3885853637ea143b2671a3bb76e9","filePath":"C:\\Windows\\System32\\WINDOWSPOWERSHELL\\V1.0\\powershell.exe","fileSignerIdentity":"MICROSOFT WINDOWS","integrityLevel":"system","loginUser":null,"name":"powershell.exe","pid":"4912","pidStarttime":"2024-07-03T03:43:28.323000Z","realUser":null,"storyline":"CE8DD1F60F2447E2","subsystem":"sys_win32","uniqueId":"E6E3EEF60F2447E2","user":"NT AUTHORITY\\SYSTEM"},"targetProcessInfo":{"tgtFileCreatedAt":"1970-01-01T00:00:00Z","tgtFileHashSha1":null,"tgtFileHashSha256":null,"tgtFileId":null,"tgtFileIsSigned":"signed","tgtFileModifiedAt":"1970-01-01T00:00:00Z","tgtFileOldPath":null,"tgtFilePath":null,"tgtProcCmdLine":"\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff 
-ForceV1","tgtProcImagePath":"C:\\Windows\\System32\\conhost.exe","tgtProcIntegrityLevel":"system","tgtProcName":"conhost.exe","tgtProcPid":"7144","tgtProcSignedStatus":"signed","tgtProcStorylineId":"CE8DD1F60F2447E2","tgtProcUid":"E7E3EEF60F2447E2","tgtProcessStartTime":"2024-07-03T03:43:28.330000Z"}}
diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/benchmark/pipeline/config.yml b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/benchmark/pipeline/config.yml
new file mode 100644
index 0000000000..30a2b50cf6
--- /dev/null
+++ b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/benchmark/pipeline/config.yml
@@ -0,0 +1 @@
+num_docs: 10000
diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/pipeline/test-common-config.yml b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 0000000000..4da2264165
--- /dev/null
+++ b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,3 @@
+fields:
+ tags:
+ - preserve_original_event
diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log
new file mode 100644
index 0000000000..554be7a5b2
--- /dev/null
+++ b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log
@@ -0,0 +1,3 @@ +{"targetProcessInfo":{"tgtFileCreatedAt":"2018-02-27T04:49:26.257525Z","tgtFileIsSigned":"string","tgtFileOldPath":"string","tgtProcImagePath":"string","tgtProcSignedStatus":"string","tgtFileHashSha256":"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824","tgtProcStorylineId":"string","tgtProcPid":"12345","tgtProcCmdLine":"string","tgtProcName":"string","tgtFileModifiedAt":"2018-02-27T04:49:26.257525Z","tgtFileId":"string","tgtProcIntegrityLevel":"unknown","tgtFileHashSha1":"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d","tgtProcUid":"string","tgtProcessStartTime":"2018-02-27T04:49:26.257525Z","tgtFilePath":"string"},"alertInfo":{"createdAt":"2018-02-27T04:49:26.257525Z","srcIp":"81.2.69.142","incidentStatus":"string","registryOldValue":"string","alertId":"123456789123456789","dstPort":"1234","indicatorName":"string","registryPath":"string","loginType":"string","dstIp":"81.2.69.144","updatedAt":"2018-02-27T04:49:26.257525Z","indicatorDescription":"string","loginsUserName":"string","loginIsSuccessful":"string","indicatorCategory":"string","modulePath":"string","loginAccountSid":"string","dnsResponse":"string","netEventDirection":"string","registryValue":"string","srcMachineIp":"81.2.69.192","registryOldValueType":"string","eventType":"string","analystVerdict":"string","dvEventId":"string","dnsRequest":"string","loginIsAdministratorEquivalent":"string","loginAccountDomain":"string","tiIndicatorType":"string","moduleSha1":"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d","source":"string","srcPort":"1234","tiIndicatorValue":"string","tiIndicatorSource":"string","reportedAt":"2018-02-27T04:49:26.257525Z","registryKeyPath":"string","tiIndicatorComparisonMethod":"string","hitType":"Events"},"sourceProcessInfo":{"integrityLevel":"unknown","pid":"12345","fileHashMd5":"5d41402abc4b2a76b9719d911017c592","filePath":"string","fileSignerIdentity":"string","pidStarttime":"2018-02-27T04:49:26.257525Z","storyline":"string","fileHashSha1":"aaf4c61ddcc5e8a2dabede0f
3b482cd9aea9434d","uniqueId":"string","user":"string","commandline":"string","name":"string","fileHashSha256":"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824","subsystem":"unknown"},"ruleInfo":{"severity":"Low","treatAsThreat":"UNDEFINED","id":"string","scopeLevel":"string","name":"string","description":"string"},"sourceParentProcessInfo":{"integrityLevel":"unknown","pid":"12345","fileHashMd5":"5d41402abc4b2a76b9719d911017c592","filePath":"string","fileSignerIdentity":"string","pidStarttime":"2018-02-27T04:49:26.257525Z","storyline":"string","fileHashSha1":"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d","uniqueId":"string","user":"string","commandline":"string","name":"string","fileHashSha256":"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824","subsystem":"unknown"},"agentDetectionInfo":{"osFamily":"string","uuid":"string","osName":"string","version":"3.x.x.x","siteId":"123456789123456789","name":"string","machineType":"string","osRevision":"string"},"kubernetesInfo":{"controllerName":"string","node":"string","namespace":"string","namespaceLabels":"string","pod":"string","controllerLabels":"string","controllerKind":"string","cluster":"string","podLabels":"string"},"containerInfo":{"id":"string","name":"string","image":"string","labels":"string"}} +{"agentDetectionInfo":{"accountId":"123205378574369791","machineType":"server","name":"srv-win1","osFamily":"windows","osName":"Windows Server 2022 
Datacenter","osRevision":"20348","siteId":"1402053568582768389","uuid":"0efd7bcfd285450885e05bd8d5bf2ba7","version":"23.4.4.223"},"agentRealtimeInfo":{"id":"1834780238610855645","infected":true,"isActive":true,"isDecommissioned":false,"machineType":"server","name":"srv-win1","os":"windows","uuid":"0efd7bcfd285450885e05bd8d5bf2ba7"},"alertInfo":{"alertId":"1985998272619999973","analystVerdict":"Undefined","createdAt":"2024-07-03T03:44:03.003000Z","dnsRequest":null,"dnsResponse":null,"dstIp":null,"dstPort":null,"dvEventId":"01J1VB26A8A7W9A4QZ3D8VQB8T_90","eventType":"PROCESSCREATION","hitType":"Events","incidentStatus":"Unresolved","indicatorCategory":null,"indicatorDescription":null,"indicatorName":null,"isEdr":true,"loginAccountDomain":null,"loginAccountSid":null,"loginIsAdministratorEquivalent":null,"loginIsSuccessful":null,"loginType":null,"loginsUserName":null,"modulePath":null,"moduleSha1":null,"netEventDirection":null,"registryKeyPath":null,"registryOldValue":null,"registryOldValueType":null,"registryPath":null,"registryValue":null,"reportedAt":"2024-07-03T03:44:03.128163Z","source":"STAR","srcIp":null,"srcMachineIp":null,"srcPort":null,"tiIndicatorComparisonMethod":null,"tiIndicatorSource":null,"tiIndicatorType":null,"tiIndicatorValue":null,"updatedAt":"2024-07-03T03:44:03.128163Z"},"containerInfo":{"id":null,"image":null,"labels":null,"name":null},"kubernetesInfo":{"cluster":null,"controllerKind":null,"controllerLabels":null,"controllerName":null,"namespace":null,"namespaceLabels":null,"node":null,"pod":null,"podLabels":null},"ruleInfo":{"description":null,"id":"1412136126226508571","name":"test5","queryLang":"1.0","queryType":"events","s1ql":"SrcProcName = \"powershell.exe\"","scopeLevel":"site","severity":"Critical","treatAsThreat":"Suspicious"},"sourceParentProcessInfo":{"commandline":"C:\\Windows\\system32\\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun 
-cv:Fo0W4Ce9IE+s0TJH.2","effectiveUser":null,"fileHashMd5":"9e15f5602630802698afd17631b2f02c","fileHashSha1":"eaae4f4ac59d91a1e4fc84c86f5020759e451b3a","fileHashSha256":"c7cb93a6afe26dd2ca48241ca12fc76f45e2726441d7119443aaeac54444dcba","filePath":"C:\\Windows\\System32\\CompatTelRunner.exe","fileSignerIdentity":"MICROSOFT CORPORATION","integrityLevel":"system","loginUser":null,"name":"CompatTelRunner.exe","pid":"4884","pidStarttime":"2024-07-03T03:43:07.906000Z","realUser":null,"storyline":"CE8DD1F60F2447E2","subsystem":"sys_win32","uniqueId":"A5E3EEF60F2447E2","user":"NT AUTHORITY\\SYSTEM"},"sourceProcessInfo":{"commandline":"powershell.exe -ExecutionPolicy Restricted -Command $res = 0; if(get-vmswitch | Where {$_.NetAdapterInterfaceDescription -ne $null -and $_.NetAdapterInterfaceDescription -eq (Get-NetLbfoTeamNic).InterfaceDescription}){$res=1}; Write-Host \"Final result:\", $res","effectiveUser":null,"fileHashMd5":"0bc8a4cd1e07390bafd741e1fc0399a3","fileHashSha1":"a2d8d23854e33984c08dcf8b03edc619c9c5ec69","fileHashSha256":"75d6634a676fb0bea5bfd8d424e2bd4f685f3885853637ea143b2671a3bb76e9","filePath":"C:\\Windows\\System32\\WINDOWSPOWERSHELL\\V1.0\\powershell.exe","fileSignerIdentity":"MICROSOFT WINDOWS","integrityLevel":"system","loginUser":null,"name":"powershell.exe","pid":"1252","pidStarttime":"2024-07-03T03:43:24.307000Z","realUser":null,"storyline":"CE8DD1F60F2447E2","subsystem":"sys_win32","uniqueId":"E0E3EEF60F2447E2","user":"NT AUTHORITY\\SYSTEM"},"targetProcessInfo":{"tgtFileCreatedAt":"1970-01-01T00:00:00Z","tgtFileHashSha1":null,"tgtFileHashSha256":null,"tgtFileId":null,"tgtFileIsSigned":"signed","tgtFileModifiedAt":"1970-01-01T00:00:00Z","tgtFileOldPath":null,"tgtFilePath":null,"tgtProcCmdLine":"\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff 
-ForceV1","tgtProcImagePath":"C:\\Windows\\System32\\conhost.exe","tgtProcIntegrityLevel":"system","tgtProcName":"conhost.exe","tgtProcPid":"6472","tgtProcSignedStatus":"signed","tgtProcStorylineId":"CE8DD1F60F2447E2","tgtProcUid":"E1E3EEF60F2447E2","tgtProcessStartTime":"2024-07-03T03:43:24.318000Z"}} +{"agentDetectionInfo":{"accountId":"1232053768574369791","machineType":"server","name":"srv-win1","osFamily":"windows","osName":"Windows Server 2022 Datacenter","osRevision":"20348","siteId":"1402053568582768389","uuid":"0efd7bcfd285450885e05bd8d5bf2ba7","version":"23.4.4.223"},"agentRealtimeInfo":{"id":"1834780238610855645","infected":true,"isActive":true,"isDecommissioned":false,"machineType":"server","name":"srv-win1","os":"windows","uuid":"0efd7bcfd285450885e05bd8d5bf2ba7"},"alertInfo":{"alertId":"1985998274037674753","analystVerdict":"Undefined","createdAt":"2024-07-03T03:44:03.004000Z","dnsRequest":null,"dnsResponse":null,"dstIp":null,"dstPort":null,"dvEventId":"01J1VB26A8A7W9A4QZ3D8VQB8T_139","eventType":"PROCESSCREATION","hitType":"Events","incidentStatus":"Unresolved","indicatorCategory":null,"indicatorDescription":null,"indicatorName":null,"isEdr":true,"loginAccountDomain":null,"loginAccountSid":null,"loginIsAdministratorEquivalent":null,"loginIsSuccessful":null,"loginType":null,"loginsUserName":null,"modulePath":null,"moduleSha1":null,"netEventDirection":null,"registryKeyPath":null,"registryOldValue":null,"registryOldValueType":null,"registryPath":null,"registryValue":null,"reportedAt":"2024-07-03T03:44:03.296751Z","source":"STAR","srcIp":null,"srcMachineIp":null,"srcPort":null,"tiIndicatorComparisonMethod":null,"tiIndicatorSource":null,"tiIndicatorType":null,"tiIndicatorValue":null,"updatedAt":"2024-07-03T03:44:03.296751Z"},"containerInfo":{"id":null,"image":null,"labels":null,"name":null},"kubernetesInfo":{"cluster":null,"controllerKind":null,"controllerLabels":null,"controllerName":null,"namespace":null,"namespaceLabels":null,"node":null,"pod":null,"pod
Labels":null},"ruleInfo":{"description":null,"id":"1412136126226508571","name":"test5","queryLang":"1.0","queryType":"events","s1ql":"SrcProcName = \"powershell.exe\"","scopeLevel":"site","severity":"Critical","treatAsThreat":"Suspicious"},"sourceParentProcessInfo":{"commandline":"C:\\Windows\\system32\\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun -cv:Fo0W4Ce9IE+s0TJH.2","effectiveUser":null,"fileHashMd5":"9e15f5602630802698afd17631b2f02c","fileHashSha1":"eaae4f4ac59d91a1e4fc84c86f5020759e451b3a","fileHashSha256":"c7cb93a6afe26dd2ca48241ca12fc76f45e2726441d7119443aaeac54444dcba","filePath":"C:\\Windows\\System32\\CompatTelRunner.exe","fileSignerIdentity":"MICROSOFT CORPORATION","integrityLevel":"system","loginUser":null,"name":"CompatTelRunner.exe","pid":"4884","pidStarttime":"2024-07-03T03:43:07.906000Z","realUser":null,"storyline":"CE8DD1F60F2447E2","subsystem":"sys_win32","uniqueId":"A5E3EEF60F2447E2","user":"NT AUTHORITY\\SYSTEM"},"sourceProcessInfo":{"commandline":"powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';","effectiveUser":null,"fileHashMd5":"0bc8a4cd1e07390bafd741e1fc0399a3","fileHashSha1":"a2d8d23854e33984c08dcf8b03edc619c9c5ec69","fileHashSha256":"75d6634a676fb0bea5bfd8d424e2bd4f685f3885853637ea143b2671a3bb76e9","filePath":"C:\\Windows\\System32\\WINDOWSPOWERSHELL\\V1.0\\powershell.exe","fileSignerIdentity":"MICROSOFT WINDOWS","integrityLevel":"system","loginUser":null,"name":"powershell.exe","pid":"4912","pidStarttime":"2024-07-03T03:43:28.323000Z","realUser":null,"storyline":"CE8DD1F60F2447E2","subsystem":"sys_win32","uniqueId":"E6E3EEF60F2447E2","user":"NT AUTHORITY\\SYSTEM"},"targetProcessInfo":{"tgtFileCreatedAt":"1970-01-01T00:00:00Z","tgtFileHashSha1":null,"tgtFileHashSha256":null,"tgtFileId":null,"tgtFileIsSigned":"signed","tgtFileModifiedAt":"1970-01-01T00:00:00Z","tgtFileOldPath":null,"tgtFilePath":null,"tgtProcCmdLine":"\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff 
-ForceV1","tgtProcImagePath":"C:\\Windows\\System32\\conhost.exe","tgtProcIntegrityLevel":"system","tgtProcName":"conhost.exe","tgtProcPid":"7144","tgtProcSignedStatus":"signed","tgtProcStorylineId":"CE8DD1F60F2447E2","tgtProcUid":"E7E3EEF60F2447E2","tgtProcessStartTime":"2024-07-03T03:43:28.330000Z"}}
\ No newline at end of file
diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log-expected.json b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log-expected.json
new file mode 100644
index 0000000000..6a81c8a496
--- /dev/null
+++ b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log-expected.json
@@ -0,0 +1,573 @@ +{ + "expected": [ + { + "@timestamp": "2018-02-27T04:49:26.257Z", + "container": { + "id": "string", + "image": { + "name": "string" + }, + "name": "string" + }, + "destination": { + "ip": "81.2.69.144", + "port": 1234 + }, + "dll": { + "hash": { + "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d" + }, + "path": "string" + }, + "dns": { + "question": { + "name": "string" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "malware" + ], + "id": "123456789123456789", + "kind": "event", + "original": "{\"targetProcessInfo\":{\"tgtFileCreatedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileIsSigned\":\"string\",\"tgtFileOldPath\":\"string\",\"tgtProcImagePath\":\"string\",\"tgtProcSignedStatus\":\"string\",\"tgtFileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"tgtProcStorylineId\":\"string\",\"tgtProcPid\":\"12345\",\"tgtProcCmdLine\":\"string\",\"tgtProcName\":\"string\",\"tgtFileModifiedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileId\":\"string\",\"tgtProcIntegrityLevel\":\"unknown\",\"tgtFileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"tgtProcUid\":\"string\",\"tgtProcessStartTime\":\"2018-02-27T04:49:26.257525Z\",\"tgtFilePath\":\"string\"},\"alertInfo\":{\"createdAt\":\"2018-02-27T04:49:26.257525Z\",\"srcIp\":\"81.2.69.142\",\"incidentStatus\":\"string\",\"registryOldValue\":\"string\",\"alertId\":\"123456789123456789\",\"dstPort\":\"1234\",\"indicatorName\":\"string\",\"registryPath\":\"string\",\"loginType\":\"string\",\"dstIp\":\"81.2.69.144\",\"updatedAt\":\"2018-02-27T04:49:26.257525Z\",\"indicatorDescription\":\"string\",\"loginsUserName\":\"string\",\"loginIsSuccessful\":\"string\",\"indicatorCategory\":\"string\",\"modulePath\":\"string\",\"loginAccountSid\":\"string\",\"dnsResponse\":\"string\",\"netEventDirection\":\"string\",\"registryValue\":\"string\",\"srcMachineIp\":\"81.2.69.192\",\"registryOldValueType\":\"string\",\"eventType\":\"string\",\"analystVerdi
ct\":\"string\",\"dvEventId\":\"string\",\"dnsRequest\":\"string\",\"loginIsAdministratorEquivalent\":\"string\",\"loginAccountDomain\":\"string\",\"tiIndicatorType\":\"string\",\"moduleSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"source\":\"string\",\"srcPort\":\"1234\",\"tiIndicatorValue\":\"string\",\"tiIndicatorSource\":\"string\",\"reportedAt\":\"2018-02-27T04:49:26.257525Z\",\"registryKeyPath\":\"string\",\"tiIndicatorComparisonMethod\":\"string\",\"hitType\":\"Events\"},\"sourceProcessInfo\":{\"integrityLevel\":\"unknown\",\"pid\":\"12345\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"uniqueId\":\"string\",\"user\":\"string\",\"commandline\":\"string\",\"name\":\"string\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"subsystem\":\"unknown\"},\"ruleInfo\":{\"severity\":\"Low\",\"treatAsThreat\":\"UNDEFINED\",\"id\":\"string\",\"scopeLevel\":\"string\",\"name\":\"string\",\"description\":\"string\"},\"sourceParentProcessInfo\":{\"integrityLevel\":\"unknown\",\"pid\":\"12345\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"uniqueId\":\"string\",\"user\":\"string\",\"commandline\":\"string\",\"name\":\"string\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"subsystem\":\"unknown\"},\"agentDetectionInfo\":{\"osFamily\":\"string\",\"uuid\":\"string\",\"osName\":\"string\",\"version\":\"3.x.x.x\",\"siteId\":\"123456789123456789\",\"name\":\"string\",\"machineType\":\"string\",\"osRevision\":\"string\"},\"kubernetesInfo\":{\"controllerName\":\"string\",\"node\":\"string\",\"
namespace\":\"string\",\"namespaceLabels\":\"string\",\"pod\":\"string\",\"controllerLabels\":\"string\",\"controllerKind\":\"string\",\"cluster\":\"string\",\"podLabels\":\"string\"},\"containerInfo\":{\"id\":\"string\",\"name\":\"string\",\"image\":\"string\",\"labels\":\"string\"}}", + "severity": 21, + "type": [ + "info" + ] + }, + "file": { + "created": "2018-02-27T04:49:26.257Z", + "mtime": "2018-02-27T04:49:26.257Z" + }, + "host": { + "ip": [ + "81.2.69.192" + ], + "name": "string", + "os": { + "family": "string", + "name": "string", + "version": "string" + }, + "type": "string" + }, + "message": "string", + "observer": { + "serial_number": "string", + "version": "3.x.x.x" + }, + "orchestrator": { + "cluster": { + "name": "string" + }, + "namespace": "string" + }, + "process": { + "code_signature": { + "signing_id": "string" + }, + "command_line": "string", + "entity_id": "string", + "executable": "string", + "hash": { + "md5": "5d41402abc4b2a76b9719d911017c592", + "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" + }, + "name": "string", + "parent": { + "code_signature": { + "signing_id": "string" + }, + "command_line": "string", + "entity_id": "string", + "executable": "string", + "hash": { + "md5": "5d41402abc4b2a76b9719d911017c592", + "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" + }, + "name": "string", + "pid": 12345, + "start": "2018-02-27T04:49:26.257Z", + "user": { + "name": "string" + } + }, + "pid": 12345, + "start": "2018-02-27T04:49:26.257Z", + "user": { + "name": "string" + } + }, + "registry": { + "key": "string", + "path": "string", + "value": "string" + }, + "related": { + "hash": [ + "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "5d41402abc4b2a76b9719d911017c592", + "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" + ], + "hosts": [ + "string" + ], + "ip": [ + 
"81.2.69.142", + "81.2.69.144", + "81.2.69.192" + ], + "user": [ + "string" + ] + }, + "rule": { + "description": "string", + "id": "string", + "name": "string" + }, + "sentinel_one": { + "alert": { + "agent": { + "site_id": "123456789123456789" + }, + "analyst_verdict": "string", + "container": { + "info": { + "labels": "string" + } + }, + "dv_event": { + "id": "string" + }, + "info": { + "dns": { + "response": "string" + }, + "event_type": "string", + "hit": { + "type": "Events" + }, + "indicator": { + "category": "string", + "description": "string", + "name": "string" + }, + "login": { + "account": { + "sid": "string" + }, + "is_administrator": "string", + "is_successful": "string", + "type": "string" + }, + "registry": { + "old_value": "string", + "old_value_type": "string" + }, + "reported_at": "2018-02-27T04:49:26.257Z", + "source": "string", + "status": "string", + "ti_indicator": { + "comparison_method": "string", + "source": "string", + "type": "string", + "value": "string" + }, + "updated_at": "2018-02-27T04:49:26.257Z" + }, + "kubernetes": { + "controller": { + "kind": "string", + "labels": "string", + "name": "string" + }, + "namespace": { + "labels": "string" + }, + "node": "string", + "pod": { + "labels": "string", + "name": "string" + } + }, + "process": { + "integrity_level": "unknown", + "parent": { + "integrity_level": "unknown", + "storyline": "string", + "subsystem": "unknown" + }, + "storyline": "string", + "subsystem": "unknown" + }, + "rule": { + "scope_level": "string", + "severity": "Low", + "treat_as_threat": "UNDEFINED" + }, + "target": { + "process": { + "file": { + "hash": { + "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" + }, + "id": "string", + "is_signed": "string", + "old_path": "string", + "path": "string" + }, + "proc": { + "cmdline": "string", + "image_path": "string", + "integrity_level": "unknown", + "name": "string", + "pid": 12345, + 
"signed_status": "string", + "storyline_id": "string", + "uid": "string" + }, + "start_time": "2018-02-27T04:49:26.257Z" + } + } + } + }, + "source": { + "ip": "81.2.69.142", + "port": 1234 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "string", + "name": "string" + } + }, + { + "@timestamp": "2024-07-03T03:44:03.003Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "malware" + ], + "id": "1985998272619999973", + "kind": "event", + "original": "{\"agentDetectionInfo\":{\"accountId\":\"123205378574369791\",\"machineType\":\"server\",\"name\":\"srv-win1\",\"osFamily\":\"windows\",\"osName\":\"Windows Server 2022 Datacenter\",\"osRevision\":\"20348\",\"siteId\":\"1402053568582768389\",\"uuid\":\"0efd7bcfd285450885e05bd8d5bf2ba7\",\"version\":\"23.4.4.223\"},\"agentRealtimeInfo\":{\"id\":\"1834780238610855645\",\"infected\":true,\"isActive\":true,\"isDecommissioned\":false,\"machineType\":\"server\",\"name\":\"srv-win1\",\"os\":\"windows\",\"uuid\":\"0efd7bcfd285450885e05bd8d5bf2ba7\"},\"alertInfo\":{\"alertId\":\"1985998272619999973\",\"analystVerdict\":\"Undefined\",\"createdAt\":\"2024-07-03T03:44:03.003000Z\",\"dnsRequest\":null,\"dnsResponse\":null,\"dstIp\":null,\"dstPort\":null,\"dvEventId\":\"01J1VB26A8A7W9A4QZ3D8VQB8T_90\",\"eventType\":\"PROCESSCREATION\",\"hitType\":\"Events\",\"incidentStatus\":\"Unresolved\",\"indicatorCategory\":null,\"indicatorDescription\":null,\"indicatorName\":null,\"isEdr\":true,\"loginAccountDomain\":null,\"loginAccountSid\":null,\"loginIsAdministratorEquivalent\":null,\"loginIsSuccessful\":null,\"loginType\":null,\"loginsUserName\":null,\"modulePath\":null,\"moduleSha1\":null,\"netEventDirection\":null,\"registryKeyPath\":null,\"registryOldValue\":null,\"registryOldValueType\":null,\"registryPath\":null,\"registryValue\":null,\"reportedAt\":\"2024-07-03T03:44:03.128163Z\",\"source\":\"STAR\",\"srcIp\":null,\"srcMachineIp\":null,\"srcPort\":null,\"tiIndicatorComparisonMethod\":null,\"
tiIndicatorSource\":null,\"tiIndicatorType\":null,\"tiIndicatorValue\":null,\"updatedAt\":\"2024-07-03T03:44:03.128163Z\"},\"containerInfo\":{\"id\":null,\"image\":null,\"labels\":null,\"name\":null},\"kubernetesInfo\":{\"cluster\":null,\"controllerKind\":null,\"controllerLabels\":null,\"controllerName\":null,\"namespace\":null,\"namespaceLabels\":null,\"node\":null,\"pod\":null,\"podLabels\":null},\"ruleInfo\":{\"description\":null,\"id\":\"1412136126226508571\",\"name\":\"test5\",\"queryLang\":\"1.0\",\"queryType\":\"events\",\"s1ql\":\"SrcProcName = \\\"powershell.exe\\\"\",\"scopeLevel\":\"site\",\"severity\":\"Critical\",\"treatAsThreat\":\"Suspicious\"},\"sourceParentProcessInfo\":{\"commandline\":\"C:\\\\Windows\\\\system32\\\\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun -cv:Fo0W4Ce9IE+s0TJH.2\",\"effectiveUser\":null,\"fileHashMd5\":\"9e15f5602630802698afd17631b2f02c\",\"fileHashSha1\":\"eaae4f4ac59d91a1e4fc84c86f5020759e451b3a\",\"fileHashSha256\":\"c7cb93a6afe26dd2ca48241ca12fc76f45e2726441d7119443aaeac54444dcba\",\"filePath\":\"C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe\",\"fileSignerIdentity\":\"MICROSOFT CORPORATION\",\"integrityLevel\":\"system\",\"loginUser\":null,\"name\":\"CompatTelRunner.exe\",\"pid\":\"4884\",\"pidStarttime\":\"2024-07-03T03:43:07.906000Z\",\"realUser\":null,\"storyline\":\"CE8DD1F60F2447E2\",\"subsystem\":\"sys_win32\",\"uniqueId\":\"A5E3EEF60F2447E2\",\"user\":\"NT AUTHORITY\\\\SYSTEM\"},\"sourceProcessInfo\":{\"commandline\":\"powershell.exe -ExecutionPolicy Restricted -Command $res = 0; if(get-vmswitch | Where {$_.NetAdapterInterfaceDescription -ne $null -and $_.NetAdapterInterfaceDescription -eq (Get-NetLbfoTeamNic).InterfaceDescription}){$res=1}; Write-Host \\\"Final result:\\\", 
$res\",\"effectiveUser\":null,\"fileHashMd5\":\"0bc8a4cd1e07390bafd741e1fc0399a3\",\"fileHashSha1\":\"a2d8d23854e33984c08dcf8b03edc619c9c5ec69\",\"fileHashSha256\":\"75d6634a676fb0bea5bfd8d424e2bd4f685f3885853637ea143b2671a3bb76e9\",\"filePath\":\"C:\\\\Windows\\\\System32\\\\WINDOWSPOWERSHELL\\\\V1.0\\\\powershell.exe\",\"fileSignerIdentity\":\"MICROSOFT WINDOWS\",\"integrityLevel\":\"system\",\"loginUser\":null,\"name\":\"powershell.exe\",\"pid\":\"1252\",\"pidStarttime\":\"2024-07-03T03:43:24.307000Z\",\"realUser\":null,\"storyline\":\"CE8DD1F60F2447E2\",\"subsystem\":\"sys_win32\",\"uniqueId\":\"E0E3EEF60F2447E2\",\"user\":\"NT AUTHORITY\\\\SYSTEM\"},\"targetProcessInfo\":{\"tgtFileCreatedAt\":\"1970-01-01T00:00:00Z\",\"tgtFileHashSha1\":null,\"tgtFileHashSha256\":null,\"tgtFileId\":null,\"tgtFileIsSigned\":\"signed\",\"tgtFileModifiedAt\":\"1970-01-01T00:00:00Z\",\"tgtFileOldPath\":null,\"tgtFilePath\":null,\"tgtProcCmdLine\":\"\\\\??\\\\C:\\\\Windows\\\\system32\\\\conhost.exe 0xffffffff -ForceV1\",\"tgtProcImagePath\":\"C:\\\\Windows\\\\System32\\\\conhost.exe\",\"tgtProcIntegrityLevel\":\"system\",\"tgtProcName\":\"conhost.exe\",\"tgtProcPid\":\"6472\",\"tgtProcSignedStatus\":\"signed\",\"tgtProcStorylineId\":\"CE8DD1F60F2447E2\",\"tgtProcUid\":\"E1E3EEF60F2447E2\",\"tgtProcessStartTime\":\"2024-07-03T03:43:24.318000Z\"}}", + "severity": 99, + "type": [ + "info" + ] + }, + "file": { + "created": "1970-01-01T00:00:00.000Z", + "mtime": "1970-01-01T00:00:00.000Z" + }, + "host": { + "id": "1834780238610855645", + "name": "srv-win1", + "os": { + "family": "windows", + "name": "Windows Server 2022 Datacenter", + "type": "windows", + "version": "20348" + }, + "type": "server" + }, + "message": "test5", + "observer": { + "serial_number": "0efd7bcfd285450885e05bd8d5bf2ba7", + "version": "23.4.4.223" + }, + "process": { + "code_signature": { + "signing_id": "MICROSOFT WINDOWS" + }, + "command_line": "powershell.exe -ExecutionPolicy Restricted -Command $res = 0; 
if(get-vmswitch | Where {$_.NetAdapterInterfaceDescription -ne $null -and $_.NetAdapterInterfaceDescription -eq (Get-NetLbfoTeamNic).InterfaceDescription}){$res=1}; Write-Host \"Final result:\", $res",
+ "entity_id": "E0E3EEF60F2447E2",
+ "executable": "C:\\Windows\\System32\\WINDOWSPOWERSHELL\\V1.0\\powershell.exe",
+ "hash": {
+ "md5": "0bc8a4cd1e07390bafd741e1fc0399a3",
+ "sha1": "a2d8d23854e33984c08dcf8b03edc619c9c5ec69",
+ "sha256": "75d6634a676fb0bea5bfd8d424e2bd4f685f3885853637ea143b2671a3bb76e9"
+ },
+ "name": "powershell.exe",
+ "parent": {
+ "code_signature": {
+ "signing_id": "MICROSOFT CORPORATION"
+ },
+ "command_line": "C:\\Windows\\system32\\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun -cv:Fo0W4Ce9IE+s0TJH.2",
+ "entity_id": "A5E3EEF60F2447E2",
+ "executable": "C:\\Windows\\System32\\CompatTelRunner.exe",
+ "hash": {
+ "md5": "9e15f5602630802698afd17631b2f02c",
+ "sha1": "eaae4f4ac59d91a1e4fc84c86f5020759e451b3a",
+ "sha256": "c7cb93a6afe26dd2ca48241ca12fc76f45e2726441d7119443aaeac54444dcba"
+ },
+ "name": "CompatTelRunner.exe",
+ "pid": 4884,
+ "start": "2024-07-03T03:43:07.906Z",
+ "user": {
+ "name": "NT AUTHORITY\\SYSTEM"
+ }
+ },
+ "pid": 1252,
+ "start": "2024-07-03T03:43:24.307Z",
+ "user": {
+ "name": "NT AUTHORITY\\SYSTEM"
+ }
+ },
+ "related": {
+ "hash": [
+ "9e15f5602630802698afd17631b2f02c",
+ "eaae4f4ac59d91a1e4fc84c86f5020759e451b3a",
+ "c7cb93a6afe26dd2ca48241ca12fc76f45e2726441d7119443aaeac54444dcba",
+ "0bc8a4cd1e07390bafd741e1fc0399a3",
+ "a2d8d23854e33984c08dcf8b03edc619c9c5ec69",
+ "75d6634a676fb0bea5bfd8d424e2bd4f685f3885853637ea143b2671a3bb76e9"
+ ],
+ "hosts": [
+ "srv-win1"
+ ]
+ },
+ "rule": {
+ "id": "1412136126226508571",
+ "name": "test5"
+ },
+ "sentinel_one": {
+ "alert": {
+ "agent": {
+ "computer_name": "srv-win1",
+ "id": "1834780238610855645",
+ "infected": true,
+ "is_active": true,
+ "is_decommissioned": false,
+ "machine_type": "server",
+ "os": {
+ "type": "windows"
+ },
+ "site_id": "1402053568582768389"
+ },
+ "analyst_verdict": "Undefined",
+ "dv_event": {
+ "id": "01J1VB26A8A7W9A4QZ3D8VQB8T_90"
+ },
+ "info": {
+ "event_type": "PROCESSCREATION",
+ "hit": {
+ "type": "Events"
+ },
+ "reported_at": "2024-07-03T03:44:03.128Z",
+ "source": "STAR",
+ "status": "Unresolved",
+ "updated_at": "2024-07-03T03:44:03.128Z"
+ },
+ "process": {
+ "integrity_level": "system",
+ "parent": {
+ "integrity_level": "system",
+ "storyline": "CE8DD1F60F2447E2",
+ "subsystem": "sys_win32"
+ },
+ "storyline": "CE8DD1F60F2447E2",
+ "subsystem": "sys_win32"
+ },
+ "rule": {
+ "scope_level": "site",
+ "severity": "Critical",
+ "treat_as_threat": "Suspicious"
+ },
+ "target": {
+ "process": {
+ "file": {
+ "is_signed": "signed"
+ },
+ "proc": {
+ "cmdline": "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1",
+ "image_path": "C:\\Windows\\System32\\conhost.exe",
+ "integrity_level": "system",
+ "name": "conhost.exe",
+ "pid": 6472,
+ "signed_status": "signed",
+ "storyline_id": "CE8DD1F60F2447E2",
+ "uid": "E1E3EEF60F2447E2"
+ },
+ "start_time": "2024-07-03T03:43:24.318Z"
+ }
+ }
+ }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2024-07-03T03:44:03.004Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "category": [
+ "malware"
+ ],
+ "id": "1985998274037674753",
+ "kind": "event",
+ "original": "{\"agentDetectionInfo\":{\"accountId\":\"1232053768574369791\",\"machineType\":\"server\",\"name\":\"srv-win1\",\"osFamily\":\"windows\",\"osName\":\"Windows Server 2022 
Datacenter\",\"osRevision\":\"20348\",\"siteId\":\"1402053568582768389\",\"uuid\":\"0efd7bcfd285450885e05bd8d5bf2ba7\",\"version\":\"23.4.4.223\"},\"agentRealtimeInfo\":{\"id\":\"1834780238610855645\",\"infected\":true,\"isActive\":true,\"isDecommissioned\":false,\"machineType\":\"server\",\"name\":\"srv-win1\",\"os\":\"windows\",\"uuid\":\"0efd7bcfd285450885e05bd8d5bf2ba7\"},\"alertInfo\":{\"alertId\":\"1985998274037674753\",\"analystVerdict\":\"Undefined\",\"createdAt\":\"2024-07-03T03:44:03.004000Z\",\"dnsRequest\":null,\"dnsResponse\":null,\"dstIp\":null,\"dstPort\":null,\"dvEventId\":\"01J1VB26A8A7W9A4QZ3D8VQB8T_139\",\"eventType\":\"PROCESSCREATION\",\"hitType\":\"Events\",\"incidentStatus\":\"Unresolved\",\"indicatorCategory\":null,\"indicatorDescription\":null,\"indicatorName\":null,\"isEdr\":true,\"loginAccountDomain\":null,\"loginAccountSid\":null,\"loginIsAdministratorEquivalent\":null,\"loginIsSuccessful\":null,\"loginType\":null,\"loginsUserName\":null,\"modulePath\":null,\"moduleSha1\":null,\"netEventDirection\":null,\"registryKeyPath\":null,\"registryOldValue\":null,\"registryOldValueType\":null,\"registryPath\":null,\"registryValue\":null,\"reportedAt\":\"2024-07-03T03:44:03.296751Z\",\"source\":\"STAR\",\"srcIp\":null,\"srcMachineIp\":null,\"srcPort\":null,\"tiIndicatorComparisonMethod\":null,\"tiIndicatorSource\":null,\"tiIndicatorType\":null,\"tiIndicatorValue\":null,\"updatedAt\":\"2024-07-03T03:44:03.296751Z\"},\"containerInfo\":{\"id\":null,\"image\":null,\"labels\":null,\"name\":null},\"kubernetesInfo\":{\"cluster\":null,\"controllerKind\":null,\"controllerLabels\":null,\"controllerName\":null,\"namespace\":null,\"namespaceLabels\":null,\"node\":null,\"pod\":null,\"podLabels\":null},\"ruleInfo\":{\"description\":null,\"id\":\"1412136126226508571\",\"name\":\"test5\",\"queryLang\":\"1.0\",\"queryType\":\"events\",\"s1ql\":\"SrcProcName = 
\\\"powershell.exe\\\"\",\"scopeLevel\":\"site\",\"severity\":\"Critical\",\"treatAsThreat\":\"Suspicious\"},\"sourceParentProcessInfo\":{\"commandline\":\"C:\\\\Windows\\\\system32\\\\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun -cv:Fo0W4Ce9IE+s0TJH.2\",\"effectiveUser\":null,\"fileHashMd5\":\"9e15f5602630802698afd17631b2f02c\",\"fileHashSha1\":\"eaae4f4ac59d91a1e4fc84c86f5020759e451b3a\",\"fileHashSha256\":\"c7cb93a6afe26dd2ca48241ca12fc76f45e2726441d7119443aaeac54444dcba\",\"filePath\":\"C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe\",\"fileSignerIdentity\":\"MICROSOFT CORPORATION\",\"integrityLevel\":\"system\",\"loginUser\":null,\"name\":\"CompatTelRunner.exe\",\"pid\":\"4884\",\"pidStarttime\":\"2024-07-03T03:43:07.906000Z\",\"realUser\":null,\"storyline\":\"CE8DD1F60F2447E2\",\"subsystem\":\"sys_win32\",\"uniqueId\":\"A5E3EEF60F2447E2\",\"user\":\"NT AUTHORITY\\\\SYSTEM\"},\"sourceProcessInfo\":{\"commandline\":\"powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\",\"effectiveUser\":null,\"fileHashMd5\":\"0bc8a4cd1e07390bafd741e1fc0399a3\",\"fileHashSha1\":\"a2d8d23854e33984c08dcf8b03edc619c9c5ec69\",\"fileHashSha256\":\"75d6634a676fb0bea5bfd8d424e2bd4f685f3885853637ea143b2671a3bb76e9\",\"filePath\":\"C:\\\\Windows\\\\System32\\\\WINDOWSPOWERSHELL\\\\V1.0\\\\powershell.exe\",\"fileSignerIdentity\":\"MICROSOFT WINDOWS\",\"integrityLevel\":\"system\",\"loginUser\":null,\"name\":\"powershell.exe\",\"pid\":\"4912\",\"pidStarttime\":\"2024-07-03T03:43:28.323000Z\",\"realUser\":null,\"storyline\":\"CE8DD1F60F2447E2\",\"subsystem\":\"sys_win32\",\"uniqueId\":\"E6E3EEF60F2447E2\",\"user\":\"NT 
AUTHORITY\\\\SYSTEM\"},\"targetProcessInfo\":{\"tgtFileCreatedAt\":\"1970-01-01T00:00:00Z\",\"tgtFileHashSha1\":null,\"tgtFileHashSha256\":null,\"tgtFileId\":null,\"tgtFileIsSigned\":\"signed\",\"tgtFileModifiedAt\":\"1970-01-01T00:00:00Z\",\"tgtFileOldPath\":null,\"tgtFilePath\":null,\"tgtProcCmdLine\":\"\\\\??\\\\C:\\\\Windows\\\\system32\\\\conhost.exe 0xffffffff -ForceV1\",\"tgtProcImagePath\":\"C:\\\\Windows\\\\System32\\\\conhost.exe\",\"tgtProcIntegrityLevel\":\"system\",\"tgtProcName\":\"conhost.exe\",\"tgtProcPid\":\"7144\",\"tgtProcSignedStatus\":\"signed\",\"tgtProcStorylineId\":\"CE8DD1F60F2447E2\",\"tgtProcUid\":\"E7E3EEF60F2447E2\",\"tgtProcessStartTime\":\"2024-07-03T03:43:28.330000Z\"}}", + "severity": 99, + "type": [ + "info" + ] + }, + "file": { + "created": "1970-01-01T00:00:00.000Z", + "mtime": "1970-01-01T00:00:00.000Z" + }, + "host": { + "id": "1834780238610855645", + "name": "srv-win1", + "os": { + "family": "windows", + "name": "Windows Server 2022 Datacenter", + "type": "windows", + "version": "20348" + }, + "type": "server" + }, + "message": "test5", + "observer": { + "serial_number": "0efd7bcfd285450885e05bd8d5bf2ba7", + "version": "23.4.4.223" + }, + "process": { + "code_signature": { + "signing_id": "MICROSOFT WINDOWS" + }, + "command_line": "powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';", + "entity_id": "E6E3EEF60F2447E2", + "executable": "C:\\Windows\\System32\\WINDOWSPOWERSHELL\\V1.0\\powershell.exe", + "hash": { + "md5": "0bc8a4cd1e07390bafd741e1fc0399a3", + "sha1": "a2d8d23854e33984c08dcf8b03edc619c9c5ec69", + "sha256": "75d6634a676fb0bea5bfd8d424e2bd4f685f3885853637ea143b2671a3bb76e9" + }, + "name": "powershell.exe", + "parent": { + "code_signature": { + "signing_id": "MICROSOFT CORPORATION" + }, + "command_line": "C:\\Windows\\system32\\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun -cv:Fo0W4Ce9IE+s0TJH.2", + "entity_id": "A5E3EEF60F2447E2", + "executable": 
"C:\\Windows\\System32\\CompatTelRunner.exe",
+ "hash": {
+ "md5": "9e15f5602630802698afd17631b2f02c",
+ "sha1": "eaae4f4ac59d91a1e4fc84c86f5020759e451b3a",
+ "sha256": "c7cb93a6afe26dd2ca48241ca12fc76f45e2726441d7119443aaeac54444dcba"
+ },
+ "name": "CompatTelRunner.exe",
+ "pid": 4884,
+ "start": "2024-07-03T03:43:07.906Z",
+ "user": {
+ "name": "NT AUTHORITY\\SYSTEM"
+ }
+ },
+ "pid": 4912,
+ "start": "2024-07-03T03:43:28.323Z",
+ "user": {
+ "name": "NT AUTHORITY\\SYSTEM"
+ }
+ },
+ "related": {
+ "hash": [
+ "9e15f5602630802698afd17631b2f02c",
+ "eaae4f4ac59d91a1e4fc84c86f5020759e451b3a",
+ "c7cb93a6afe26dd2ca48241ca12fc76f45e2726441d7119443aaeac54444dcba",
+ "0bc8a4cd1e07390bafd741e1fc0399a3",
+ "a2d8d23854e33984c08dcf8b03edc619c9c5ec69",
+ "75d6634a676fb0bea5bfd8d424e2bd4f685f3885853637ea143b2671a3bb76e9"
+ ],
+ "hosts": [
+ "srv-win1"
+ ]
+ },
+ "rule": {
+ "id": "1412136126226508571",
+ "name": "test5"
+ },
+ "sentinel_one": {
+ "alert": {
+ "agent": {
+ "computer_name": "srv-win1",
+ "id": "1834780238610855645",
+ "infected": true,
+ "is_active": true,
+ "is_decommissioned": false,
+ "machine_type": "server",
+ "os": {
+ "type": "windows"
+ },
+ "site_id": "1402053568582768389"
+ },
+ "analyst_verdict": "Undefined",
+ "dv_event": {
+ "id": "01J1VB26A8A7W9A4QZ3D8VQB8T_139"
+ },
+ "info": {
+ "event_type": "PROCESSCREATION",
+ "hit": {
+ "type": "Events"
+ },
+ "reported_at": "2024-07-03T03:44:03.296Z",
+ "source": "STAR",
+ "status": "Unresolved",
+ "updated_at": "2024-07-03T03:44:03.296Z"
+ },
+ "process": {
+ "integrity_level": "system",
+ "parent": {
+ "integrity_level": "system",
+ "storyline": "CE8DD1F60F2447E2",
+ "subsystem": "sys_win32"
+ },
+ "storyline": "CE8DD1F60F2447E2",
+ "subsystem": "sys_win32"
+ },
+ "rule": {
+ "scope_level": "site",
+ "severity": "Critical",
+ "treat_as_threat": "Suspicious"
+ },
+ "target": {
+ "process": {
+ "file": {
+ "is_signed": "signed"
+ },
+ "proc": {
+ "cmdline": "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1",
+ "image_path": "C:\\Windows\\System32\\conhost.exe",
+ "integrity_level": "system",
+ "name": "conhost.exe",
+ "pid": 7144,
+ "signed_status": "signed",
+ "storyline_id": "CE8DD1F60F2447E2",
+ "uid": "E7E3EEF60F2447E2"
+ },
+ "start_time": "2024-07-03T03:43:28.330Z"
+ }
+ }
+ }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/policy/test-all.expected b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/policy/test-all.expected
new file mode 100644
index 0000000000..29cebb8e61
--- /dev/null
+++ b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/policy/test-all.expected
@@ -0,0 +1,164 @@
+inputs:
+ - data_stream:
+ namespace: ep
+ meta:
+ package:
+ name: sentinel_one
+ name: test-all-sentinel_one
+ streams:
+ - config_version: 2
+ cursor:
+ last_create_at:
+ value: '[[.last_event.alertInfo.createdAt]]'
+ data_stream:
+ dataset: sentinel_one.alert
+ interval: 30s
+ processors:
+ - add_fields:
+ fields:
+ id: "574734885120952459"
+ name: myproject
+ target: project
+ - add_tags:
+ tags:
+ - web
+ - production
+ target: environment
+ publisher_pipeline.disable_host: true
+ request.method: GET
+ request.proxy_url: https://user:P%40ssword%23@0.0.0.0:0000
+ request.ssl:
+ certificate: |
+ -----BEGIN CERTIFICATE-----
+ MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ sxSmbIUfc2SGJGCJD4I=
+ -----END CERTIFICATE-----
+ certificate_authorities:
+ - |
+ -----BEGIN CERTIFICATE-----
+ MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ sxSmbIUfc2SGJGCJD4I=
+ -----END CERTIFICATE-----
+ cipher_suites:
+ - ECDHE-ECDSA-AES-128-CBC-SHA
+ - ECDHE-ECDSA-AES-256-GCM-SHA384
+ curve_types:
+ - P-256
+ enabled: true
+ key: |
+ -----BEGIN PRIVATE KEY-----
+ MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI
+ sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP
+ Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F
+ KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2
+ MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z
+ HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ
+ nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx
+ Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0
+ eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/
+ Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM
+ epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve
+ Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn + 
BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8 + VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU + zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5 + GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA + 5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7 + TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF + hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li + e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze + Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T + kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+ + kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav + NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K + 0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc + nygO9KTJuUiBrLr0AHEnqko= + -----END PRIVATE KEY----- + supported_protocols: + - TLSv1.2 + request.tracer: + enabled: true + filename: ../../logs/httpjson/http-request-trace-*.ndjson + maxbackups: 5 + request.transforms: + - set: + target: header.Authorization + value: ApiToken ${SECRET_0} + - set: + target: url.params.limit + value: "100" + - set: + target: url.params.sortBy + value: alertInfoCreatedAt + - set: + target: url.params.sortOrder + value: asc + - set: + default: '[[formatDate (now (parseDuration "-24h"))]]' + target: url.params.createdAt__gte + value: '[[formatDate (parseDate .cursor.last_create_at)]]' + - set: + target: url.params.siteIds + value: "123" + request.url: http://host.tld/web/api/v2.1/cloud-detection/alerts + response.pagination: + - set: + fail_on_template_error: true + target: url.params.cursor + value: '[[if (ne .last_response.body.pagination.nextCursor nil)]][[.last_response.body.pagination.nextCursor]][[end]]' + response.split: + ignore_empty_value: true + target: body.data + tags: + - preserve_original_event + - forwarded + - sentinel_one-alert + - test-policy + type: httpjson + 
use_output: default
+output_permissions:
+ default:
+ _elastic_agent_checks:
+ cluster:
+ - monitor
+ _elastic_agent_monitoring:
+ indices: []
+ uuid-for-permissions-on-related-indices:
+ indices:
+ - names:
+ - logs-sentinel_one.alert-ep
+ privileges:
+ - auto_configure
+ - create_doc
+secret_references:
+ - {}
diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/policy/test-all.yml b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/policy/test-all.yml
new file mode 100644
index 0000000000..f94f2850c9
--- /dev/null
+++ b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/policy/test-all.yml
@@ -0,0 +1,103 @@ +vars: + url: http://host.tld + api_token: test_api_token + proxy_url: https://user:P%40ssword%23@0.0.0.0:0000 + site_ids: 123 + enable_request_tracer: true + ssl: | + enabled: true + supported_protocols: + - TLSv1.2 + cipher_suites: + - ECDHE-ECDSA-AES-128-CBC-SHA + - ECDHE-ECDSA-AES-256-GCM-SHA384 + curve_types: + - P-256 + certificate_authorities: + - | + -----BEGIN CERTIFICATE----- + MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + sxSmbIUfc2SGJGCJD4I= + -----END CERTIFICATE----- + certificate: | + -----BEGIN CERTIFICATE----- + MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + 
/D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + sxSmbIUfc2SGJGCJD4I= + -----END CERTIFICATE----- + key: | + -----BEGIN PRIVATE KEY----- + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI + sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP + Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F + KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2 + MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z + HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ + nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx + Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0 + eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/ + Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM + epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve + Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn + BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8 + VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU + zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5 + GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA + 5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7 + TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF + 
hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li + e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze + Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T + kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+ + kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav + NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K + 0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc + nygO9KTJuUiBrLr0AHEnqko= + -----END PRIVATE KEY----- +data_stream: + vars: + initial_interval: 24h + interval: 30s + tags: + - forwarded + - sentinel_one-alert + - test-policy + preserve_original_event: true + processors: | + - add_fields: + target: project + fields: + name: myproject + id: '574734885120952459' + - add_tags: + tags: [web, production] + target: "environment" diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/policy/test-default.expected b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/policy/test-default.expected new file mode 100644 index 0000000000..746d2cd968 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/policy/test-default.expected 
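Review bot: The `key:` block under `ssl` is a PEM private key and `proxy_url` embeds a password in the URL, both committed in plaintext in this policy-test fixture, and nothing in the file marks them as throwaway test material. The certificate looks like a self-signed localhost test certificate (inferred from the PEM, not verified here), so the practical risk is secret-scanner noise and accidental reuse rather than exposure, but a reader has no way to tell. Add a header comment at the top of the file, e.g. `# Test-only fixture: self-signed localhost cert/key and dummy proxy credentials; not valid for any real endpoint.`. The same material is repeated in test-all.expected, which is rendered from this file, so the comment belongs here rather than in the generated output.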
@@ -0,0 +1,69 @@
+inputs:
+ - data_stream:
+ namespace: ep
+ meta:
+ package:
+ name: sentinel_one
+ name: test-default-sentinel_one
+ streams:
+ - config_version: 2
+ cursor:
+ last_create_at:
+ value: '[[.last_event.alertInfo.createdAt]]'
+ data_stream:
+ dataset: sentinel_one.alert
+ interval: 30s
+ publisher_pipeline.disable_host: true
+ request.method: GET
+ request.ssl: null
+ request.tracer:
+ enabled: false
+ filename: ../../logs/httpjson/http-request-trace-*.ndjson
+ maxbackups: 5
+ request.transforms:
+ - set:
+ target: header.Authorization
+ value: ApiToken ${SECRET_0}
+ - set:
+ target: url.params.limit
+ value: "100"
+ - set:
+ target: url.params.sortBy
+ value: alertInfoCreatedAt
+ - set:
+ target: url.params.sortOrder
+ value: asc
+ - set:
+ default: '[[formatDate (now (parseDuration "-24h"))]]'
+ target: url.params.createdAt__gte
+ value: '[[formatDate (parseDate .cursor.last_create_at)]]'
+ request.url: http://host.tld/web/api/v2.1/cloud-detection/alerts
+ response.pagination:
+ - set:
+ fail_on_template_error: true
+ target: url.params.cursor
+ value: '[[if (ne .last_response.body.pagination.nextCursor nil)]][[.last_response.body.pagination.nextCursor]][[end]]'
+ response.split:
+ ignore_empty_value: true
+ target: body.data
+ tags:
+ - forwarded
+ - sentinel_one-alert
+ type: httpjson
+ use_output: default
+output_permissions:
+ default:
+ _elastic_agent_checks:
+ cluster:
+ - monitor
+ _elastic_agent_monitoring:
+ indices: []
+ uuid-for-permissions-on-related-indices:
+ indices:
+ - names:
+ - logs-sentinel_one.alert-ep
+ privileges:
+ - auto_configure
+ - create_doc
+secret_references:
+ - {}
diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/policy/test-default.yml b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/policy/test-default.yml
new file mode 100644
index 0000000000..4487fe15b0
--- /dev/null
+++ b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/policy/test-default.yml
@@ -0,0 +1,12 @@
+vars:
+ url: http://host.tld
+ api_token: test_api_token
+ enable_request_tracer: false
+data_stream:
+ vars:
+ initial_interval: 24h
+ interval: 30s
+ preserve_original_event: false
+ tags:
+ - forwarded
+ - sentinel_one-alert
diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/system/test-default-config.yml b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/system/test-default-config.yml
new file mode 100644
index 0000000000..4f56670813
--- /dev/null
+++ b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/_dev/test/system/test-default-config.yml
@@ -0,0 +1,11 @@
+input: httpjson
+service: sentinel_one
+vars:
+ url: http://{{Hostname}}:{{Port}}
+ api_token: xxxx
+data_stream:
+ vars:
+ preserve_original_event: true
+ enable_request_tracer: true
+assert:
+ hit_count: 2
diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/agent/stream/httpjson.yml.hbs b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/agent/stream/httpjson.yml.hbs
new file mode 100644
index 0000000000..1e920c96a1
--- /dev/null
+++ b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/agent/stream/httpjson.yml.hbs
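Review bot: `hit_count: 2` in test-default-config.yml pins an exact count without saying where the two events come from; the number depends on what the `sentinel_one` service fixture serves, which is not part of this hunk, so whoever changes that fixture has nothing telling them this assertion will move with it. A comment above `assert:` such as `# hit_count must match the number of alerts served by the service fixture` (adjusted to the actual fixture) would tie the two together. `api_token: xxxx` is presumably fine as a placeholder for the deployed test service, but naming it `test_api_token` as test-default.yml does would keep the fixtures consistent.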
@@ -0,0 +1,61 @@
+config_version: 2
+interval: {{interval}}
+request.tracer:
+ enabled: {{enable_request_tracer}}
+ filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+ maxbackups: 5
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.method: GET
+request.url: {{url}}/web/api/v2.1/cloud-detection/alerts
+request.transforms:
+ - set:
+ target: header.Authorization
+ value: 'ApiToken {{api_token}}'
+ - set:
+ target: url.params.limit
+ value: '100'
+ - set:
+ target: url.params.sortBy
+ value: 'alertInfoCreatedAt'
+ - set:
+ target: url.params.sortOrder
+ value: 'asc'
+ - set:
+ target: url.params.createdAt__gte
+ value: '[[formatDate (parseDate .cursor.last_create_at)]]'
+ default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]'
+{{#if site_ids }}
+ - set:
+ target: url.params.siteIds
+ value: '{{site_ids}}'
+{{/if}}
+response.pagination:
+ - set:
+ target: url.params.cursor
+ value: '[[if (ne .last_response.body.pagination.nextCursor nil)]][[.last_response.body.pagination.nextCursor]][[end]]'
+ fail_on_template_error: true
+cursor:
+ last_create_at:
+ value: '[[.last_event.alertInfo.createdAt]]'
+response.split:
+ target: body.data
+ ignore_empty_value: true
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 0000000000..900b9c04ab
--- /dev/null
+++ b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
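Review bot: `request.url: {{url}}/web/api/v2.1/cloud-detection/alerts` and `request.proxy_url: {{proxy_url}}` render user-supplied variables as bare YAML scalars, while `site_ids` and `api_token` in the same template are wrapped in single quotes; a value containing `: ` or ` #` would silently change the document structure instead of failing to render. Quote them the same way, `request.url: '{{url}}/web/api/v2.1/cloud-detection/alerts'` and `request.proxy_url: '{{proxy_url}}'`; the rendered policy in test-default.expected already shows the renderer re-serialising quoted scalars (`'100'` becomes `"100"`, `'asc'` becomes `asc`), so the expected files should not change. The `{{#if proxy_url }}` and `{{#if site_ids }}` helpers carry a trailing space that `{{#if ssl}}` and `{{#if processors}}` do not; pick one form. A one-line comment at the top noting that this template appears to be a benchmark copy of the sentinel_one alert stream would tell readers it is not the canonical integration.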
@@ -0,0 +1,839 @@ +--- +description: Pipeline for processing alert logs. +processors: + - remove: + field: + - organization + - division + - team + ignore_missing: true + if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String + tag: remove_agentless_tags + description: >- + Removes the fields added by Agentless as metadata, + as they can collide with ECS fields. + - set: + field: ecs.version + value: '8.11.0' + - set: + field: event.kind + value: event + - set: + field: event.category + value: [malware] + - set: + field: event.type + value: [info] + - rename: + field: message + target_field: event.original + ignore_missing: true + if: ctx.event?.original == null + - remove: + field: message + ignore_missing: true + if: 'ctx.event?.original != null' + description: 'The `message` field is no longer required if the document has an `event.original` field.' + - json: + field: event.original + target_field: json + ignore_failure: true + - fingerprint: + fields: + - json.alertInfo.createdAt + - json.alertInfo.updatedAt + - json.alertInfo.alertId + target_field: _id + ignore_missing: true + - rename: + field: json.agentDetectionInfo.machineType + target_field: host.type + ignore_missing: true + - rename: + field: json.agentDetectionInfo.name + target_field: host.name + ignore_missing: true + - append: + field: related.hosts + value: '{{{host.name}}}' + if: ctx.host?.name != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.agentDetectionInfo.osFamily + target_field: host.os.family + ignore_missing: true + - rename: + field: json.agentDetectionInfo.osRevision + target_field: host.os.version + ignore_missing: true + - rename: + field: json.agentDetectionInfo.siteId + target_field: sentinel_one.alert.agent.site_id + ignore_missing: true + - rename: + field: json.agentDetectionInfo.uuid + target_field: observer.serial_number + ignore_missing: true + - rename: + field: json.agentDetectionInfo.osName + 
target_field: host.os.name + ignore_missing: true + - rename: + field: json.agentDetectionInfo.version + target_field: observer.version + ignore_missing: true + - rename: + field: json.agentRealtimeInfo.id + target_field: sentinel_one.alert.agent.id + ignore_missing: true + - set: + field: host.id + copy_from: sentinel_one.alert.agent.id + if: ctx.sentinel_one?.alert?.agent?.id != null + - convert: + field: json.agentRealtimeInfo.infected + target_field: sentinel_one.alert.agent.infected + type: boolean + ignore_missing: true + on_failure: + - remove: + field: json.agentRealtimeInfo.infected + ignore_missing: true + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.agentRealtimeInfo.isActive + target_field: sentinel_one.alert.agent.is_active + type: boolean + ignore_missing: true + on_failure: + - remove: + field: json.agentRealtimeInfo.isActive + ignore_missing: true + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.agentRealtimeInfo.isDecommissioned + target_field: sentinel_one.alert.agent.is_decommissioned + type: boolean + ignore_missing: true + on_failure: + - remove: + field: json.agentRealtimeInfo.isDecommissioned + ignore_missing: true + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.agentRealtimeInfo.machineType + target_field: sentinel_one.alert.agent.machine_type + ignore_missing: true + - rename: + field: json.agentRealtimeInfo.name + target_field: sentinel_one.alert.agent.computer_name + ignore_missing: true + - set: + field: host.name + copy_from: sentinel_one.alert.agent.computer_name + if: ctx.sentinel_one?.alert?.agent?.computer_name != null + - rename: + field: json.agentRealtimeInfo.os + target_field: sentinel_one.alert.agent.os.type + ignore_missing: true + - script: + description: Dynamically set host.os.type values. 
+ tag: script_map_host_os_type + lang: painless + if: ctx.sentinel_one?.alert?.agent?.os?.type != null + params: + os_type: + - linux + - macos + - unix + - windows + - ios + - android + source: | + ctx.host = ctx.host ?: [:]; + ctx.host.os = ctx.host.os ?: [:]; + String os_type = ctx.sentinel_one.alert.agent.os.type.toLowerCase(); + for (String os: params.os_type) { + if (os_type.contains(os)) { + ctx.host.os.put('type', os); + return; + } + } + - date: + field: json.alertInfo.createdAt + if: ctx.json?.alertInfo?.createdAt != null + formats: + - ISO8601 + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.alertInfo.srcIp + target_field: source.ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: json.alertInfo.srcIp + ignore_missing: true + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - append: + field: related.ip + value: '{{{source.ip}}}' + if: ctx.source?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.alertInfo.incidentStatus + target_field: sentinel_one.alert.info.status + ignore_missing: true + - rename: + field: json.alertInfo.registryOldValue + target_field: sentinel_one.alert.info.registry.old_value + ignore_missing: true + - rename: + field: json.alertInfo.alertId + target_field: event.id + ignore_missing: true + - convert: + field: json.alertInfo.dstPort + target_field: destination.port + type: long + ignore_missing: true + on_failure: + - remove: + field: json.alertInfo.dstPort + ignore_missing: true + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.alertInfo.indicatorName + target_field: sentinel_one.alert.info.indicator.name + ignore_missing: true + - rename: + field: json.alertInfo.registryPath + target_field: registry.path + ignore_missing: true + - rename: + field: json.alertInfo.loginType + target_field: 
sentinel_one.alert.info.login.type + ignore_missing: true + - convert: + field: json.alertInfo.dstIp + target_field: destination.ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: json.alertInfo.dstIp + ignore_missing: true + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - append: + field: related.ip + value: '{{{destination.ip}}}' + if: ctx.destination?.ip != null + allow_duplicates: false + ignore_failure: true + - date: + field: json.alertInfo.updatedAt + target_field: sentinel_one.alert.info.updated_at + if: ctx.json?.alertInfo?.updatedAt != null + formats: + - ISO8601 + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.alertInfo.indicatorDescription + target_field: sentinel_one.alert.info.indicator.description + ignore_missing: true + - rename: + field: json.alertInfo.loginsUserName + target_field: user.name + ignore_missing: true + - append: + field: related.user + value: '{{{user.name}}}' + allow_duplicates: false + ignore_failure: true + - rename: + field: json.alertInfo.loginIsSuccessful + target_field: sentinel_one.alert.info.login.is_successful + ignore_missing: true + - rename: + field: json.alertInfo.indicatorCategory + target_field: sentinel_one.alert.info.indicator.category + ignore_missing: true + - rename: + field: json.alertInfo.modulePath + target_field: dll.path + ignore_missing: true + - rename: + field: json.alertInfo.loginAccountSid + target_field: sentinel_one.alert.info.login.account.sid + ignore_missing: true + - rename: + field: json.alertInfo.dnsResponse + target_field: sentinel_one.alert.info.dns.response + ignore_missing: true + - rename: + field: json.alertInfo.netEventDirection + target_field: network.direction + ignore_missing: true + if: ctx.json?.alertInfo?.netEventDirection != null && ['ingress', 'egress', 'inbound', 'outbound', 'internal', 'external', 'unknown'].contains(ctx.json.alertInfo.netEventDirection) + 
- rename: + field: json.alertInfo.registryValue + target_field: registry.value + ignore_missing: true + - convert: + field: json.alertInfo.srcMachineIp + type: ip + ignore_missing: true + on_failure: + - remove: + field: json.alertInfo.srcMachineIp + ignore_missing: true + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - append: + field: host.ip + value: '{{{json.alertInfo.srcMachineIp}}}' + if: ctx.json?.alertInfo?.srcMachineIp != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.ip + value: '{{{json.alertInfo.srcMachineIp}}}' + if: ctx.json?.alertInfo?.srcMachineIp != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.alertInfo.registryOldValueType + target_field: sentinel_one.alert.info.registry.old_value_type + ignore_missing: true + - rename: + field: json.alertInfo.eventType + target_field: sentinel_one.alert.info.event_type + ignore_missing: true + - rename: + field: json.alertInfo.analystVerdict + target_field: sentinel_one.alert.analyst_verdict + ignore_missing: true + - rename: + field: json.alertInfo.dvEventId + target_field: sentinel_one.alert.dv_event.id + ignore_missing: true + - rename: + field: json.alertInfo.dnsRequest + target_field: dns.question.name + ignore_missing: true + - rename: + field: json.alertInfo.loginIsAdministratorEquivalent + target_field: sentinel_one.alert.info.login.is_administrator + ignore_missing: true + - rename: + field: json.alertInfo.loginAccountDomain + target_field: user.domain + ignore_missing: true + - rename: + field: json.alertInfo.tiIndicatorType + target_field: sentinel_one.alert.info.ti_indicator.type + ignore_missing: true + - rename: + field: json.alertInfo.moduleSha1 + target_field: dll.hash.sha1 + ignore_missing: true + - append: + field: related.hash + value: '{{{dll.hash.sha1}}}' + if: ctx.dll?.hash?.sha1 != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.alertInfo.source + 
target_field: sentinel_one.alert.info.source + ignore_missing: true + - convert: + field: json.alertInfo.srcPort + target_field: source.port + type: long + ignore_missing: true + on_failure: + - remove: + field: json.alertInfo.srcPort + ignore_missing: true + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.alertInfo.tiIndicatorValue + target_field: sentinel_one.alert.info.ti_indicator.value + ignore_missing: true + - rename: + field: json.alertInfo.tiIndicatorSource + target_field: sentinel_one.alert.info.ti_indicator.source + ignore_missing: true + - date: + field: json.alertInfo.reportedAt + target_field: sentinel_one.alert.info.reported_at + if: ctx.json?.alertInfo?.reportedAt != null + formats: + - ISO8601 + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.alertInfo.registryKeyPath + target_field: registry.key + ignore_missing: true + - rename: + field: json.alertInfo.tiIndicatorComparisonMethod + target_field: sentinel_one.alert.info.ti_indicator.comparison_method + ignore_missing: true + - rename: + field: json.alertInfo.hitType + target_field: sentinel_one.alert.info.hit.type + ignore_missing: true + - rename: + field: json.containerInfo.id + target_field: container.id + ignore_missing: true + - rename: + field: json.containerInfo.image + target_field: container.image.name + ignore_missing: true + - rename: + field: json.containerInfo.labels + target_field: sentinel_one.alert.container.info.labels + ignore_missing: true + - rename: + field: json.containerInfo.name + target_field: container.name + ignore_missing: true + ignore_failure: true + if: ctx.container?.name == null + - rename: + field: json.kubernetesInfo.cluster + target_field: orchestrator.cluster.name + ignore_missing: true + ignore_failure: true + if: ctx.orchestrator?.cluster?.name == null + - rename: + field: json.kubernetesInfo.controllerKind + target_field: 
sentinel_one.alert.kubernetes.controller.kind + ignore_missing: true + - rename: + field: json.kubernetesInfo.controllerLabels + target_field: sentinel_one.alert.kubernetes.controller.labels + ignore_missing: true + - rename: + field: json.kubernetesInfo.controllerName + target_field: sentinel_one.alert.kubernetes.controller.name + ignore_missing: true + - rename: + field: json.kubernetesInfo.namespace + target_field: orchestrator.namespace + ignore_missing: true + ignore_failure: true + if: ctx.orchestrator?.namespace == null + - rename: + field: json.kubernetesInfo.namespaceLabels + target_field: sentinel_one.alert.kubernetes.namespace.labels + ignore_missing: true + - rename: + field: json.kubernetesInfo.node + target_field: sentinel_one.alert.kubernetes.node + ignore_missing: true + - rename: + field: json.kubernetesInfo.pod + target_field: sentinel_one.alert.kubernetes.pod.name + ignore_missing: true + - rename: + field: json.kubernetesInfo.podLabels + target_field: sentinel_one.alert.kubernetes.pod.labels + ignore_missing: true + - rename: + field: json.osName + target_field: observer.os.name + ignore_missing: true + - rename: + field: json.ruleInfo.type + target_field: rule.category + ignore_missing: true + - rename: + field: json.ruleInfo.description + target_field: rule.description + ignore_missing: true + - rename: + field: json.ruleInfo.id + target_field: rule.id + ignore_missing: true + - rename: + field: json.ruleInfo.name + target_field: rule.name + ignore_missing: true + - set: + field: message + copy_from: rule.name + if: ctx.rule?.name != null + - rename: + field: json.ruleInfo.scopeLevel + target_field: sentinel_one.alert.rule.scope_level + ignore_missing: true + - rename: + field: json.ruleInfo.severity + target_field: sentinel_one.alert.rule.severity + ignore_missing: true + - script: + lang: painless + description: Script to set event.severity. 
+ tag: set_event_severity + if: ctx.sentinel_one?.alert?.rule?.severity instanceof String + source: |- + ctx.event = ctx.event ?: [:]; + String risk_score_value = ctx.sentinel_one.alert.rule.severity; + if (risk_score_value.equalsIgnoreCase("low")) { + ctx.event.severity = 21; + } else if (risk_score_value.equalsIgnoreCase("medium")) { + ctx.event.severity = 47; + } else if (risk_score_value.equalsIgnoreCase("high")) { + ctx.event.severity = 73; + } else if (risk_score_value.equalsIgnoreCase("critical")) { + ctx.event.severity = 99; + } + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.ruleInfo.treatAsThreat + target_field: sentinel_one.alert.rule.treat_as_threat + ignore_missing: true + - rename: + field: json.sourceParentProcessInfo.commandline + target_field: process.parent.command_line + ignore_missing: true + - rename: + field: json.sourceParentProcessInfo.fileHashMd5 + target_field: process.parent.hash.md5 + ignore_missing: true + - append: + field: related.hash + value: '{{{process.parent.hash.md5}}}' + if: ctx.process?.parent?.hash?.md5 != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.sourceParentProcessInfo.fileHashSha1 + target_field: process.parent.hash.sha1 + ignore_missing: true + - append: + field: related.hash + value: '{{{process.parent.hash.sha1}}}' + if: ctx.process?.parent?.hash?.sha1 != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.sourceParentProcessInfo.fileHashSha256 + target_field: process.parent.hash.sha256 + ignore_missing: true + - append: + field: related.hash + value: '{{{process.parent.hash.sha256}}}' + if: ctx.process?.parent?.hash?.sha256 != null + allow_duplicates: false + ignore_failure: true + - rename: + field: 
json.sourceParentProcessInfo.filePath
+ target_field: process.parent.executable
+ ignore_missing: true
+ - rename:
+ field: json.sourceParentProcessInfo.fileSignerIdentity
+ target_field: process.parent.code_signature.signing_id
+ ignore_missing: true
+ - rename:
+ field: json.sourceParentProcessInfo.integrityLevel
+ target_field: sentinel_one.alert.process.parent.integrity_level
+ ignore_missing: true
+ - rename:
+ field: json.sourceParentProcessInfo.name
+ target_field: process.parent.name
+ ignore_missing: true
+ - convert:
+ field: json.sourceParentProcessInfo.pid
+ target_field: process.parent.pid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: json.sourceParentProcessInfo.pid
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - date:
+ field: json.sourceParentProcessInfo.pidStarttime
+ target_field: process.parent.start
+ if: ctx.json?.sourceParentProcessInfo?.pidStarttime != null
+ formats:
+ - ISO8601
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.sourceParentProcessInfo.storyline
+ target_field: sentinel_one.alert.process.parent.storyline
+ ignore_missing: true
+ - rename:
+ field: json.sourceParentProcessInfo.subsystem
+ target_field: sentinel_one.alert.process.parent.subsystem
+ ignore_missing: true
+ - rename:
+ field: json.sourceParentProcessInfo.uniqueId
+ target_field: process.parent.entity_id
+ ignore_missing: true
+ - rename:
+ field: json.sourceParentProcessInfo.user
+ target_field: process.parent.user.name
+ ignore_missing: true
+ - rename:
+ field: json.sourceProcessInfo.commandline
+ target_field: process.command_line
+ ignore_missing: true
+ - rename:
+ field: json.sourceProcessInfo.fileHashMd5
+ target_field: process.hash.md5
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: '{{{process.hash.md5}}}'
+ if: ctx.process?.hash?.md5 != null
+ allow_duplicates: false
+ ignore_failure: 
true
+ - rename:
+ field: json.sourceProcessInfo.fileHashSha1
+ target_field: process.hash.sha1
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: '{{{process.hash.sha1}}}'
+ if: ctx.process?.hash?.sha1 != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: json.sourceProcessInfo.fileHashSha256
+ target_field: process.hash.sha256
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: '{{{process.hash.sha256}}}'
+ if: ctx.process?.hash?.sha256 != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: json.sourceProcessInfo.filePath
+ target_field: process.executable
+ ignore_missing: true
+ - rename:
+ field: json.sourceProcessInfo.fileSignerIdentity
+ target_field: process.code_signature.signing_id
+ ignore_missing: true
+ - rename:
+ field: json.sourceProcessInfo.integrityLevel
+ target_field: sentinel_one.alert.process.integrity_level
+ ignore_missing: true
+ - rename:
+ field: json.sourceProcessInfo.name
+ target_field: process.name
+ ignore_missing: true
+ - convert:
+ field: json.sourceProcessInfo.pid
+ target_field: process.pid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: json.sourceProcessInfo.pid
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - date:
+ field: json.sourceProcessInfo.pidStarttime
+ target_field: process.start
+ if: ctx.json?.sourceProcessInfo?.pidStarttime != null
+ formats:
+ - ISO8601
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.sourceProcessInfo.storyline
+ target_field: sentinel_one.alert.process.storyline
+ ignore_missing: true
+ - rename:
+ field: json.sourceProcessInfo.subsystem
+ target_field: sentinel_one.alert.process.subsystem
+ ignore_missing: true
+ - rename:
+ field: json.sourceProcessInfo.uniqueId
+ target_field: process.entity_id
+ ignore_missing: true
+ - rename:
+ field: json.sourceProcessInfo.user
+ 
target_field: process.user.name
+ ignore_missing: true
+ - date:
+ field: json.targetProcessInfo.tgtFileCreatedAt
+ target_field: file.created
+ if: ctx.json?.targetProcessInfo?.tgtFileCreatedAt != null
+ formats:
+ - ISO8601
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.targetProcessInfo.tgtFileIsSigned
+ target_field: sentinel_one.alert.target.process.file.is_signed
+ ignore_missing: true
+ - rename:
+ field: json.targetProcessInfo.tgtFileOldPath
+ target_field: sentinel_one.alert.target.process.file.old_path
+ ignore_missing: true
+ - rename:
+ field: json.targetProcessInfo.tgtProcImagePath
+ target_field: sentinel_one.alert.target.process.proc.image_path
+ ignore_missing: true
+ - rename:
+ field: json.targetProcessInfo.tgtProcSignedStatus
+ target_field: sentinel_one.alert.target.process.proc.signed_status
+ ignore_missing: true
+ - rename:
+ field: json.targetProcessInfo.tgtFileHashSha256
+ target_field: sentinel_one.alert.target.process.file.hash.sha256
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: '{{{sentinel_one.alert.target.process.file.hash.sha256}}}'
+ if: ctx.sentinel_one?.alert?.target?.process?.file?.hash?.sha256 != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: json.targetProcessInfo.tgtProcStorylineId
+ target_field: sentinel_one.alert.target.process.proc.storyline_id
+ ignore_missing: true
+ - convert:
+ field: json.targetProcessInfo.tgtProcPid
+ target_field: sentinel_one.alert.target.process.proc.pid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: json.targetProcessInfo.tgtProcPid
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.targetProcessInfo.tgtProcCmdLine
+ target_field: sentinel_one.alert.target.process.proc.cmdline
+ ignore_missing: true
+ - rename:
+ field: json.targetProcessInfo.tgtProcName
+ target_field: 
sentinel_one.alert.target.process.proc.name
+ ignore_missing: true
+ - date:
+ field: json.targetProcessInfo.tgtFileModifiedAt
+ target_field: file.mtime
+ if: ctx.json?.targetProcessInfo?.tgtFileModifiedAt != null
+ formats:
+ - ISO8601
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.targetProcessInfo.tgtFileId
+ target_field: sentinel_one.alert.target.process.file.id
+ ignore_missing: true
+ - rename:
+ field: json.targetProcessInfo.tgtProcIntegrityLevel
+ target_field: sentinel_one.alert.target.process.proc.integrity_level
+ ignore_missing: true
+ - rename:
+ field: json.targetProcessInfo.tgtFileHashSha1
+ target_field: sentinel_one.alert.target.process.file.hash.sha1
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: '{{{sentinel_one.alert.target.process.file.hash.sha1}}}'
+ if: ctx.sentinel_one?.alert?.target?.process?.file?.hash?.sha1 != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: json.targetProcessInfo.tgtProcUid
+ target_field: sentinel_one.alert.target.process.proc.uid
+ ignore_missing: true
+ - date:
+ field: json.targetProcessInfo.tgtProcessStartTime
+ target_field: sentinel_one.alert.target.process.start_time
+ if: ctx.json?.targetProcessInfo?.tgtProcessStartTime != null
+ formats:
+ - ISO8601
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.targetProcessInfo.tgtFilePath
+ target_field: sentinel_one.alert.target.process.file.path
+ ignore_missing: true
+ - remove:
+ field: json
+ - script:
+ description: Drops null/empty values recursively.
+ lang: painless
+ source: |
+ boolean dropEmptyFields(Object object) {
+ if (object == null || object == '') {
+ return true;
+ } else if (object instanceof Map) {
+ ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+ return (((Map) object).size() == 0);
+ } else if (object instanceof List) {
+ ((List) object).removeIf(value -> dropEmptyFields(value));
+ return (((List) object).length == 0);
+ }
+ return false;
+ }
+ dropEmptyFields(ctx);
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/fields/agent.yml b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/fields/agent.yml
new file mode 100644
index 0000000000..894e6f12be
--- /dev/null
+++ b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/fields/agent.yml
@@ -0,0 +1,39 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/fields/base-fields.yml b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/fields/base-fields.yml
new file mode 100644
index 0000000000..39c2555b82
--- /dev/null
+++ b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: sentinel_one
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: sentinel_one.alert
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/fields/fields.yml b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/fields/fields.yml
new file mode 100644
index 0000000000..96d0375dd2
--- /dev/null
+++ b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/fields/fields.yml
@@ -0,0 +1,267 @@
+- name: sentinel_one.alert
+ type: group
+ fields:
+ - name: agent
+ type: group
+ fields:
+ - name: site_id
+ type: keyword
+ description: Site id.
+ - name: id
+ type: keyword
+ description: Agent ID.
+ - name: infected
+ type: boolean
+ description: Agent infected.
+ - name: is_active
+ type: boolean
+ description: Is active.
+ - name: is_decommissioned
+ type: boolean
+ description: Is decommissioned.
+ - name: machine_type
+ type: keyword
+ description: Machine type.
+ - name: computer_name
+ type: keyword
+ description: Computer distinguished name.
+ - name: os
+ type: group
+ fields:
+ - name: type
+ type: keyword
+ description: OS type.
+ - name: analyst_verdict
+ type: keyword
+ description: Analyst verdict.
+ - name: container
+ type: group
+ fields:
+ - name: info
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: Container info labels.
+ - name: dv_event
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: DV event id.
+ - name: info
+ type: group
+ fields:
+ - name: dns
+ type: group
+ fields:
+ - name: response
+ type: keyword
+ description: IP address, DNS, type, etc. in response.
+ - name: event_type
+ type: keyword
+ description: Event type.
+ - name: hit
+ type: group
+ fields:
+ - name: type
+ type: keyword
+ description: Type of hit reported from agent.
+ - name: indicator
+ type: group
+ fields:
+ - name: category
+ type: keyword
+ description: Indicator categories for this process.
+ - name: description
+ type: keyword
+ description: Indicator_description.
+ - name: name
+ type: keyword
+ description: Indicator names for this process.
+ - name: login
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: sid
+ type: keyword
+ description: SID of the account that attempted to login.
+ - name: is_administrator
+ type: keyword
+ description: Is the login attempt administrator equivalent.
+ - name: is_successful
+ type: keyword
+ description: Was the login attempt successful.
+ - name: type
+ type: keyword
+ description: Type of login which was performed.
+ - name: registry
+ type: group
+ fields:
+ - name: old_value
+ type: keyword
+ description: Registry previous value (in case of modification).
+ - name: old_value_type
+ type: keyword
+ description: Registry previous value type (in case of modification).
+ - name: reported_at
+ type: date
+ description: Timestamp of alert creation in STAR.
+ - name: source
+ type: keyword
+ description: Source reported from agent.
+ - name: status
+ type: keyword
+ description: Incident status.
+ - name: ti_indicator
+ type: group
+ fields:
+ - name: comparison_method
+ type: keyword
+ description: The comparison method used by SentinelOne to trigger the event.
+ - name: source
+ type: keyword
+ description: The value of the identified Threat Intelligence indicator.
+ - name: type
+ type: keyword
+ description: The type of the identified Threat Intelligence indicator.
+ - name: value
+ type: keyword
+ description: The value of the identified Threat Intelligence indicator.
+ - name: updated_at
+ type: date
+ description: Date of alert updated in Star MMS.
+ - name: kubernetes
+ type: group
+ fields:
+ - name: controller
+ type: group
+ fields:
+ - name: kind
+ type: keyword
+ description: Controller kind.
+ - name: labels
+ type: keyword
+ description: Controller labels.
+ - name: name
+ type: keyword
+ description: Controller name.
+ - name: namespace
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: Namespace labels.
+ - name: node
+ type: keyword
+ description: Node.
+ - name: pod
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: Pod Labels.
+ - name: name
+ type: keyword
+ description: Pod name.
+ - name: process
+ type: group
+ fields:
+ - name: integrity_level
+ type: keyword
+ description: Integrity level.
+ - name: parent
+ type: group
+ fields:
+ - name: integrity_level
+ type: keyword
+ description: Integrity level.
+ - name: storyline
+ type: keyword
+ description: StoryLine.
+ - name: subsystem
+ type: keyword
+ description: Subsystem.
+ - name: storyline
+ type: keyword
+ description: StoryLine.
+ - name: subsystem
+ type: keyword
+ description: Subsystem.
+ - name: rule
+ type: group
+ fields:
+ - name: scope_level
+ type: keyword
+ description: Scope level.
+ - name: severity
+ type: keyword
+ description: Rule severity.
+ - name: treat_as_threat
+ type: keyword
+ description: Rule treat as threat type.
+ - name: target
+ type: group
+ fields:
+ - name: process
+ type: group
+ fields:
+ - name: file
+ type: group
+ fields:
+ - name: hash
+ type: group
+ fields:
+ - name: sha1
+ type: keyword
+ description: SHA1 Signature of File.
+ - name: sha256
+ type: keyword
+ description: SHA256 Signature of File.
+ - name: id
+ type: keyword
+ description: Unique ID of file.
+ - name: is_signed
+ type: keyword
+ description: Is fle signed.
+ - name: old_path
+ type: keyword
+ description: Old path before 'Rename'.
+ - name: path
+ type: keyword
+ description: Path and filename.
+ - name: proc
+ type: group
+ fields:
+ - name: cmdline
+ type: keyword
+ description: Target Process Command Line.
+ - name: image_path
+ type: keyword
+ description: Target Process Image path
+ - name: integrity_level
+ type: keyword
+ description: Integrity level of target process.
+ - name: name
+ type: keyword
+ description: Target Process Name.
+ - name: pid
+ type: long
+ description: Target Process ID (PID).
+ - name: signed_status
+ type: keyword
+ description: Target Process Signed Status.
+ - name: storyline_id
+ type: keyword
+ description: Target Process StoryLine ID.
+ - name: uid
+ type: keyword
+ description: Target Process Unique ID.
+ - name: start_time
+ type: date
+ description: Target Process Start Time.
+- name: log.source.address
+ type: keyword
+ description: Source address from which the log event was read / sent from.
diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/manifest.yml b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/manifest.yml
new file mode 100644
index 0000000000..69c1926990
--- /dev/null
+++ b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/manifest.yml
@@ -0,0 +1,49 @@
+title: Collect Alert logs from SentinelOne
+type: logs
+streams:
+ - input: httpjson
+ title: Alert logs
+ description: Collect alert logs from SentinelOne.
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ description: "How far back to pull the alerts from SentinelOne. NOTE: Supported units for this parameter are h/m/s."
+ multi: false
+ required: true
+ show_user: true
+ default: 24h
+ - name: interval
+ type: text
+ title: Interval
+ description: "Duration between requests to the SentinelOne API. NOTE: Supported units for this parameter are h/m/s."
+ default: 30s
+ multi: false
+ required: true
+ show_user: true
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - sentinel_one-alert
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
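Review bot: The description of `ti_indicator.source` reads `The value of the identified Threat Intelligence indicator.`, identical to the description on `ti_indicator.value` two entries below, which looks like a copy-paste slip; `description: The source of the identified Threat Intelligence indicator.` would match the field name. Two smaller documentation nits in the same hunk: `Is fle signed.` under `target.process.file.is_signed` should read `Is file signed.`, and `Target Process Image path` is the only `proc` description without the trailing period its siblings use. `login.is_administrator` and `login.is_successful` are typed `keyword` although their descriptions read as yes/no questions; the sample event carries them as plain strings, so the type may well be deliberate, but a one-line comment saying why they are not `boolean` would save the next reader the same question.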
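Review bot: The stream manifest declares no variable for the SentinelOne API base URL or API token, yet the `httpjson` input configured through `template_path: httpjson.yml.hbs` cannot authenticate without them; presumably both are package-level variables in a manifest that is not part of this diff, which is worth confirming since the template is not shown either. Wherever the token variable is declared it should carry `secret: true` (if the package's spec version supports it) so Fleet stores it as a secret rather than in the agent policy in clear text. A one-line comment above `vars:` in this file, such as `# API URL and token come from the package-level manifest`, would make that dependency visible to readers of this stream.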
diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/sample_event.json b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/sample_event.json
new file mode 100644
index 0000000000..f5ea715584
--- /dev/null
+++ b/test/packages/benchmarks/system_benchmark_sentinel_one/data_stream/alert/sample_event.json
@@ -0,0 +1,276 @@ +{ + "@timestamp": "2018-02-27T04:49:26.257Z", + "agent": { + "ephemeral_id": "08bbc60c-bcdb-4947-b58b-db2a8b01a1fc", + "id": "18481dc1-1b98-402b-ac39-57dc51f6d92e", + "name": "elastic-agent-93569", + "type": "filebeat", + "version": "8.18.7" + }, + "container": { + "id": "string", + "image": { + "name": "string" + }, + "name": "string" + }, + "data_stream": { + "dataset": "sentinel_one.alert", + "namespace": "33685", + "type": "logs" + }, + "destination": { + "ip": "81.2.69.144", + "port": 1234 + }, + "dll": { + "hash": { + "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d" + }, + "path": "string" + }, + "dns": { + "question": { + "name": "string" + } + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "18481dc1-1b98-402b-ac39-57dc51f6d92e", + "snapshot": false, + "version": "8.18.7" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "malware" + ], + "created": "2025-09-22T11:51:54.640Z", + "dataset": "sentinel_one.alert", + "id": "888456789123456789", + "ingested": "2025-09-22T11:51:57Z", + "kind": "event", + "original": 
"{\"agentDetectionInfo\":{\"machineType\":\"string\",\"name\":\"string\",\"osFamily\":\"string\",\"osName\":\"string\",\"osRevision\":\"string\",\"siteId\":\"123456789123456789\",\"uuid\":\"string\",\"version\":\"3.x.x.x\"},\"alertInfo\":{\"alertId\":\"888456789123456789\",\"analystVerdict\":\"string\",\"createdAt\":\"2018-02-27T04:49:26.257525Z\",\"dnsRequest\":\"string\",\"dnsResponse\":\"string\",\"dstIp\":\"81.2.69.144\",\"dstPort\":\"1234\",\"dvEventId\":\"string\",\"eventType\":\"info\",\"hitType\":\"Events\",\"incidentStatus\":\"open\",\"indicatorCategory\":\"string\",\"indicatorDescription\":\"string\",\"indicatorName\":\"string\",\"loginAccountDomain\":\"string\",\"loginAccountSid\":\"string\",\"loginIsAdministratorEquivalent\":\"string\",\"loginIsSuccessful\":\"string\",\"loginType\":\"login\",\"loginsUserName\":\"string\",\"modulePath\":\"string\",\"moduleSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"netEventDirection\":\"string\",\"registryKeyPath\":\"string\",\"registryOldValue\":\"string\",\"registryOldValueType\":\"string\",\"registryPath\":\"string\",\"registryValue\":\"string\",\"reportedAt\":\"2018-02-27T04:49:26.257525Z\",\"source\":\"string\",\"srcIp\":\"81.2.69.142\",\"srcMachineIp\":\"81.2.69.142\",\"srcPort\":\"1234\",\"tiIndicatorComparisonMethod\":\"string\",\"tiIndicatorSource\":\"string\",\"tiIndicatorType\":\"string\",\"tiIndicatorValue\":\"string\",\"updatedAt\":\"2018-02-27T04:49:26.257525Z\"},\"containerInfo\":{\"id\":\"string\",\"image\":\"string\",\"labels\":\"string\",\"name\":\"string\"},\"kubernetesInfo\":{\"cluster\":\"string\",\"controllerKind\":\"string\",\"controllerLabels\":\"string\",\"controllerName\":\"string\",\"namespace\":\"string\",\"namespaceLabels\":\"string\",\"node\":\"string\",\"pod\":\"string\",\"podLabels\":\"string\"},\"ruleInfo\":{\"description\":\"string\",\"id\":\"string\",\"name\":\"string\",\"scopeLevel\":\"string\",\"severity\":\"Low\",\"treatAsThreat\":\"UNDEFINED\"},\"sourceParentProcessInfo\":{
\"commandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"sourceProcessInfo\":{\"commandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"targetProcessInfo\":{\"tgtFileCreatedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"tgtFileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"tgtFileId\":\"string\",\"tgtFileIsSigned\":\"string\",\"tgtFileModifiedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileOldPath\":\"string\",\"tgtFilePath\":\"string\",\"tgtProcCmdLine\":\"string\",\"tgtProcImagePath\":\"string\",\"tgtProcIntegrityLevel\":\"unknown\",\"tgtProcName\":\"string\",\"tgtProcPid\":\"12345\",\"tgtProcSignedStatus\":\"string\",\"tgtProcStorylineId\":\"string\",\"tgtProcUid\":\"string\",\"tgtProcessStartTime\":\"2018-02-27T04:49:26.257525Z\"}}", + "severity": 21, + "type": [ + "info" + ] + }, + "file": { + "created": "2018-02-27T04:49:26.257Z", + "mtime": "2018-02-27T04:49:26.257Z" + }, + "host": { + "ip": [ + "81.2.69.142" + ], + "name": "string", + "os": { + "family": "string", + "name": "string", + 
"version": "string" + }, + "type": "string" + }, + "input": { + "type": "httpjson" + }, + "message": "string", + "observer": { + "serial_number": "string", + "version": "3.x.x.x" + }, + "orchestrator": { + "cluster": { + "name": "string" + }, + "namespace": "string" + }, + "process": { + "code_signature": { + "signing_id": "string" + }, + "command_line": "string", + "entity_id": "string", + "executable": "string", + "hash": { + "md5": "5d41402abc4b2a76b9719d911017c592", + "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" + }, + "name": "string", + "parent": { + "code_signature": { + "signing_id": "string" + }, + "command_line": "string", + "entity_id": "string", + "executable": "string", + "hash": { + "md5": "5d41402abc4b2a76b9719d911017c592", + "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" + }, + "name": "string", + "pid": 12345, + "start": "2018-02-27T04:49:26.257Z", + "user": { + "name": "string" + } + }, + "pid": 12345, + "start": "2018-02-27T04:49:26.257Z", + "user": { + "name": "string" + } + }, + "registry": { + "key": "string", + "path": "string", + "value": "string" + }, + "related": { + "hash": [ + "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "5d41402abc4b2a76b9719d911017c592", + "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" + ], + "hosts": [ + "string" + ], + "ip": [ + "81.2.69.142", + "81.2.69.144" + ], + "user": [ + "string" + ] + }, + "rule": { + "description": "string", + "id": "string", + "name": "string" + }, + "sentinel_one": { + "alert": { + "agent": { + "site_id": "123456789123456789" + }, + "analyst_verdict": "string", + "container": { + "info": { + "labels": "string" + } + }, + "dv_event": { + "id": "string" + }, + "info": { + "dns": { + "response": "string" + }, + "event_type": "info", + "hit": { + "type": "Events" + }, + "indicator": { + "category": 
"string", + "description": "string", + "name": "string" + }, + "login": { + "account": { + "sid": "string" + }, + "is_administrator": "string", + "is_successful": "string", + "type": "login" + }, + "registry": { + "old_value": "string", + "old_value_type": "string" + }, + "reported_at": "2018-02-27T04:49:26.257Z", + "source": "string", + "status": "open", + "ti_indicator": { + "comparison_method": "string", + "source": "string", + "type": "string", + "value": "string" + }, + "updated_at": "2018-02-27T04:49:26.257Z" + }, + "kubernetes": { + "controller": { + "kind": "string", + "labels": "string", + "name": "string" + }, + "namespace": { + "labels": "string" + }, + "node": "string", + "pod": { + "labels": "string", + "name": "string" + } + }, + "process": { + "integrity_level": "unknown", + "parent": { + "integrity_level": "unknown", + "storyline": "string", + "subsystem": "unknown" + }, + "storyline": "string", + "subsystem": "unknown" + }, + "rule": { + "scope_level": "string", + "severity": "Low", + "treat_as_threat": "UNDEFINED" + }, + "target": { + "process": { + "file": { + "hash": { + "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" + }, + "id": "string", + "is_signed": "string", + "old_path": "string", + "path": "string" + }, + "proc": { + "cmdline": "string", + "image_path": "string", + "integrity_level": "unknown", + "name": "string", + "pid": 12345, + "signed_status": "string", + "storyline_id": "string", + "uid": "string" + }, + "start_time": "2018-02-27T04:49:26.257Z" + } + } + } + }, + "source": { + "ip": "81.2.69.142", + "port": 1234 + }, + "tags": [ + "preserve_original_event", + "forwarded", + "sentinel_one-alert" + ], + "user": { + "domain": "string", + "name": "string" + } +} 
diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/docs/README.md b/test/packages/benchmarks/system_benchmark_sentinel_one/docs/README.md
new file mode 100644
index 0000000000..d69a419024
--- /dev/null
+++ b/test/packages/benchmarks/system_benchmark_sentinel_one/docs/README.md
@@ -0,0 +1,428 @@ +# SentinelOne + +The [SentinelOne](https://www.sentinelone.com/) integration collects and parses data from SentinelOne REST APIs. This integration also offers the capability to perform response actions on SentinelOne hosts directly through the Elastic Security interface (introduced with v8.12.0). Additional configuration is required; for detailed guidance, refer to [documentation](https://www.elastic.co/guide/en/security/current/response-actions-config.html). + +## Agentless Enabled Integration +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. + +## Compatibility + +This module has been tested against `SentinelOne Management Console API version 2.1`. + +## API token + +To collect data from SentinelOne APIs, you must have an API token. To create an API token, follow these steps: + + 1. Log in to the **SentinelOne Management Console** as an **Admin**. + ![SentinelOne dashboards](../img/sentinel-one-dashboard.png) + 2. Navigate to **Logged User Account** from top right panel in the navigation bar. + 3. Click **My User**. + 4. In the API token section, navigate to **Actions** > **API Token Operators** > **Generate API Token**. + ![SentinelOne generate API token ](../img/sentinel-one-api-token-generate.png) + 5. Enter the MFA code, if enabled. 
+ ![SentinelOne generate MFA Code ](../img/sentinel-one-mfa-code.png) + 6. You will see the API token on the screen. + +**Permissions Required for the Role Attached to the User** + +| **Data Stream** | **Permission** | +|-------------------|---------------------------------| +| Activity | Activity -> view | +| Agent | Endpoints -> view | +| Alert | STAR Rule Alerts -> view | +| Application | Applications -> view | +| Application Risk | Applications -> viewRisks | +| Group | Groups -> view | +| Threat | Threats -> view | + +## Note + +The **alert** data stream depends on STAR Custom Rules. STAR Custom Rules are supported in Cloud environments, but are not supported in on-premises environments. Because of this, the **alert** data stream is not supported in on-premises environments. + +## Troubleshooting + +- The API token generated by the user is time-limited. The user must reconfigure a new API token before it expires. + - For console users, the default expiration time limit is 30 days. + - For service users, the expiration time limit is the same as the duration specified while generating the API token. + +## Alert severity mapping + +The values used in `event.severity` are consistent with Elastic Detection Rules. + +| Severity Name | `event.severity` | +|---------------|:----------------:| +| Low | 21 | +| Medium | 47 | +| High | 73 | +| Critical | 99 | + +## Logs + +### alert + +This is the `alert` dataset. 
+ +An example event for `alert` looks as following: + +```json +{ + "@timestamp": "2018-02-27T04:49:26.257Z", + "agent": { + "ephemeral_id": "08bbc60c-bcdb-4947-b58b-db2a8b01a1fc", + "id": "18481dc1-1b98-402b-ac39-57dc51f6d92e", + "name": "elastic-agent-93569", + "type": "filebeat", + "version": "8.18.7" + }, + "container": { + "id": "string", + "image": { + "name": "string" + }, + "name": "string" + }, + "data_stream": { + "dataset": "sentinel_one.alert", + "namespace": "33685", + "type": "logs" + }, + "destination": { + "ip": "81.2.69.144", + "port": 1234 + }, + "dll": { + "hash": { + "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d" + }, + "path": "string" + }, + "dns": { + "question": { + "name": "string" + } + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "18481dc1-1b98-402b-ac39-57dc51f6d92e", + "snapshot": false, + "version": "8.18.7" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "malware" + ], + "created": "2025-09-22T11:51:54.640Z", + "dataset": "sentinel_one.alert", + "id": "888456789123456789", + "ingested": "2025-09-22T11:51:57Z", + "kind": "event", + "original": 
"{\"agentDetectionInfo\":{\"machineType\":\"string\",\"name\":\"string\",\"osFamily\":\"string\",\"osName\":\"string\",\"osRevision\":\"string\",\"siteId\":\"123456789123456789\",\"uuid\":\"string\",\"version\":\"3.x.x.x\"},\"alertInfo\":{\"alertId\":\"888456789123456789\",\"analystVerdict\":\"string\",\"createdAt\":\"2018-02-27T04:49:26.257525Z\",\"dnsRequest\":\"string\",\"dnsResponse\":\"string\",\"dstIp\":\"81.2.69.144\",\"dstPort\":\"1234\",\"dvEventId\":\"string\",\"eventType\":\"info\",\"hitType\":\"Events\",\"incidentStatus\":\"open\",\"indicatorCategory\":\"string\",\"indicatorDescription\":\"string\",\"indicatorName\":\"string\",\"loginAccountDomain\":\"string\",\"loginAccountSid\":\"string\",\"loginIsAdministratorEquivalent\":\"string\",\"loginIsSuccessful\":\"string\",\"loginType\":\"login\",\"loginsUserName\":\"string\",\"modulePath\":\"string\",\"moduleSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"netEventDirection\":\"string\",\"registryKeyPath\":\"string\",\"registryOldValue\":\"string\",\"registryOldValueType\":\"string\",\"registryPath\":\"string\",\"registryValue\":\"string\",\"reportedAt\":\"2018-02-27T04:49:26.257525Z\",\"source\":\"string\",\"srcIp\":\"81.2.69.142\",\"srcMachineIp\":\"81.2.69.142\",\"srcPort\":\"1234\",\"tiIndicatorComparisonMethod\":\"string\",\"tiIndicatorSource\":\"string\",\"tiIndicatorType\":\"string\",\"tiIndicatorValue\":\"string\",\"updatedAt\":\"2018-02-27T04:49:26.257525Z\"},\"containerInfo\":{\"id\":\"string\",\"image\":\"string\",\"labels\":\"string\",\"name\":\"string\"},\"kubernetesInfo\":{\"cluster\":\"string\",\"controllerKind\":\"string\",\"controllerLabels\":\"string\",\"controllerName\":\"string\",\"namespace\":\"string\",\"namespaceLabels\":\"string\",\"node\":\"string\",\"pod\":\"string\",\"podLabels\":\"string\"},\"ruleInfo\":{\"description\":\"string\",\"id\":\"string\",\"name\":\"string\",\"scopeLevel\":\"string\",\"severity\":\"Low\",\"treatAsThreat\":\"UNDEFINED\"},\"sourceParentProcessInfo\":{
\"commandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"sourceProcessInfo\":{\"commandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"targetProcessInfo\":{\"tgtFileCreatedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"tgtFileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"tgtFileId\":\"string\",\"tgtFileIsSigned\":\"string\",\"tgtFileModifiedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileOldPath\":\"string\",\"tgtFilePath\":\"string\",\"tgtProcCmdLine\":\"string\",\"tgtProcImagePath\":\"string\",\"tgtProcIntegrityLevel\":\"unknown\",\"tgtProcName\":\"string\",\"tgtProcPid\":\"12345\",\"tgtProcSignedStatus\":\"string\",\"tgtProcStorylineId\":\"string\",\"tgtProcUid\":\"string\",\"tgtProcessStartTime\":\"2018-02-27T04:49:26.257525Z\"}}", + "severity": 21, + "type": [ + "info" + ] + }, + "file": { + "created": "2018-02-27T04:49:26.257Z", + "mtime": "2018-02-27T04:49:26.257Z" + }, + "host": { + "ip": [ + "81.2.69.142" + ], + "name": "string", + "os": { + "family": "string", + "name": "string", + 
"version": "string" + }, + "type": "string" + }, + "input": { + "type": "httpjson" + }, + "message": "string", + "observer": { + "serial_number": "string", + "version": "3.x.x.x" + }, + "orchestrator": { + "cluster": { + "name": "string" + }, + "namespace": "string" + }, + "process": { + "code_signature": { + "signing_id": "string" + }, + "command_line": "string", + "entity_id": "string", + "executable": "string", + "hash": { + "md5": "5d41402abc4b2a76b9719d911017c592", + "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" + }, + "name": "string", + "parent": { + "code_signature": { + "signing_id": "string" + }, + "command_line": "string", + "entity_id": "string", + "executable": "string", + "hash": { + "md5": "5d41402abc4b2a76b9719d911017c592", + "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" + }, + "name": "string", + "pid": 12345, + "start": "2018-02-27T04:49:26.257Z", + "user": { + "name": "string" + } + }, + "pid": 12345, + "start": "2018-02-27T04:49:26.257Z", + "user": { + "name": "string" + } + }, + "registry": { + "key": "string", + "path": "string", + "value": "string" + }, + "related": { + "hash": [ + "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "5d41402abc4b2a76b9719d911017c592", + "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" + ], + "hosts": [ + "string" + ], + "ip": [ + "81.2.69.142", + "81.2.69.144" + ], + "user": [ + "string" + ] + }, + "rule": { + "description": "string", + "id": "string", + "name": "string" + }, + "sentinel_one": { + "alert": { + "agent": { + "site_id": "123456789123456789" + }, + "analyst_verdict": "string", + "container": { + "info": { + "labels": "string" + } + }, + "dv_event": { + "id": "string" + }, + "info": { + "dns": { + "response": "string" + }, + "event_type": "info", + "hit": { + "type": "Events" + }, + "indicator": { + "category": 
"string", + "description": "string", + "name": "string" + }, + "login": { + "account": { + "sid": "string" + }, + "is_administrator": "string", + "is_successful": "string", + "type": "login" + }, + "registry": { + "old_value": "string", + "old_value_type": "string" + }, + "reported_at": "2018-02-27T04:49:26.257Z", + "source": "string", + "status": "open", + "ti_indicator": { + "comparison_method": "string", + "source": "string", + "type": "string", + "value": "string" + }, + "updated_at": "2018-02-27T04:49:26.257Z" + }, + "kubernetes": { + "controller": { + "kind": "string", + "labels": "string", + "name": "string" + }, + "namespace": { + "labels": "string" + }, + "node": "string", + "pod": { + "labels": "string", + "name": "string" + } + }, + "process": { + "integrity_level": "unknown", + "parent": { + "integrity_level": "unknown", + "storyline": "string", + "subsystem": "unknown" + }, + "storyline": "string", + "subsystem": "unknown" + }, + "rule": { + "scope_level": "string", + "severity": "Low", + "treat_as_threat": "UNDEFINED" + }, + "target": { + "process": { + "file": { + "hash": { + "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", + "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" + }, + "id": "string", + "is_signed": "string", + "old_path": "string", + "path": "string" + }, + "proc": { + "cmdline": "string", + "image_path": "string", + "integrity_level": "unknown", + "name": "string", + "pid": 12345, + "signed_status": "string", + "storyline_id": "string", + "uid": "string" + }, + "start_time": "2018-02-27T04:49:26.257Z" + } + } + } + }, + "source": { + "ip": "81.2.69.142", + "port": 1234 + }, + "tags": [ + "preserve_original_event", + "forwarded", + "sentinel_one-alert" + ], + "user": { + "domain": "string", + "name": "string" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.image.id | Image ID for the cloud instance. 
| keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset. | constant_keyword | +| event.module | Event module. | constant_keyword | +| host.containerized | If the host is a container. | boolean | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| sentinel_one.alert.agent.computer_name | Computer distinguished name. | keyword | +| sentinel_one.alert.agent.id | Agent ID. | keyword | +| sentinel_one.alert.agent.infected | Agent infected. | boolean | +| sentinel_one.alert.agent.is_active | Is active. | boolean | +| sentinel_one.alert.agent.is_decommissioned | Is decommissioned. | boolean | +| sentinel_one.alert.agent.machine_type | Machine type. | keyword | +| sentinel_one.alert.agent.os.type | OS type. | keyword | +| sentinel_one.alert.agent.site_id | Site id. | keyword | +| sentinel_one.alert.analyst_verdict | Analyst verdict. | keyword | +| sentinel_one.alert.container.info.labels | Container info labels. | keyword | +| sentinel_one.alert.dv_event.id | DV event id. | keyword | +| sentinel_one.alert.info.dns.response | IP address, DNS, type, etc. in response. | keyword | +| sentinel_one.alert.info.event_type | Event type. | keyword | +| sentinel_one.alert.info.hit.type | Type of hit reported from agent. | keyword | +| sentinel_one.alert.info.indicator.category | Indicator categories for this process. | keyword | +| sentinel_one.alert.info.indicator.description | Indicator_description. | keyword | +| sentinel_one.alert.info.indicator.name | Indicator names for this process. 
| keyword | +| sentinel_one.alert.info.login.account.sid | SID of the account that attempted to login. | keyword | +| sentinel_one.alert.info.login.is_administrator | Is the login attempt administrator equivalent. | keyword | +| sentinel_one.alert.info.login.is_successful | Was the login attempt successful. | keyword | +| sentinel_one.alert.info.login.type | Type of login which was performed. | keyword | +| sentinel_one.alert.info.registry.old_value | Registry previous value (in case of modification). | keyword | +| sentinel_one.alert.info.registry.old_value_type | Registry previous value type (in case of modification). | keyword | +| sentinel_one.alert.info.reported_at | Timestamp of alert creation in STAR. | date | +| sentinel_one.alert.info.source | Source reported from agent. | keyword | +| sentinel_one.alert.info.status | Incident status. | keyword | +| sentinel_one.alert.info.ti_indicator.comparison_method | The comparison method used by SentinelOne to trigger the event. | keyword | +| sentinel_one.alert.info.ti_indicator.source | The value of the identified Threat Intelligence indicator. | keyword | +| sentinel_one.alert.info.ti_indicator.type | The type of the identified Threat Intelligence indicator. | keyword | +| sentinel_one.alert.info.ti_indicator.value | The value of the identified Threat Intelligence indicator. | keyword | +| sentinel_one.alert.info.updated_at | Date of alert updated in Star MMS. | date | +| sentinel_one.alert.kubernetes.controller.kind | Controller kind. | keyword | +| sentinel_one.alert.kubernetes.controller.labels | Controller labels. | keyword | +| sentinel_one.alert.kubernetes.controller.name | Controller name. | keyword | +| sentinel_one.alert.kubernetes.namespace.labels | Namespace labels. | keyword | +| sentinel_one.alert.kubernetes.node | Node. | keyword | +| sentinel_one.alert.kubernetes.pod.labels | Pod Labels. | keyword | +| sentinel_one.alert.kubernetes.pod.name | Pod name. 
| keyword | +| sentinel_one.alert.process.integrity_level | Integrity level. | keyword | +| sentinel_one.alert.process.parent.integrity_level | Integrity level. | keyword | +| sentinel_one.alert.process.parent.storyline | StoryLine. | keyword | +| sentinel_one.alert.process.parent.subsystem | Subsystem. | keyword | +| sentinel_one.alert.process.storyline | StoryLine. | keyword | +| sentinel_one.alert.process.subsystem | Subsystem. | keyword | +| sentinel_one.alert.rule.scope_level | Scope level. | keyword | +| sentinel_one.alert.rule.severity | Rule severity. | keyword | +| sentinel_one.alert.rule.treat_as_threat | Rule treat as threat type. | keyword | +| sentinel_one.alert.target.process.file.hash.sha1 | SHA1 Signature of File. | keyword | +| sentinel_one.alert.target.process.file.hash.sha256 | SHA256 Signature of File. | keyword | +| sentinel_one.alert.target.process.file.id | Unique ID of file. | keyword | +| sentinel_one.alert.target.process.file.is_signed | Is fle signed. | keyword | +| sentinel_one.alert.target.process.file.old_path | Old path before 'Rename'. | keyword | +| sentinel_one.alert.target.process.file.path | Path and filename. | keyword | +| sentinel_one.alert.target.process.proc.cmdline | Target Process Command Line. | keyword | +| sentinel_one.alert.target.process.proc.image_path | Target Process Image path | keyword | +| sentinel_one.alert.target.process.proc.integrity_level | Integrity level of target process. | keyword | +| sentinel_one.alert.target.process.proc.name | Target Process Name. | keyword | +| sentinel_one.alert.target.process.proc.pid | Target Process ID (PID). | long | +| sentinel_one.alert.target.process.proc.signed_status | Target Process Signed Status. | keyword | +| sentinel_one.alert.target.process.proc.storyline_id | Target Process StoryLine ID. | keyword | +| sentinel_one.alert.target.process.proc.uid | Target Process Unique ID. | keyword | +| sentinel_one.alert.target.process.start_time | Target Process Start Time. 
| date | + + diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/manifest.yml b/test/packages/benchmarks/system_benchmark_sentinel_one/manifest.yml new file mode 100644 index 0000000000..3d274eacbd --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_sentinel_one/manifest.yml 
@@ -0,0 +1,153 @@ +format_version: "3.4.0" +name: sentinel_one +title: SentinelOne TEST +version: "1.41.0" +description: Collect logs from SentinelOne with Elastic Agent. +type: integration +categories: + - security + - edr_xdr +conditions: + kibana: + version: ^8.18.7 || ^8.19.4 || ^9.0.7 || ^9.1.4 +policy_templates: + - name: sentinel_one + title: SentinelOne + description: Collect logs from SentinelOne. + deployment_modes: + default: + enabled: true + agentless: + enabled: true + organization: security + division: engineering + team: security-service-integrations + inputs: + - type: cel + title: Collect SentinelOne logs via API (CEL) + description: Collecting SentinelOne logs via API. + vars: + - name: url + type: url + title: URL + description: Base URL of the SentinelOne Singularity Operations Center. It will be in the format `https://.sentinelone.net`. + multi: false + required: true + show_user: true + - name: api_token + type: password + title: API Token + description: API Token of the SentinelOne with API Access Level type. + required: true + secret: true + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http\[s\]://:@:. Please ensure your username and password are in URL encoded format. + - name: ssl + type: yaml + title: SSL Configuration + description: SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details. 
+ multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- + - type: httpjson + title: Collect SentinelOne logs via API (HTTP JSON) + description: Collecting SentinelOne logs via API. + vars: + - name: url + type: url + title: URL + description: Base URL of the SentinelOne Singularity Operations Center. It will be in the format `https://.sentinelone.net`. + multi: false + required: true + show_user: true + - name: enable_request_tracer + type: bool + title: Enable request tracing + default: false + multi: false + required: false + show_user: false + description: >- + The request tracer logs requests and responses to the agent's local file-system for debugging configurations. 
+ Enabling this request tracing compromises security and should only be used for debugging. Disabling the request + tracer will delete any stored traces. + See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename). + - name: api_token + type: password + title: API Token + description: API Token of the SentinelOne with API Access Level type. + required: true + secret: true + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http\[s\]://:@:. Please ensure your username and password are in URL encoded format. + - name: site_ids + type: text + title: Site IDs + multi: false + required: false + show_user: false + description: Comma separated list of Site IDs to filter by. Example - 225494730938493804,225494730938493915. + - name: ssl + type: yaml + title: SSL Configuration + description: SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details. 
+ multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- +owner: + github: elastic/security-service-integrations + type: elastic diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/validation.yml b/test/packages/benchmarks/system_benchmark_sentinel_one/validation.yml new file mode 100644 index 0000000000..0d5da50336 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_sentinel_one/validation.yml @@ -0,0 +1,4 @@ +errors: + exclude_checks: + - SVR00004 # References in dashboards. + - SVR00005 # Kibana version for saved tags. From 7faec54598be5f77c573d0438b3287761b2c064b Mon Sep 17 00:00:00 2001 
From: Mario Rodriguez Molins Date: Thu, 23 Oct 2025 12:22:39 +0200 Subject: [PATCH 04/23] Input packages do not use data stream vars --- internal/testrunner/runners/system/tester.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/testrunner/runners/system/tester.go b/internal/testrunner/runners/system/tester.go index 167f063925..555509cb17 100644 --- a/internal/testrunner/runners/system/tester.go +++ b/internal/testrunner/runners/system/tester.go @@ -1919,7 +1919,7 @@ func CreatePackageDatastream( suffix string, ) (kibana.PackageDataStream, error) { if pkg.Type == "input" { - return createInputPackageDatastream(kibanaPolicy, pkg, policyTemplate, cfgVars, cfgDSVars, suffix), nil + return createInputPackageDatastream(kibanaPolicy, pkg, policyTemplate, cfgVars, suffix), nil } if ds == nil { return kibana.PackageDataStream{}, fmt.Errorf("data stream manifest is required for integration packages") @@ -1991,7 +1991,7 @@ func createInputPackageDatastream( kibanaPolicy *kibana.Policy, pkg *packages.PackageManifest, policyTemplate packages.PolicyTemplate, - cfgVars, cfgDSVars common.MapStr, + cfgVars common.MapStr, suffix string, ) kibana.PackageDataStream { r := kibana.PackageDataStream{ From 32cc30a7f7f6b999d9b1583e58af26b573d03fe5 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Thu, 23 Oct 2025 16:19:22 +0200 Subject: [PATCH 05/23] Update loop to find system benchmarks --- scripts/test-check-packages.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/test-check-packages.sh b/scripts/test-check-packages.sh index 2b8c50df32..772337ba8e 100755 --- a/scripts/test-check-packages.sh +++ b/scripts/test-check-packages.sh 
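Review bot: After the first hunk, the exported `CreatePackageDatastream` still takes `cfgDSVars` but silently drops it on the `pkg.Type == "input"` path, so a caller that passes data-stream vars for an input package gets no signal that they were ignored. A doc comment on the function would make that contract explicit, e.g. `// cfgDSVars is ignored for input packages, whose data stream carries no variables of its own; only cfgVars are applied.` The signature of CreatePackageDatastream starts outside the hunk. The second hunk's removal of the parameter from `createInputPackageDatastream` is consistent with this, but the same caveat could be noted in that function's doc comment, which is also outside the hunk.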
@@ -76,12 +76,12 @@ run_system_benchmark() { local benchmark_filename="" local benchmark_name="" - for benchmark_file_path in $(find "${package_path}/_dev/benchmark/system/" -maxdepth 1 -mindepth 1 -type f -name "*.yml" ) ; do + while IFS= read -r -d '' benchmark_file_path; do benchmark_filename="$(basename "${benchmark_file_path}")" benchmark_name="${benchmark_filename%.*}" echo "--- Run system benchmarks for package ${package_name} - ${benchmark_name}" elastic-package benchmark system -C "$package_path" --benchmark "${benchmark_name}" -v --defer-cleanup 1s - done + done < <(find "${package_path}/_dev/benchmark/system/" -maxdepth 1 -mindepth 1 -type f -name "*.yml" -print0) } run_serverless_tests() { From f0fa83eed8bac777930d14ae317a69f527d8bc4a Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Thu, 23 Oct 2025 16:29:44 +0200 Subject: [PATCH 06/23] Add exception for non tested packages in benchmarks folder --- scripts/test-check-packages.sh | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/scripts/test-check-packages.sh b/scripts/test-check-packages.sh index 772337ba8e..1d5fce9768 100755 --- a/scripts/test-check-packages.sh +++ b/scripts/test-check-packages.sh @@ -171,7 +171,6 @@ for d in test/packages/${PACKAGE_TEST_TYPE}/${PACKAGE_UNDER_TEST}/; do package_to_test=$(basename "${d}") if [ "${PACKAGE_TEST_TYPE}" == "benchmarks" ]; then - # FIXME: There are other packages in test/packages/benchmarks folder that are not tested like rally_benchmark case "${package_to_test}" in pipeline_benchmark|use_pipeline_tests) run_pipeline_benchmark "${package_to_test}" "$d" 
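Review bot: The new `done < <(find ...)` line gives no failure signal when `${package_path}/_dev/benchmark/system/` is missing or holds no `*.yml`: `find` writes its complaint to stderr, the process substitution's exit status is never checked, and `run_system_benchmark` returns 0 having executed nothing, so the CI step passes green for a package that was never benchmarked. Consider guarding before the loop with `[ -d "${package_path}/_dev/benchmark/system" ] || { echo "No system benchmarks found in ${package_path}" >&2; return 1; }`, or counting loop iterations and failing when the count is zero. The `run_system_benchmark` function starts outside the hunk.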
@@ -179,6 +178,14 @@ for d in test/packages/${PACKAGE_TEST_TYPE}/${PACKAGE_UNDER_TEST}/; do system_benchmark*) run_system_benchmark "${package_to_test}" "$d" ;; + rally_benchmark) + # FIXME: There are other packages in test/packages/benchmarks folder that are not tested like rally_benchmark + # rally benchmarks require to install esrally tool in the host. + echo "Skipping rally_benchmark tests. esrally tool needs to be installed in the system." + ;; + *) + echo "Unknown benchmark package: ${package_to_test}" + exit 1 esac continue fi From 409db6528b393f327396149c784b3b7fbe566aa8 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Thu, 23 Oct 2025 17:45:13 +0200 Subject: [PATCH 07/23] Use same methods as in system tester to create package policy --- internal/benchrunner/runners/system/runner.go | 97 +++++++------------ internal/kibana/policies.go | 14 --- 2 files changed, 37 insertions(+), 74 deletions(-) diff --git a/internal/benchrunner/runners/system/runner.go b/internal/benchrunner/runners/system/runner.go index dc1d2e87be..b84e046000 100644 --- a/internal/benchrunner/runners/system/runner.go +++ b/internal/benchrunner/runners/system/runner.go @@ -32,6 +32,7 @@ import ( "github.com/elastic/elastic-package/internal/multierror" "github.com/elastic/elastic-package/internal/packages" "github.com/elastic/elastic-package/internal/servicedeployer" + "github.com/elastic/elastic-package/internal/testrunner/runners/system" "github.com/elastic/elastic-package/internal/wait" ) @@ -169,14 +170,6 @@ func (r *runner) setUp(ctx context.Context) error { return fmt.Errorf("reading package manifest failed: %w", err) } - policy, err := r.createBenchmarkPolicy(ctx, pkgManifest) - if err != nil { - return err - } - r.benchPolicy = policy - - // Delete old data - logger.Debug("deleting old data in data stream...") dataStreamManifest, err := packages.ReadDataStreamManifest( filepath.Join( common.DataStreamPath(r.options.PackageRootPath, r.scenario.DataStream.Name), 
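Review bot: The `*)` arm added in the second hunk prints its diagnostic to stdout and omits the `;;` terminator that every other arm of the `case` uses; bash tolerates a missing `;;` on the last arm, but the inconsistency invites a fall-through mistake when another arm is appended later. Suggest `echo "Unknown benchmark package: ${package_to_test}" >&2`, then `exit 1`, then `;;`. The FIXME comment moved into the `rally_benchmark` arm now cites rally_benchmark as an example of an untested package from inside its own arm, which no longer reads correctly; since the following comment line already gives the reason for skipping, drop the FIXME or reword it to `# FIXME: run rally benchmarks once esrally is available on the CI agents`. The enclosing `for` loop starts and ends outside both hunks.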
@@ -187,6 +180,12 @@ func (r *runner) setUp(ctx context.Context) error { return fmt.Errorf("reading data stream manifest failed: %w", err) } + policy, err := r.createBenchmarkPolicy(ctx, pkgManifest, dataStreamManifest) + if err != nil { + return err + } + r.benchPolicy = policy + r.runtimeDataStream = fmt.Sprintf( "%s-%s.%s-%s", dataStreamManifest.Type, @@ -210,6 +209,7 @@ func (r *runner) setUp(ctx context.Context) error { return nil } + logger.Debug("deleting old data in data stream...") if err := r.deleteDataStreamDocs(ctx, r.runtimeDataStream); err != nil { return fmt.Errorf("error deleting old data in data stream: %s: %w", r.runtimeDataStream, err) } @@ -367,7 +367,7 @@ func (r *runner) deleteDataStreamDocs(ctx context.Context, dataStream string) er return nil } -func (r *runner) createBenchmarkPolicy(ctx context.Context, pkgManifest *packages.PackageManifest) (*kibana.Policy, error) { +func (r *runner) createBenchmarkPolicy(ctx context.Context, pkgManifest *packages.PackageManifest, dataStreamManifest *packages.DataStreamManifest) (*kibana.Policy, error) { // Configure package (single data stream) via Ingest Manager APIs. logger.Debug("creating benchmark policy...") benchTime := time.Now().Format("20060102T15:04:05Z") 
@@ -385,22 +385,42 @@ func (r *runner) createBenchmarkPolicy(ctx context.Context, pkgManifest *package policy, err := r.options.KibanaClient.CreatePolicy(ctx, p) if err != nil { - return nil, err + return nil, fmt.Errorf("failed to create benchmark policy: %w", err) } - packagePolicy, err := r.createPackagePolicy(ctx, pkgManifest, policy) + if r.scenario.PolicyTemplate == "" { + policyTemplateName, err := system.FindPolicyTemplateForInput(pkgManifest, dataStreamManifest, r.scenario.Input) + if err != nil { + return nil, fmt.Errorf("failed to determine the associated policy_template: %w", err) + } + r.scenario.PolicyTemplate = policyTemplateName + } + policyTemplate, err := system.SelectPolicyTemplateByName(pkgManifest.PolicyTemplates, r.scenario.PolicyTemplate) if err != nil { - return nil, err + return nil, fmt.Errorf("failed to find the selected policy_template: %w", err) + } + + logger.Debug("adding package data stream to benchmark policy...") + ds, err := system.CreatePackageDatastream( + policy, + pkgManifest, + policyTemplate, + dataStreamManifest, + r.scenario.Input, + r.scenario.Vars, + r.scenario.DataStream.Vars, + policy.Namespace) + if err != nil { + return nil, fmt.Errorf("could not create package data stream: %w", err) + } + + if err := r.options.KibanaClient.AddPackageDataStreamToPolicy(ctx, ds); err != nil { + return nil, fmt.Errorf("could not add data stream config to policy: %w", err) } r.deletePolicyHandler = func(ctx context.Context) error { var merr multierror.Error - logger.Debug("deleting benchmark package policy...") - if err := r.options.KibanaClient.DeletePackagePolicy(ctx, *packagePolicy); err != nil { - merr = append(merr, fmt.Errorf("error cleaning up benchmark package policy: %w", err)) - } - logger.Debug("deleting benchmark policy...") if err := r.options.KibanaClient.DeletePolicy(ctx, policy.ID); err != nil { merr = append(merr, fmt.Errorf("error cleaning up benchmark policy: %w", err)) 
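Review bot: The replacement block drops two side effects of the removed `createPackagePolicy`: it no longer defaults `r.scenario.Version` to `pkgManifest.Version` or `r.scenario.Package` to `pkgManifest.Name` when the scenario file leaves them empty, so if either field is read later (for example when results are reported) it will now be blank. If they are still consumed, restore the two defaults next to the new `PolicyTemplate` defaulting, as sketched below. The new `deletePolicyHandler` also relies on `DeletePolicy` removing the package data stream attached by `AddPackageDataStreamToPolicy`, since the explicit `DeletePackagePolicy` call is gone; Fleet is presumably expected to cascade this when the agent policy is deleted, and a comment such as `// The package policy attached via AddPackageDataStreamToPolicy is removed together with the agent policy.` would record that assumption for the next reader. `createBenchmarkPolicy` continues outside the hunk.
```go
	if r.scenario.PolicyTemplate == "" {
		// … unchanged: FindPolicyTemplateForInput lookup …
	}
	// Defaults previously applied by the removed createPackagePolicy.
	if r.scenario.Version == "" {
		r.scenario.Version = pkgManifest.Version
	}
	if r.scenario.Package == "" {
		r.scenario.Package = pkgManifest.Name
	}
	// … unchanged: SelectPolicyTemplateByName and CreatePackageDatastream …
```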
@@ -416,49 +436,6 @@ func (r *runner) createBenchmarkPolicy(ctx context.Context, pkgManifest *package return policy, nil } -func (r *runner) createPackagePolicy(ctx context.Context, pkgManifest *packages.PackageManifest, p *kibana.Policy) (*kibana.PackagePolicy, error) { - logger.Debug("creating package policy...") - - if r.scenario.Version == "" { - r.scenario.Version = pkgManifest.Version - } - - if r.scenario.Package == "" { - r.scenario.Package = pkgManifest.Name - } - - if r.scenario.PolicyTemplate == "" { - r.scenario.PolicyTemplate = pkgManifest.PolicyTemplates[0].Name - } - - pp := kibana.PackagePolicy{ - Namespace: "ep", - PolicyID: p.ID, - Force: true, - Inputs: map[string]kibana.PackagePolicyInput{ - fmt.Sprintf("%s-%s", r.scenario.PolicyTemplate, r.scenario.Input): { - Enabled: true, - Vars: r.scenario.Vars, - Streams: map[string]kibana.PackagePolicyStream{ - fmt.Sprintf("%s.%s", pkgManifest.Name, r.scenario.DataStream.Name): { - Enabled: true, - Vars: r.scenario.DataStream.Vars, - }, - }, - }, - }, - } - pp.Package.Name = pkgManifest.Name - pp.Package.Version = r.scenario.Version - - policy, err := r.options.KibanaClient.CreatePackagePolicy(ctx, pp) - if err != nil { - return nil, err - } - - return policy, nil -} - func (r *runner) initializeGenerator(ctx context.Context) (genlib.Generator, error) { totEvents := r.scenario.Corpora.Generator.TotalEvents diff --git a/internal/kibana/policies.go b/internal/kibana/policies.go index 5b618fb82f..846dfab233 100644 --- a/internal/kibana/policies.go +++ b/internal/kibana/policies.go 
@@ -379,17 +379,3 @@ func (c *Client) UpgradePackagePolicyToLatest(ctx context.Context, policyIDs ...
 }
 return nil
 }
-
-// DeletePackagePolicy removes the given Package Policy from Fleet.
-func (c *Client) DeletePackagePolicy(ctx context.Context, p PackagePolicy) error {
- statusCode, respBody, err := c.delete(ctx, path.Join(FleetAPI, "package_policies", p.ID))
- if err != nil {
- return fmt.Errorf("could not delete package policy: %w", err)
- }
-
- if statusCode != http.StatusOK {
- return fmt.Errorf("could not delete package policy; API status code = %d; response body = %s", statusCode, respBody)
- }
-
- return nil
-}
From fde61a683370b05689f87a98e2c0d9ca8943ce56 Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Thu, 23 Oct 2025 18:26:51 +0200
Subject: [PATCH 08/23] Delete data stream at the end of the benchmark
---
 internal/benchrunner/runners/system/runner.go | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/internal/benchrunner/runners/system/runner.go b/internal/benchrunner/runners/system/runner.go
index b84e046000..56c32ae32f 100644
--- a/internal/benchrunner/runners/system/runner.go
+++ b/internal/benchrunner/runners/system/runner.go
@@ -206,6 +206,9 @@ func (r *runner) setUp(ctx context.Context) error {
 if err := r.deleteDataStreamDocs(ctx, r.runtimeDataStream); err != nil {
 return fmt.Errorf("error deleting data in data stream: %w", err)
 }
+ if err := r.deleteDataStream(ctx, r.runtimeDataStream); err != nil {
+ return fmt.Errorf("error deleting data in data stream: %w", err)
+ }
 return nil
 }
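Review bot: The added `deleteDataStream` check reuses the exact error string of the `deleteDataStreamDocs` check right above it, `error deleting data in data stream: %w`, so a failure of either call is indistinguishable in the output; use `return fmt.Errorf("error deleting data stream %s: %w", r.runtimeDataStream, err)` for the new one. Deleting the documents and then deleting the whole data stream immediately after also looks redundant, since dropping the stream removes its backing indices; if the document deletion is kept on purpose, a comment saying why would help. The hunk header names setUp, but the surrounding `return nil }` suggests this sits inside a closure declared there; the enclosing function starts and ends outside the hunk.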
@@ -367,6 +370,24 @@ func (r *runner) deleteDataStreamDocs(ctx context.Context, dataStream string) er
 return nil
 }
+func (r *runner) deleteDataStream(ctx context.Context, dataStream string) error {
+ resp, err := r.options.ESAPI.Indices.DeleteDataStream([]string{dataStream},
+ r.options.ESAPI.Indices.DeleteDataStream.WithContext(ctx),
+ )
+ if err != nil {
+ return fmt.Errorf("delete request failed for data stream %s: %w", dataStream, err)
+ }
+ defer resp.Body.Close()
+ if resp.StatusCode == http.StatusNotFound {
+ // Data stream doesn't exist, there was nothing to do.
+ return nil
+ }
+ if resp.IsError() {
+ return fmt.Errorf("delete request failed for data stream %s: %s", dataStream, resp.String())
+ }
+ return nil
+}
+
 func (r *runner) createBenchmarkPolicy(ctx context.Context, pkgManifest *packages.PackageManifest, dataStreamManifest *packages.DataStreamManifest) (*kibana.Policy, error) {
 // Configure package (single data stream) via Ingest Manager APIs.
 logger.Debug("creating benchmark policy...")
From 6ebbadefc97ff29040a65e9461c0ae9d89510715 Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Thu, 23 Oct 2025 19:58:41 +0200
Subject: [PATCH 09/23] Add package and version assignments
---
 internal/benchrunner/runners/system/runner.go | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/internal/benchrunner/runners/system/runner.go b/internal/benchrunner/runners/system/runner.go
index 56c32ae32f..bf17af5457 100644
--- a/internal/benchrunner/runners/system/runner.go
+++ b/internal/benchrunner/runners/system/runner.go
@@ -180,6 +180,14 @@ func (r *runner) setUp(ctx context.Context) error {
 return fmt.Errorf("reading data stream manifest failed: %w", err)
 }
+ if r.scenario.Version == "" {
+ r.scenario.Version = pkgManifest.Version
+ }
+
+ if r.scenario.Package == "" {
+ r.scenario.Package = pkgManifest.Name
+ }
+
 policy, err := r.createBenchmarkPolicy(ctx, pkgManifest, dataStreamManifest)
 if err != nil {
 return err
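Review bot: `deleteDataStream` has no doc comment and its 404 handling is the non-obvious part; suggest `// deleteDataStream removes the benchmark's runtime data stream and its backing indices. A 404 is treated as success so the cleanup can run more than once.` above the func. `resp.IsError()` also reports true for a 404, so the `http.StatusNotFound` branch must stay ahead of it, which is worth adding to the existing inline comment. The hunk uses `http.StatusNotFound` in runner.go; if `net/http` was not already imported there this does not build, which I cannot confirm from the diff.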
From 6aadd001ed2d8e6bd956b2a0f92e59a314de3668 Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Fri, 24 Oct 2025 11:46:44 +0200
Subject: [PATCH 10/23] Revert changes to test again with same API request
---
 internal/benchrunner/runners/system/runner.go | 208 +++++++++++++-----
 internal/kibana/policies.go | 25 ++-
 2 files changed, 174 insertions(+), 59 deletions(-)
diff --git a/internal/benchrunner/runners/system/runner.go b/internal/benchrunner/runners/system/runner.go
index bf17af5457..2fdefde3c4 100644
--- a/internal/benchrunner/runners/system/runner.go
+++ b/internal/benchrunner/runners/system/runner.go
@@ -26,13 +26,15 @@ import (
 "github.com/elastic/elastic-package/internal/benchrunner"
 "github.com/elastic/elastic-package/internal/benchrunner/reporters"
 "github.com/elastic/elastic-package/internal/benchrunner/runners/common"
+
+ // commonHelpers "github.com/elastic/elastic-package/internal/common"
+ // commonHelpers "github.com/elastic/elastic-package/internal/common"
 "github.com/elastic/elastic-package/internal/configuration/locations"
 "github.com/elastic/elastic-package/internal/kibana"
 "github.com/elastic/elastic-package/internal/logger"
 "github.com/elastic/elastic-package/internal/multierror"
 "github.com/elastic/elastic-package/internal/packages"
 "github.com/elastic/elastic-package/internal/servicedeployer"
- "github.com/elastic/elastic-package/internal/testrunner/runners/system"
 "github.com/elastic/elastic-package/internal/wait"
 )
@@ -41,7 +43,7 @@ const (
 // are stored on the Agent container's filesystem.
 ServiceLogsAgentDir = "/tmp/service_logs"
- // BenchType defining system benchmark
+ // BenchType defining system benchmark/
 BenchType benchrunner.Type = "system"
 )
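Review bot: The import hunk adds the identical commented-out line `// commonHelpers "github.com/elastic/elastic-package/internal/common"` twice, and the const hunk rewrites the doc comment to `// BenchType defining system benchmark/` with a stray trailing slash; both read as leftovers of the experiment the commit message describes. If the `commonHelpers` import is not coming back, drop both commented lines and the added blank line so the import group stays as gofmt left it, and restore `// BenchType defining system benchmark`.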
@@ -182,18 +184,27 @@ func (r *runner) setUp(ctx context.Context) error { if r.scenario.Version == "" { r.scenario.Version = pkgManifest.Version + } else { + // If the scenario version is set, override the package manifest version + // This is needed to create the policy with the correct version + pkgManifest.Version = r.scenario.Version } if r.scenario.Package == "" { r.scenario.Package = pkgManifest.Name } - - policy, err := r.createBenchmarkPolicy(ctx, pkgManifest, dataStreamManifest) + policy, err := r.createBenchmarkPolicy(ctx, pkgManifest) if err != nil { return err } r.benchPolicy = policy + // policy, err := r.createBenchmarkPolicy(ctx, pkgManifest, dataStreamManifest) + // if err != nil { + // return err + // } + // r.benchPolicy = policy + r.runtimeDataStream = fmt.Sprintf( "%s-%s.%s-%s", dataStreamManifest.Type, @@ -214,9 +225,6 @@ func (r *runner) setUp(ctx context.Context) error { if err := r.deleteDataStreamDocs(ctx, r.runtimeDataStream); err != nil { return fmt.Errorf("error deleting data in data stream: %w", err) } - if err := r.deleteDataStream(ctx, r.runtimeDataStream); err != nil { - return fmt.Errorf("error deleting data in data stream: %w", err) - } return nil } 
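Review bot: The new `else` branch mutates the shared manifest, `pkgManifest.Version = r.scenario.Version`, so everything that reads `pkgManifest` later in setUp sees the scenario's version instead of what the package declares. The comment says this is needed to create the policy with the right version, but the `createPackagePolicy` restored in this same commit already sets `pp.Package.Version = r.scenario.Version` directly, so it is unclear what still reads the manifest field; either name that reader in the comment or drop the override. The commented-out alternative `createBenchmarkPolicy` call below it should be deleted rather than kept in the source, since git history retains it. setUp starts and ends outside the hunk.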
@@ -378,25 +386,94 @@ func (r *runner) deleteDataStreamDocs(ctx context.Context, dataStream string) er return nil } -func (r *runner) deleteDataStream(ctx context.Context, dataStream string) error { - resp, err := r.options.ESAPI.Indices.DeleteDataStream([]string{dataStream}, - r.options.ESAPI.Indices.DeleteDataStream.WithContext(ctx), - ) - if err != nil { - return fmt.Errorf("delete request failed for data stream %s: %w", dataStream, err) - } - defer resp.Body.Close() - if resp.StatusCode == http.StatusNotFound { - // Data stream doesn't exist, there was nothing to do. - return nil - } - if resp.IsError() { - return fmt.Errorf("delete request failed for data stream %s: %s", dataStream, resp.String()) - } - return nil -} - -func (r *runner) createBenchmarkPolicy(ctx context.Context, pkgManifest *packages.PackageManifest, dataStreamManifest *packages.DataStreamManifest) (*kibana.Policy, error) { +//func (r *runner) deleteDataStream(ctx context.Context, dataStream string) error { +// resp, err := r.options.ESAPI.Indices.DeleteDataStream([]string{dataStream}, +// r.options.ESAPI.Indices.DeleteDataStream.WithContext(ctx), +// ) +// if err != nil { +// return fmt.Errorf("delete request failed for data stream %s: %w", dataStream, err) +// } +// defer resp.Body.Close() +// if resp.StatusCode == http.StatusNotFound { +// // Data stream doesn't exist, there was nothing to do. +// return nil +// } +// if resp.IsError() { +// return fmt.Errorf("delete request failed for data stream %s: %s", dataStream, resp.String()) +// } +// return nil +//} + +// func (r *runner) createBenchmarkPolicy(ctx context.Context, pkgManifest *packages.PackageManifest, dataStreamManifest *packages.DataStreamManifest) (*kibana.Policy, error) { +// // Configure package (single data stream) via Ingest Manager APIs. 
+// logger.Debug("creating benchmark policy...") +// benchTime := time.Now().Format("20060102T15:04:05Z") +// p := kibana.Policy{ +// Name: fmt.Sprintf("ep-bench-%s-%s", r.options.BenchName, benchTime), +// Description: fmt.Sprintf("policy created by elastic-package for benchmark %s", r.options.BenchName), +// Namespace: "ep38915", // fmt.Sprintf("ep%s", commonHelpers.CreateTestRunID()), +// MonitoringEnabled: []string{"logs", "metrics"}, +// } +// +// // Assign the data_output_id to the agent policy to configure the output to logstash. The value is inferred from stack/_static/kibana.yml.tmpl +// if r.options.Profile.Config("stack.logstash_enabled", "false") == "true" { +// p.DataOutputID = "fleet-logstash-output" +// } +// +// policy, err := r.options.KibanaClient.CreatePolicy(ctx, p) +// if err != nil { +// return nil, fmt.Errorf("failed to create benchmark policy: %w", err) +// } +// +// if r.scenario.PolicyTemplate == "" { +// policyTemplateName, err := system.FindPolicyTemplateForInput(pkgManifest, dataStreamManifest, r.scenario.Input) +// if err != nil { +// return nil, fmt.Errorf("failed to determine the associated policy_template: %w", err) +// } +// r.scenario.PolicyTemplate = policyTemplateName +// } +// policyTemplate, err := system.SelectPolicyTemplateByName(pkgManifest.PolicyTemplates, r.scenario.PolicyTemplate) +// if err != nil { +// return nil, fmt.Errorf("failed to find the selected policy_template: %w", err) +// } +// +// logger.Debug("adding package data stream to benchmark policy...") +// ds, err := system.CreatePackageDatastream( +// policy, +// pkgManifest, +// policyTemplate, +// dataStreamManifest, +// r.scenario.Input, +// r.scenario.Vars, +// r.scenario.DataStream.Vars, +// policy.Namespace) +// if err != nil { +// return nil, fmt.Errorf("could not create package data stream: %w", err) +// } +// +// if err := r.options.KibanaClient.AddPackageDataStreamToPolicy(ctx, ds); err != nil { +// return nil, fmt.Errorf("could not add data stream 
config to policy: %w", err) +// } +// +// r.deletePolicyHandler = func(ctx context.Context) error { +// var merr multierror.Error +// +// logger.Debug("deleting benchmark policy...") +// if err := r.options.KibanaClient.DeletePolicy(ctx, policy.ID); err != nil { +// merr = append(merr, fmt.Errorf("error cleaning up benchmark policy: %w", err)) +// } +// +// if len(merr) > 0 { +// return merr +// } +// +// return nil +// } +// +// return policy, nil +// } + +func (r *runner) createBenchmarkPolicy(ctx context.Context, pkgManifest *packages.PackageManifest) (*kibana.Policy, error) { // Configure package (single data stream) via Ingest Manager APIs. logger.Debug("creating benchmark policy...") benchTime := time.Now().Format("20060102T15:04:05Z") 
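Review bot: Roughly eighty commented-out lines (`//func (r *runner) deleteDataStream…` through the `// }` just before the live `createBenchmarkPolicy`) are dead code kept in the file; the commit message presents this as a temporary revert, but if it lands the block should go, since git history preserves it. The commented copy also carries the literal namespace `"ep38915"` in place of the generated value, which should not be resurrected as-is. The `//func` form without a space after the markers is not what gofmt produces for comments either.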
@@ -414,42 +491,22 @@ func (r *runner) createBenchmarkPolicy(ctx context.Context, pkgManifest *package
 policy, err := r.options.KibanaClient.CreatePolicy(ctx, p)
 if err != nil {
- return nil, fmt.Errorf("failed to create benchmark policy: %w", err)
+ return nil, err
 }
- if r.scenario.PolicyTemplate == "" {
- policyTemplateName, err := system.FindPolicyTemplateForInput(pkgManifest, dataStreamManifest, r.scenario.Input)
- if err != nil {
- return nil, fmt.Errorf("failed to determine the associated policy_template: %w", err)
- }
- r.scenario.PolicyTemplate = policyTemplateName
- }
- policyTemplate, err := system.SelectPolicyTemplateByName(pkgManifest.PolicyTemplates, r.scenario.PolicyTemplate)
- if err != nil {
- return nil, fmt.Errorf("failed to find the selected policy_template: %w", err)
- }
-
- logger.Debug("adding package data stream to benchmark policy...")
- ds, err := system.CreatePackageDatastream(
- policy,
- pkgManifest,
- policyTemplate,
- dataStreamManifest,
- r.scenario.Input,
- r.scenario.Vars,
- r.scenario.DataStream.Vars,
- policy.Namespace)
+ packagePolicy, err := r.createPackagePolicy(ctx, pkgManifest, policy)
 if err != nil {
- return nil, fmt.Errorf("could not create package data stream: %w", err)
- }
-
- if err := r.options.KibanaClient.AddPackageDataStreamToPolicy(ctx, ds); err != nil {
- return nil, fmt.Errorf("could not add data stream config to policy: %w", err)
+ return nil, err
 }
 r.deletePolicyHandler = func(ctx context.Context) error {
 var merr multierror.Error
+ logger.Debug("deleting benchmark package policy...")
+ if err := r.options.KibanaClient.DeletePackagePolicy(ctx, *packagePolicy); err != nil {
+ merr = append(merr, fmt.Errorf("error cleaning up benchmark package policy: %w", err))
+ }
+
 logger.Debug("deleting benchmark policy...")
 if err := r.options.KibanaClient.DeletePolicy(ctx, policy.ID); err != nil {
 merr = append(merr, fmt.Errorf("error cleaning up benchmark policy: %w", err))
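Review bot: The revert turns `return nil, fmt.Errorf("failed to create benchmark policy: %w", err)` back into a bare `return nil, err`, and the new `createPackagePolicy` call returns the bare error as well, so a failure surfaces without saying which of the two Fleet calls failed. Keep the wrapping on both: `return nil, fmt.Errorf("failed to create benchmark policy: %w", err)` and `return nil, fmt.Errorf("failed to create package policy: %w", err)`. As before, the `createPackagePolicy` failure returns with the agent policy already created and no `r.deletePolicyHandler` yet registered; installing the handler right after `CreatePolicy` would cover that path. createBenchmarkPolicy continues outside the hunk.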
@@ -465,6 +522,49 @@ func (r *runner) createBenchmarkPolicy(ctx context.Context, pkgManifest *package return policy, nil } +func (r *runner) createPackagePolicy(ctx context.Context, pkgManifest *packages.PackageManifest, p *kibana.Policy) (*kibana.PackagePolicy, error) { + logger.Debug("creating package policy...") + + if r.scenario.Version == "" { + r.scenario.Version = pkgManifest.Version + } + + if r.scenario.Package == "" { + r.scenario.Package = pkgManifest.Name + } + + if r.scenario.PolicyTemplate == "" { + r.scenario.PolicyTemplate = pkgManifest.PolicyTemplates[0].Name + } + + pp := kibana.PackagePolicy{ + Namespace: "ep", + PolicyIDs: []string{p.ID}, + Force: true, + Inputs: map[string]kibana.PackagePolicyInput{ + fmt.Sprintf("%s-%s", r.scenario.PolicyTemplate, r.scenario.Input): { + Enabled: true, + Vars: r.scenario.Vars, + Streams: map[string]kibana.PackagePolicyStream{ + fmt.Sprintf("%s.%s", pkgManifest.Name, r.scenario.DataStream.Name): { + Enabled: true, + Vars: r.scenario.DataStream.Vars, + }, + }, + }, + }, + } + pp.Package.Name = pkgManifest.Name + pp.Package.Version = r.scenario.Version + + policy, err := r.options.KibanaClient.CreatePackagePolicy(ctx, pp) + if err != nil { + return nil, err + } + + return policy, nil +} + func (r *runner) initializeGenerator(ctx context.Context) (genlib.Generator, error) { totEvents := r.scenario.Corpora.Generator.TotalEvents diff --git a/internal/kibana/policies.go b/internal/kibana/policies.go index 846dfab233..811f955634 100644 --- a/internal/kibana/policies.go +++ b/internal/kibana/policies.go 
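Review bot: `r.scenario.PolicyTemplate = pkgManifest.PolicyTemplates[0].Name` indexes without a length check and panics on a package that declares no policy templates; guard it with `if len(pkgManifest.PolicyTemplates) == 0 { return nil, fmt.Errorf("package %s declares no policy templates", pkgManifest.Name) }`. The `Version` and `Package` defaults duplicate the ones setUp applies in the hunk at line 184 of this commit, so one of the two copies can go. `Namespace: "ep"` is hard-coded while the agent policy's namespace is set in the part of `createBenchmarkPolicy` outside this hunk; if the package policy must share the policy's namespace, `p.Namespace` is the value to use here.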
@@ -259,11 +259,12 @@ func (c *Client) AddPackageDataStreamToPolicy(ctx context.Context, r PackageData
 // PackagePolicy represents an Package Policy in Fleet.
 type PackagePolicy struct {
- ID string `json:"id,omitempty"`
- Name string `json:"name"`
- Description string `json:"description"`
- Namespace string `json:"namespace"`
- PolicyID string `json:"policy_id"`
+ ID string `json:"id,omitempty"`
+ Name string `json:"name"`
+ Description string `json:"description"`
+ Namespace string `json:"namespace"`
+ PolicyIDs []string `json:"policy_ids,omitempty"`
+ PolicyID string `json:"policy_id,omitempty"` // Deprecated: use PolicyIDs
 Package struct {
 Name string `json:"name"`
 Version string `json:"version"`
@@ -379,3 +380,17 @@ func (c *Client) UpgradePackagePolicyToLatest(ctx context.Context, policyIDs ...
 }
 return nil
 }
+
+// DeletePackagePolicy removes the given Package Policy from Fleet.
+func (c *Client) DeletePackagePolicy(ctx context.Context, p PackagePolicy) error {
+ statusCode, respBody, err := c.delete(ctx, path.Join(FleetAPI, "package_policies", p.ID))
+ if err != nil {
+ return fmt.Errorf("could not delete package policy: %w", err)
+ }
+
+ if statusCode != http.StatusOK {
+ return fmt.Errorf("could not delete package policy; API status code = %d; response body = %s", statusCode, respBody)
+ }
+
+ return nil
+}
From 8d1dea6aa1b3b4de86fe7677bf531be115c55e9c Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Fri, 24 Oct 2025 11:47:00 +0200
Subject: [PATCH 11/23] Update test package benchmark files
---
 .../_dev/benchmark/system/alert-benchmark.yml | 2 +-
 .../system/alert-benchmark/template.ndjson | 185 +-
 .../system/deploy/docker/docker-compose.yml | 3 +-
 .../system/deploy/docker/files/config.yml | 1848 +----------------
 4 files changed, 34 insertions(+), 2004 deletions(-)
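Review bot: `// Deprecated: use PolicyIDs` as a trailing comment on the `PolicyID` field is not recognised by Go tooling; the convention is a doc comment above the field whose paragraph starts with `Deprecated:`, e.g. `// PolicyID is the single agent policy ID.` / `//` / `// Deprecated: use PolicyIDs.`, so staticcheck and gopls flag remaining users. With both fields `omitempty`, a caller that sets neither sends a package policy bound to no agent policy and the API decides what that means; a sentence on the struct doc saying which field callers should populate would avoid that.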
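Review bot: `DeletePackagePolicy` joins `p.ID` into the request path unchecked, so an empty ID turns the call into `DELETE …/package_policies`, a different endpoint, instead of failing locally with a clear message; add `if p.ID == "" { return fmt.Errorf("could not delete package policy: empty ID") }` before the `c.delete` call. The non-200 error embeds the whole `respBody`, which is useful for diagnostics but unbounded in size; truncating it is optional.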
diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/alert-benchmark.yml b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/alert-benchmark.yml index 31af5ee7a1..5896a33923 100644 --- a/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/alert-benchmark.yml +++ b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/alert-benchmark.yml @@ -1,7 +1,7 @@ --- description: Benchmark 100000 alert events ingested input: httpjson -# policy_template: sentinel_one +policy_template: sentinel_one vars: url: "http://svc-sentinel_one:8080/" api_token: xxxx diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/alert-benchmark/template.ndjson b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/alert-benchmark/template.ndjson index 3daf057591..f3b242af88 100644 --- a/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/alert-benchmark/template.ndjson +++ b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/alert-benchmark/template.ndjson @@ -1,4 +1,3 @@ -{{- $timestamp := generate "timestamp" }} {{- /* Agent Data */ -}} {{- $accountId := generate "agentInfo.accountId" }} {{- $agentId := generate "agentInfo.id" }} 
@@ -75,186 +74,4 @@ {{- $scopeLevel := generate "ruleInfo.scopeLevel" }} {{- $severity := generate "ruleInfo.severity" }} {{- $treatAsThreat := generate "ruleInfo.treatAsThreat" }} -{{- /* -{ - "agentDetectionInfo": { - "accountId": "{{ $accountId }}", - "machineType": "{{ $machineType }}", - "name": "{{ $agentName }}", - "osFamily": "{{ $osFamily }}", - "osName": "{{ $osName }}", - "osRevision": "{{ $osRevision }}", - "siteId": "{{ $siteId }}", - "uuid": "{{ $uuid }}", - "version": "{{ $version }}" - }, - "agentRealtimeInfo": { - "id": "{{ $agentId }}", - "infected": {{ $infected }}, - "isActive": {{ $isActive }}, - "isDecommissioned": {{ $isDecommissioned }}, - "machineType": "{{ $machineType }}", - "name": "{{ $agentName }}", - "os": "{{ $osFamily }}", - "uuid": "{{ $uuid }}" - }, - "alertInfo": { - "alertId": "{{ $alertId }}", - "analystVerdict": "{{ $analystVerdict }}", - "createdAt": "{{ $createdAt }}", - "dnsRequest": "type: 1 {{ $domain }}", - "dnsResponse": "{{ $ipAddress }};", - "dstIp": "{{ $ipAddress }}", - "dstPort": "{{ $port }}", - "dvEventId": "{{ $dvEventId }}", - "eventType": "{{ $eventType }}", - "hitType": "{{ $hitType }}", - "incidentStatus": "{{ $incidentStatus }}", - "indicatorCategory": "{{ $indicatorCategory }}", - "indicatorDescription": "{{ $indicatorDescription }}", - "indicatorName": "{{ $indicatorName }}", - "isEdr": {{ $isEdr }}, - "loginAccountDomain": null, - "loginAccountSid": null, - "loginIsAdministratorEquivalent": null, - "loginIsSuccessful": null, - "loginType": null, - "loginsUserName": null, - "modulePath": null, - "moduleSha1": null, - "netEventDirection": null, - "registryKeyPath": null, - "registryOldValue": null, - "registryOldValueType": null, - "registryPath": null, - "registryValue": null, - "reportedAt": "{{ $reportedAt }}", - "source": "{{ $source }}", - "srcIp": "{{ $ipAddress }}", - "srcMachineIp": "{{ $ipAddress}}", - "srcPort": "{{ $port }}", - "tiIndicatorComparisonMethod": null, - "tiIndicatorSource": null, - 
"tiIndicatorType": null, - "tiIndicatorValue": null, - "updatedAt": "{{ $updatedAt }}" - }, - "containerInfo": { - "id": null, - "image": null, - "labels": null, - "name": null - }, - "kubernetesInfo": { - "cluster": null, - "controllerKind": null, - "controllerLabels": null, - "controllerName": null, - "namespace": null, - "namespaceLabels": null, - "node": null, - "pod": null, - "podLabels": null - }, - "ruleInfo": { - "description": "{{ $description }}", - "id": "{{ $ruleId }}", - "name": "{{ $ruleName }}", - "queryLang": "{{ $queryLang }}", - "queryType": "{{ $queryType }}", - "s1ql": "{{ $s1ql }}", - "scopeLevel": "{{ $scopeLevel }}", - "severity": "{{ $severity }}", - "treatAsThreat": "{{ $treatAsThreat }}" - }, - "sourceParentProcessInfo": { - "commandline": "{{ $filePath }}", - "effectiveUser": "{{ $effectiveUser }}", - "fileHashMd5": "{{ $fileHashMd5 }}", - "fileHashSha1": "{{ $fileHashSha1 }}", - "fileHashSha256": "{{ $fileHashSha256 }}", - "filePath": "{{ $filePath }}", - "fileSignerIdentity": "{{ $fileSignerIdentity }}", - "integrityLevel": "{{ $integrityLevel }}", - "loginUser": "{{ $loginUser }}", - "name": "{{ $processName }}", - "pid": "{{ $pid }}", - "pidStarttime": "{{ $pidStarttime }}", - "realUser": "{{ $realUser }}", - "storyline": "{{ $storyline }}", - "subsystem": "{{ $subsystem }}", - "uniqueId": "{{ $uniqueId }}", - "user": "{{ $user }}" - }, - "sourceProcessInfo": { - "commandline": "{{ $filePath }}", - "effectiveUser": "{{ $effectiveUser }}", - "fileHashMd5": "{{ $fileHashMd5 }}", - "fileHashSha1": "{{ $fileHashSha1 }}", - "fileHashSha256": "{{ $fileHashSha256 }}", - "filePath": "{{ $filePath }}", - "fileSignerIdentity": "{{ $fileSignerIdentity }}", - "integrityLevel": "{{ $integrityLevel }}", - "loginUser": "{{ $loginUser }}", - "name": "{{ $processName }}", - "pid": "{{ $pid }}", - "pidStarttime": "{{ $pidStarttime }}", - "realUser": "{{ $realUser }}", - "storyline": "{{ $storyline }}", - "subsystem": "{{ $subsystem }}", - "uniqueId": 
"{{ $uniqueId }}", - "user": "{{ $user }}" - }, - "targetProcessInfo": { - "tgtFileCreatedAt": "{{ $tgtFileCreatedAt }}", - "tgtFileHashSha1": "{{ $tgtFileHashSha1 }}", - "tgtFileHashSha256": "{{ $tgtFileHashSha256 }}", - "tgtFileId": "{{ $tgtFileId }}", - "tgtFileIsSigned": "{{ $tgtFileIsSigned }}", - "tgtFileModifiedAt": "{{ $tgtFileModifiedAt }}", - "tgtFileOldPath": "{{ $tgtFileOldPath }}", - "tgtFilePath": "{{ $tgtFilePath }}", - "tgtProcCmdLine": "{{ $tgtProcCmdLine }}", - "tgtProcImagePath": "{{ $tgtProcImagePath }}", - "tgtProcIntegrityLevel": "{{ $tgtProcIntegrityLevel }}", - "tgtProcName": "{{ $tgtProcName }}", - "tgtProcPid": "{{ $tgtProcPid }}", - "tgtProcSignedStatus": "{{ $tgtProcSignedStatus }}", - "tgtProcStorylineId": "{{ $tgtProcStorylineId }}", - "tgtProcUid": "{{ $tgtProcUid }}", - "tgtProcessStartTime": "{{ $tgtProcessStartTime }}" - } -} -*/ -}} -{ - "@timestamp": "{{ $timestamp.Format "2006-01-02T15:04:05.999999Z07:00" }}", - "agent": { - "ephemeral_id": "cdaaaabb-be7e-432f-816b-bda019fd7c15", - "id": "da6cb4c8-c84c-4c5f-97c7-f8586a098af4", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.18.0" - }, - "data_stream": { - "dataset": "sentinel_one.alert", - "namespace": "93724", - "type": "logs" - }, - "elastic_agent": { - "id": "da6cb4c8-c84c-4c5f-97c7-f8586a098af4", - "snapshot": false, - "version": "8.18.0" - }, - "message": "{\"agentDetectionInfo\":{\"accountId\":\"{{ $accountId }}\",\"machineType\":\"{{ $machineType }}\",\"name\":\"{{ $agentName }}\",\"osFamily\":\"{{ $osFamily }}\",\"osName\":\"{{ $osName }}\",\"osRevision\":\"{{ $osRevision }}\",\"siteId\":\"{{ $siteId }}\",\"uuid\":\"{{ $uuid }}\",\"version\":\"{{ $version }}\"},\"agentRealtimeInfo\":{\"id\":\"{{ $agentId }}\",\"infected\":{{ $infected }},\"isActive\":{{ $isActive }},\"isDecommissioned\":{{ $isDecommissioned }},\"machineType\":\"{{ $machineType }}\",\"name\":\"{{ $agentName }}\",\"os\":\"{{ $osFamily }}\",\"uuid\":\"{{ $uuid 
}}\"},\"alertInfo\":{\"alertId\":\"{{ $alertId }}\",\"analystVerdict\":\"{{ $analystVerdict }}\",\"createdAt\":\"{{ $createdAt }}\",\"dnsRequest\":\"type: 1 {{ $domain }}\",\"dnsResponse\":\"{{ $ipAddress }};\",\"dstIp\":\"{{ $ipAddress }}\",\"dstPort\":\"{{ $port }}\",\"dvEventId\":\"{{ $dvEventId }}\",\"eventType\":\"{{ $eventType }}\",\"hitType\":\"{{ $hitType }}\",\"incidentStatus\":\"{{ $incidentStatus }}\",\"indicatorCategory\":\"{{ $indicatorCategory }}\",\"indicatorDescription\":\"{{ $indicatorDescription }}\",\"indicatorName\":\"{{ $indicatorName }}\",\"isEdr\":{{ $isEdr }},\"loginAccountDomain\":null,\"loginAccountSid\":null,\"loginIsAdministratorEquivalent\":null,\"loginIsSuccessful\":null,\"loginType\":null,\"loginsUserName\":null,\"modulePath\":null,\"moduleSha1\":null,\"netEventDirection\":null,\"registryKeyPath\":null,\"registryOldValue\":null,\"registryOldValueType\":null,\"registryPath\":null,\"registryValue\":null,\"reportedAt\":\"{{ $reportedAt }}\",\"source\":\"{{ $source }}\",\"srcIp\":\"{{ $ipAddress }}\",\"srcMachineIp\":\"{{ $ipAddress}}\",\"srcPort\":\"{{ $port }}\",\"tiIndicatorComparisonMethod\":null,\"tiIndicatorSource\":null,\"tiIndicatorType\":null,\"tiIndicatorValue\":null,\"updatedAt\":\"{{ $updatedAt }}\"},\"containerInfo\":{\"id\":null,\"image\":null,\"labels\":null,\"name\":null},\"kubernetesInfo\":{\"cluster\":null,\"controllerKind\":null,\"controllerLabels\":null,\"controllerName\":null,\"namespace\":null,\"namespaceLabels\":null,\"node\":null,\"pod\":null,\"podLabels\":null},\"ruleInfo\":{\"description\":\"{{ $description }}\",\"id\":\"{{ $ruleId }}\",\"name\":\"{{ $ruleName }}\",\"queryLang\":\"{{ $queryLang }}\",\"queryType\":\"{{ $queryType }}\",\"s1ql\":\"{{ $s1ql }}\",\"scopeLevel\":\"{{ $scopeLevel }}\",\"severity\":\"{{ $severity }}\",\"treatAsThreat\":\"{{ $treatAsThreat }}\"},\"sourceParentProcessInfo\":{\"commandline\":\"{{ $filePath }}\",\"effectiveUser\":\"{{ $effectiveUser }}\",\"fileHashMd5\":\"{{ $fileHashMd5 
}}\",\"fileHashSha1\":\"{{ $fileHashSha1 }}\",\"fileHashSha256\":\"{{ $fileHashSha256 }}\",\"filePath\":\"{{ $filePath }}\",\"fileSignerIdentity\":\"{{ $fileSignerIdentity }}\",\"integrityLevel\":\"{{ $integrityLevel }}\",\"loginUser\":\"{{ $loginUser }}\",\"name\":\"{{ $processName }}\",\"pid\":\"{{ $pid }}\",\"pidStarttime\":\"{{ $pidStarttime }}\",\"realUser\":\"{{ $realUser }}\",\"storyline\":\"{{ $storyline }}\",\"subsystem\":\"{{ $subsystem }}\",\"uniqueId\":\"{{ $uniqueId }}\",\"user\":\"{{ $user }}\"},\"sourceProcessInfo\":{\"commandline\":\"{{ $filePath }}\",\"effectiveUser\":\"{{ $effectiveUser }}\",\"fileHashMd5\":\"{{ $fileHashMd5 }}\",\"fileHashSha1\":\"{{ $fileHashSha1 }}\",\"fileHashSha256\":\"{{ $fileHashSha256 }}\",\"filePath\":\"{{ $filePath }}\",\"fileSignerIdentity\":\"{{ $fileSignerIdentity }}\",\"integrityLevel\":\"{{ $integrityLevel }}\",\"loginUser\":\"{{ $loginUser }}\",\"name\":\"{{ $processName }}\",\"pid\":\"{{ $pid }}\",\"pidStarttime\":\"{{ $pidStarttime }}\",\"realUser\":\"{{ $realUser }}\",\"storyline\":\"{{ $storyline }}\",\"subsystem\":\"{{ $subsystem }}\",\"uniqueId\":\"{{ $uniqueId }}\",\"user\":\"{{ $user }}\"},\"targetProcessInfo\":{\"tgtFileCreatedAt\":\"{{ $tgtFileCreatedAt }}\",\"tgtFileHashSha1\":\"{{ $tgtFileHashSha1 }}\",\"tgtFileHashSha256\":\"{{ $tgtFileHashSha256 }}\",\"tgtFileId\":\"{{ $tgtFileId }}\",\"tgtFileIsSigned\":\"{{ $tgtFileIsSigned }}\",\"tgtFileModifiedAt\":\"{{ $tgtFileModifiedAt }}\",\"tgtFileOldPath\":\"{{ $tgtFileOldPath }}\",\"tgtFilePath\":\"{{ $tgtFilePath }}\",\"tgtProcCmdLine\":\"{{ $tgtProcCmdLine }}\",\"tgtProcImagePath\":\"{{ $tgtProcImagePath }}\",\"tgtProcIntegrityLevel\":\"{{ $tgtProcIntegrityLevel }}\",\"tgtProcName\":\"{{ $tgtProcName }}\",\"tgtProcPid\":\"{{ $tgtProcPid }}\",\"tgtProcSignedStatus\":\"{{ $tgtProcSignedStatus }}\",\"tgtProcStorylineId\":\"{{ $tgtProcStorylineId }}\",\"tgtProcUid\":\"{{ $tgtProcUid }}\",\"tgtProcessStartTime\":\"{{ $tgtProcessStartTime }}\"}}", - "event": { 
- "dataset": "sentinel_one.alert" - }, - "input": { - "type": "httpjson" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "sentinel_one-alert" - ] -} +{"agentDetectionInfo":{"accountId":"{{ $accountId }}","machineType":"{{ $machineType }}","name":"{{ $agentName }}","osFamily":"{{ $osFamily }}","osName":"{{ $osName }}","osRevision":"{{ $osRevision }}","siteId":"{{ $siteId }}","uuid":"{{ $uuid }}","version":"{{ $version }}"},"agentRealtimeInfo":{"id":"{{ $agentId }}","infected":{{ $infected }},"isActive":{{ $isActive }},"isDecommissioned":{{ $isDecommissioned }},"machineType":"{{ $machineType }}","name":"{{ $agentName }}","os":"{{ $osFamily }}","uuid":"{{ $uuid }}"},"alertInfo":{"alertId":"{{ $alertId }}","analystVerdict":"{{ $analystVerdict }}","createdAt":"{{ $createdAt }}","dnsRequest":"type: 1 {{ $domain }}","dnsResponse":"{{ $ipAddress }};","dstIp":"{{ $ipAddress }}","dstPort":"{{ $port }}","dvEventId":"{{ $dvEventId }}","eventType":"{{ $eventType }}","hitType":"{{ $hitType }}","incidentStatus":"{{ $incidentStatus }}","indicatorCategory":"{{ $indicatorCategory }}","indicatorDescription":"{{ $indicatorDescription }}","indicatorName":"{{ $indicatorName }}","isEdr":{{ $isEdr }},"loginAccountDomain":null,"loginAccountSid":null,"loginIsAdministratorEquivalent":null,"loginIsSuccessful":null,"loginType":null,"loginsUserName":null,"modulePath":null,"moduleSha1":null,"netEventDirection":null,"registryKeyPath":null,"registryOldValue":null,"registryOldValueType":null,"registryPath":null,"registryValue":null,"reportedAt":"{{ $reportedAt }}","source":"{{ $source }}","srcIp":"{{ $ipAddress }}","srcMachineIp":"{{ $ipAddress}}","srcPort":"{{ $port }}","tiIndicatorComparisonMethod":null,"tiIndicatorSource":null,"tiIndicatorType":null,"tiIndicatorValue":null,"updatedAt":"{{ $updatedAt 
}}"},"containerInfo":{"id":null,"image":null,"labels":null,"name":null},"kubernetesInfo":{"cluster":null,"controllerKind":null,"controllerLabels":null,"controllerName":null,"namespace":null,"namespaceLabels":null,"node":null,"pod":null,"podLabels":null},"ruleInfo":{"description":"{{ $description }}","id":"{{ $ruleId }}","name":"{{ $ruleName }}","queryLang":"{{ $queryLang }}","queryType":"{{ $queryType }}","s1ql":"{{ $s1ql }}","scopeLevel":"{{ $scopeLevel }}","severity":"{{ $severity }}","treatAsThreat":"{{ $treatAsThreat }}"},"sourceParentProcessInfo":{"commandline":"{{ $filePath }}","effectiveUser":"{{ $effectiveUser }}","fileHashMd5":"{{ $fileHashMd5 }}","fileHashSha1":"{{ $fileHashSha1 }}","fileHashSha256":"{{ $fileHashSha256 }}","filePath":"{{ $filePath }}","fileSignerIdentity":"{{ $fileSignerIdentity }}","integrityLevel":"{{ $integrityLevel }}","loginUser":"{{ $loginUser }}","name":"{{ $processName }}","pid":"{{ $pid }}","pidStarttime":"{{ $pidStarttime }}","realUser":"{{ $realUser }}","storyline":"{{ $storyline }}","subsystem":"{{ $subsystem }}","uniqueId":"{{ $uniqueId }}","user":"{{ $user }}"},"sourceProcessInfo":{"commandline":"{{ $filePath }}","effectiveUser":"{{ $effectiveUser }}","fileHashMd5":"{{ $fileHashMd5 }}","fileHashSha1":"{{ $fileHashSha1 }}","fileHashSha256":"{{ $fileHashSha256 }}","filePath":"{{ $filePath }}","fileSignerIdentity":"{{ $fileSignerIdentity }}","integrityLevel":"{{ $integrityLevel }}","loginUser":"{{ $loginUser }}","name":"{{ $processName }}","pid":"{{ $pid }}","pidStarttime":"{{ $pidStarttime }}","realUser":"{{ $realUser }}","storyline":"{{ $storyline }}","subsystem":"{{ $subsystem }}","uniqueId":"{{ $uniqueId }}","user":"{{ $user }}"},"targetProcessInfo":{"tgtFileCreatedAt":"{{ $tgtFileCreatedAt }}","tgtFileHashSha1":"{{ $tgtFileHashSha1 }}","tgtFileHashSha256":"{{ $tgtFileHashSha256 }}","tgtFileId":"{{ $tgtFileId }}","tgtFileIsSigned":"{{ $tgtFileIsSigned }}","tgtFileModifiedAt":"{{ $tgtFileModifiedAt }}","tgtFileOldPath":"{{ 
$tgtFileOldPath }}","tgtFilePath":"{{ $tgtFilePath }}","tgtProcCmdLine":"{{ $tgtProcCmdLine }}","tgtProcImagePath":"{{ $tgtProcImagePath }}","tgtProcIntegrityLevel":"{{ $tgtProcIntegrityLevel }}","tgtProcName":"{{ $tgtProcName }}","tgtProcPid":"{{ $tgtProcPid }}","tgtProcSignedStatus":"{{ $tgtProcSignedStatus }}","tgtProcStorylineId":"{{ $tgtProcStorylineId }}","tgtProcUid":"{{ $tgtProcUid }}","tgtProcessStartTime":"{{ $tgtProcessStartTime }}"}}, diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/deploy/docker/docker-compose.yml b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/deploy/docker/docker-compose.yml index 48e601d938..2cafcccfa0 100644 --- a/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/deploy/docker/docker-compose.yml +++ b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/deploy/docker/docker-compose.yml @@ -1,12 +1,13 @@ version: "2.3" services: sentinel_one: - image: docker.elastic.co/observability/stream:v0.18.0 + image: docker.elastic.co/observability/stream:v0.20.0 hostname: sentinel_one ports: - 8080 volumes: - ./files:/files:ro + - ${SERVICE_LOGS_DIR}:/var/log environment: PORT: "8080" command: diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/deploy/docker/files/config.yml b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/deploy/docker/files/config.yml index 60a91a45e7..0401865b49 100644 --- a/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/deploy/docker/files/config.yml +++ b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/deploy/docker/files/config.yml 
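Review bot: The single rendered line now ends in `}},`, a trailing comma after the top-level object. If the generator writes one render per line into an ndjson body, every line is invalid JSON; if the runner joins renders into a JSON array this is deliberate, but either way a template comment such as `{{- /* trailing comma: renders are concatenated into a JSON array by the runner */ -}}` would stop the next reader from "fixing" it. Dropping the `@timestamp`, `data_stream` and `event` envelope means the document is now the raw alert as served by the mock API rather than a pre-shaped agent event, which matches the `policy_template: sentinel_one` change in alert-benchmark.yml and is worth a line in the commit message.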
@@ -1,1450 +1,68 @@ rules: - path: /web/api/v2.1/activities methods: ["GET"] - query_params: - sortOrder: asc - cursor: efgh - request_headers: - Authorization: - - "ApiToken xxxx" responses: - status_code: 200 body: |- - {{ minify_json ` - { - "data": [], - "pagination": { - "nextCursor": null, - "totalItems": 4 - } - } - `}} - - path: /web/api/v2.1/activities - methods: ["GET"] - query_params: - sortOrder: asc - cursor: abcd - request_headers: - Authorization: - - "ApiToken xxxx" - responses: - - status_code: 200 - body: |- - {{ minify_json ` - { - "data": [ - { - "accountId": "2234567890123456789", - "accountName": "Default5", - "activityType": 1234, - "agentId": null, - "agentUpdatedVersion": null, - "comments": "True", - "createdAt": "2022-04-21T05:14:08.925421Z", - "data": { - "accountName": "Default", - "byUser": "API", - "fullScopeDetails": "Account Default", - "fullScopeDetailsPath": "test/default", - "groupName": null, - "newValue": true, - "role": "Level", - "scopeLevel": "Account", - "scopeName": "Default", - "siteName": null, - "userScope": "account", - "username": "API" - }, - "description": "API", - "groupId": null, - "groupName": null, - "hash": null, - "id": "1234567890123456789", - "osFamily": null, - "primaryDescription": "The management user API enabled Two factor authentication on the user API.", - "secondaryDescription": null, - "siteId": null, - "siteName": null, - "threatId": null, - "updatedAt": "2022-04-18T05:14:08.922553Z", - "userId": "1234567890123456789" - }, - { - "accountId": "444567890123456789", - "accountName": "Default6", - "activityType": 1234, - "agentId": null, - "agentUpdatedVersion": null, - "comments": null, - "createdAt": "2022-04-22T05:14:09.240427Z", - "data": { - "accountName": "Default", - "fullScopeDetails": "Account Default", - "fullScopeDetailsPath": "test/default", - "groupName": null, - "ipAddress": "81.2.69.144", - "reason": null, - "role": "Level", - "scopeLevel": "Account", - "scopeName": "Default", - 
"siteName": null, - "source": "src", - "userScope": "account", - "username": "API" - }, - "description": null, - "groupId": null, - "groupName": null, - "hash": null, - "id": "1234567890123456789", - "osFamily": null, - "primaryDescription": "The management user API logged in to the management console with IP Address 81.2.69.144", - "secondaryDescription": null, - "siteId": null, - "siteName": null, - "threatId": null, - "updatedAt": "2022-04-18T05:14:09.238430Z", - "userId": "1234567890123456789" - } - ], - "pagination": { - "nextCursor": "efgh", - "totalItems": 4 - } - } - `}} - - path: /web/api/v2.1/activities - methods: ["GET"] - query_params: - sortOrder: asc - request_headers: - Authorization: - - "ApiToken xxxx" - responses: - - status_code: 200 - body: |- - {{ minify_json ` - { - "data": [ - { - "accountId": "3214567890123456789", - "accountName": "Default12", - "activityType": 1234, - "agentId": null, - "agentUpdatedVersion": null, - "comments": "True", - "createdAt": "2022-04-19T05:14:08.925421Z", - "data": { - "accountName": "Default", - "byUser": "API", - "fullScopeDetails": "Account Default", - "fullScopeDetailsPath": "test/default", - "groupName": null, - "newValue": true, - "role": "Level", - "scopeLevel": "Account", - "scopeName": "Default", - "siteName": null, - "userScope": "account", - "username": "API" - }, - "description": "API", - "groupId": null, - "groupName": null, - "hash": null, - "id": "1234567890123456789", - "osFamily": null, - "primaryDescription": "The management user API enabled Two factor authentication on the user API.", - "secondaryDescription": null, - "siteId": null, - "siteName": null, - "threatId": null, - "updatedAt": "2022-04-18T05:14:08.922553Z", - "userId": "1234567890123456789" - }, - { - "accountId": "1114567890123456789", - "accountName": "Default4", - "activityType": 1234, - "agentId": null, - "agentUpdatedVersion": null, - "comments": null, - "createdAt": "2022-04-20T05:14:09.240427Z", - "data": { - "accountName": 
"Default", - "fullScopeDetails": "Account Default", - "fullScopeDetailsPath": "test/default", - "groupName": null, - "ipAddress": "81.2.69.144", - "reason": null, - "role": "Level", - "scopeLevel": "Account", - "scopeName": "Default", - "siteName": null, - "source": "src", - "userScope": "account", - "username": "API" - }, - "description": null, - "groupId": null, - "groupName": null, - "hash": null, - "id": "1234567890123456789", - "osFamily": null, - "primaryDescription": "The management user API logged in to the management console with IP Address 81.2.69.144", - "secondaryDescription": null, - "siteId": null, - "siteName": null, - "threatId": null, - "updatedAt": "2022-04-18T05:14:09.238430Z", - "userId": "1234567890123456789" - } - ], - "pagination": { - "nextCursor": "abcd", - "totalItems": 4 - } - } - `}} - - path: /web/api/v2.1/agents - methods: ["GET"] - query_params: - sortOrder: asc - cursor: efgh - request_headers: - Authorization: - - "ApiToken xxxx" - responses: - - status_code: 200 - body: |- - {{ minify_json ` - { - "data": [], - "pagination": { - "nextCursor": null, - "totalItems": 2 - } - } - `}} - - path: /web/api/v2.1/agents - methods: ["GET"] - query_params: - sortOrder: asc - cursor: abcd - request_headers: - Authorization: - - "ApiToken xxxx" - responses: - - status_code: 200 - body: |- - {{ minify_json ` { "data": [ - { - "accountId": "9898123451234512345", - "accountName": "DEF", - "activeDirectory": { - "computerDistinguishedName": null, - "computerMemberOf": [], - "lastUserDistinguishedName": null, - "lastUserMemberOf": [] - }, - "activeThreats": 7, - "agentVersion": "12.x.x.x", - "allowRemoteShell": true, - "appsVulnerabilityStatus": "not_applicable", - "cloudProviders": {}, - "computerName": "user-test", - "consoleMigrationStatus": "N/A", - "coreCount": 2, - "missingPermissions": [ - "user-action-needed-bluetooth-per", - "user_action_needed_fda" - ], - "cpuCount": 2, - "cpuId": "CPU Name", - "createdAt": "2022-03-19T09:12:00.519500Z", - 
"detectionState": null, - "domain": "WORKGROUP", - "encryptedApplications": false, - "externalId": "", - "externalIp": "81.2.69.143", - "firewallEnabled": true, - "firstFullModeTime": null, - "groupId": "1234567890123456789", - "groupIp": "81.2.69.144", - "groupName": "Default Group", - "id": "13491234512345", - "inRemoteShellSession": false, - "infected": true, - "installerType": ".msi", - "isActive": true, - "isDecommissioned": false, - "isPendingUninstall": false, - "isUninstalled": false, - "isUpToDate": true, - "lastActiveDate": "2022-03-17T09:51:28.506000Z", - "lastIpToMgmt": "81.2.69.145", - "lastLoggedInUserName": "", - "licenseKey": "", - "locationEnabled": true, - "locationType": "not_applicable", - "locations": null, - "machineType": "server", - "mitigationMode": "detect", - "mitigationModeSuspicious": "detect", - "modelName": "Compute Engine", - "networkInterfaces": [ - { - "gatewayIp": "81.2.69.145", - "gatewayMacAddress": "00-00-5E-00-53-00", - "id": "1234567890123456789", - "inet": [ - "81.2.69.144" - ], - "inet6": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ], - "name": "Ethernet", - "physical": "00-00-5E-00-53-00" - } - ], - "networkQuarantineEnabled": false, - "networkStatus": "connected", - "operationalState": "na", - "operationalStateExpiration": null, - "osArch": "64 bit", - "osName": "Linux Server", - "osRevision": "1234", - "osStartTime": "2022-04-06T08:27:14Z", - "osType": "linux", - "osUsername": null, - "rangerStatus": "Enabled", - "rangerVersion": "21.x.x.x", - "registeredAt": "2022-04-06T08:26:45.515278Z", - "remoteProfilingState": "disabled", - "remoteProfilingStateExpiration": null, - "scanAbortedAt": null, - "scanFinishedAt": "2022-04-06T09:18:21.090855Z", - "scanStartedAt": "2022-04-06T08:26:52.838047Z", - "scanStatus": "finished", - "siteId": "1234567890123456789", - "siteName": "Default site", - "storageName": null, - "storageType": null, - "tags": { - "sentinelone": [ - { - "assignedBy": "test-user", - "assignedAt": 
"2018-02-27T04:49:26.257525Z", - "key": "key123", - "assignedById": "123456789012345678", - "id": "123456789012345678", - "value": "value123" - } - ] - }, - "threatRebootRequired": false, - "totalMemory": 1234, - "updatedAt": "2022-04-07T08:31:47.481227Z", - "userActionsNeeded": [ - "reboot_needed" - ], - "uuid": "XXX35XXX8Xfb4aX0X1X8X12X343X8X30" - } + {{/* Comma is added at the end of each line inside the template to preserve JSON format */}} + {{- $g := glob "/var/log/corpus-*" -}} + {{- range $g -}} + {{- file . -}} + {{- end -}} + {{/* A last line of hard-coded data is required to properly close the JSON body */}} + {"accountId":"1234567890123456789","accountName":"Default","activityType":1234,"agentId":null,"agentUpdatedVersion":null,"comments":"True","createdAt":"2022-04-18T05:14:08.925421Z","data":{"accountName":"Default","byUser":"API","fullScopeDetails":"Account Default","fullScopeDetailsPath":"test/default","groupName":null,"newValue":true,"role":"Level","scopeLevel":"Account","scopeName":"Default","siteName":null,"userScope":"account","username":"API"},"description":"API","groupId":null,"groupName":null,"hash":null,"id":"1234567890123456789","osFamily":null,"primaryDescription":"The management user API enabled Two factor authentication on the user API.","secondaryDescription":null,"siteId":null,"siteName":null,"threatId":null,"updatedAt":"2022-04-18T05:14:08.922553Z","userId":"1234567890123456789"} ], "pagination": { - "nextCursor": "efgh", - "totalItems": 2 + "nextCursor": null } } - `}} - path: /web/api/v2.1/agents methods: ["GET"] - query_params: - sortOrder: asc - request_headers: - Authorization: - - "ApiToken xxxx" - responses: - - status_code: 200 - body: |- - {{ minify_json ` - { - "data": [ - { - "accountId": "892341123451234512345", - "accountName": "ABC", - "activeDirectory": { - "computerDistinguishedName": null, - "computerMemberOf": [], - "lastUserDistinguishedName": null, - "lastUserMemberOf": [] - }, - "activeThreats": 7, - 
"agentVersion": "12.x.x.x", - "allowRemoteShell": true, - "appsVulnerabilityStatus": "not_applicable", - "cloudProviders": {}, - "computerName": "user-test", - "consoleMigrationStatus": "N/A", - "coreCount": 2, - "missingPermissions": [ - "user-action-needed-bluetooth-per", - "user_action_needed_fda" - ], - "cpuCount": 2, - "cpuId": "CPU Name", - "createdAt": "2022-03-18T09:12:00.519500Z", - "detectionState": null, - "domain": "WORKGROUP", - "encryptedApplications": false, - "externalId": "", - "externalIp": "81.2.69.143", - "firewallEnabled": true, - "firstFullModeTime": null, - "groupId": "1234567890123456789", - "groupIp": "81.2.69.144", - "groupName": "Default Group", - "id": "13491234512345", - "inRemoteShellSession": false, - "infected": true, - "installerType": ".msi", - "isActive": true, - "isDecommissioned": false, - "isPendingUninstall": false, - "isUninstalled": false, - "isUpToDate": true, - "lastActiveDate": "2022-03-17T09:51:28.506000Z", - "lastIpToMgmt": "81.2.69.145", - "lastLoggedInUserName": "", - "licenseKey": "", - "locationEnabled": true, - "locationType": "not_applicable", - "locations": null, - "machineType": "server", - "mitigationMode": "detect", - "mitigationModeSuspicious": "detect", - "modelName": "Compute Engine", - "networkInterfaces": [ - { - "gatewayIp": "81.2.69.145", - "gatewayMacAddress": "00-00-5E-00-53-00", - "id": "1234567890123456789", - "inet": [ - "81.2.69.144" - ], - "inet6": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ], - "name": "Ethernet", - "physical": "00-00-5E-00-53-00" - } - ], - "networkQuarantineEnabled": false, - "networkStatus": "connected", - "operationalState": "na", - "operationalStateExpiration": null, - "osArch": "64 bit", - "osName": "Linux Server", - "osRevision": "1234", - "osStartTime": "2022-04-06T08:27:14Z", - "osType": "linux", - "osUsername": null, - "rangerStatus": "Enabled", - "rangerVersion": "21.x.x.x", - "registeredAt": "2022-04-06T08:26:45.515278Z", - "remoteProfilingState": "disabled", - 
"remoteProfilingStateExpiration": null, - "scanAbortedAt": null, - "scanFinishedAt": "2022-04-06T09:18:21.090855Z", - "scanStartedAt": "2022-04-06T08:26:52.838047Z", - "scanStatus": "finished", - "siteId": "1234567890123456789", - "siteName": "Default site", - "storageName": null, - "storageType": null, - "tags": { - "sentinelone": [ - { - "assignedBy": "test-user", - "assignedAt": "2018-02-27T04:49:26.257525Z", - "key": "key123", - "assignedById": "123456789012345678", - "id": "123456789012345678", - "value": "value123" - } - ] - }, - "threatRebootRequired": false, - "totalMemory": 1234, - "updatedAt": "2022-04-07T08:31:47.481227Z", - "userActionsNeeded": [ - "reboot_needed" - ], - "uuid": "XXX35XXX8Xfb4aX0X1X8X12X343X8X30" - } - ], - "pagination": { - "nextCursor": "abcd", - "totalItems": 2 - } - } - `}} - - path: /web/api/v2.1/cloud-detection/alerts - methods: ["GET"] - query_params: - sortOrder: asc - cursor: efgh - request_headers: - Authorization: - - "ApiToken xxxx" - responses: - - status_code: 200 - body: |- - {{ minify_json ` - { - "data": [], - "pagination": { - "totalItems": 2, - "nextCursor": null - }, - "errors": [ - {} - ] - } - `}} - - path: /web/api/v2.1/cloud-detection/alerts - methods: ["GET"] - query_params: - sortOrder: asc - cursor: abcd - request_headers: - Authorization: - - "ApiToken xxxx" responses: - status_code: 200 - body: |- - {{ minify_json ` - { - "data": [ - { - "targetProcessInfo": { - "tgtFileCreatedAt": "2018-02-28T05:49:26.257525Z", - "tgtFileIsSigned": "string", - "tgtFileOldPath": "string", - "tgtProcImagePath": "string", - "tgtProcSignedStatus": "string", - "tgtFileHashSha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", - "tgtProcStorylineId": "string", - "tgtProcPid": "12345", - "tgtProcCmdLine": "string", - "tgtProcName": "string", - "tgtFileModifiedAt": "2018-02-27T04:49:26.257525Z", - "tgtFileId": "string", - "tgtProcIntegrityLevel": "unknown", - "tgtFileHashSha1": 
"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", - "tgtProcUid": "string", - "tgtProcessStartTime": "2018-02-27T04:49:26.257525Z", - "tgtFilePath": "string" - }, - "alertInfo": { - "createdAt": "2018-02-28T06:49:26.257525Z", - "srcIp": "81.2.69.142", - "incidentStatus": "string", - "registryOldValue": "string", - "alertId": "123456789123456789", - "dstPort": "1234", - "indicatorName": "string", - "registryPath": "string", - "loginType": "string", - "dstIp": "81.2.69.144", - "updatedAt": "2018-02-27T04:49:26.257525Z", - "indicatorDescription": "string", - "loginsUserName": "string", - "loginIsSuccessful": "string", - "indicatorCategory": "string", - "modulePath": "string", - "loginAccountSid": "string", - "dnsResponse": "string", - "netEventDirection": "string", - "registryValue": "string", - "srcMachineIp": "81.2.69.142", - "registryOldValueType": "string", - "eventType": "info", - "analystVerdict": "string", - "dvEventId": "string", - "dnsRequest": "string", - "loginIsAdministratorEquivalent": "string", - "loginAccountDomain": "string", - "tiIndicatorType": "string", - "moduleSha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", - "source": "string", - "srcPort": "1234", - "tiIndicatorValue": "string", - "tiIndicatorSource": "string", - "reportedAt": "2018-02-27T04:49:26.257525Z", - "registryKeyPath": "string", - "tiIndicatorComparisonMethod": "string", - "hitType": "Events" - }, - "sourceProcessInfo": { - "integrityLevel": "unknown", - "pid": "12345", - "fileHashMd5": "5d41402abc4b2a76b9719d911017c592", - "filePath": "string", - "fileSignerIdentity": "string", - "pidStarttime": "2018-02-27T04:49:26.257525Z", - "storyline": "string", - "fileHashSha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", - "uniqueId": "string", - "user": "string", - "commandline": "string", - "name": "string", - "fileHashSha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", - "subsystem": "unknown" - }, - "ruleInfo": { - "severity": "Low", - "treatAsThreat": "UNDEFINED", - 
"id": "string", - "scopeLevel": "string", - "name": "string", - "description": "string" - }, - "sourceParentProcessInfo": { - "integrityLevel": "unknown", - "pid": "12345", - "fileHashMd5": "5d41402abc4b2a76b9719d911017c592", - "filePath": "string", - "fileSignerIdentity": "string", - "pidStarttime": "2018-02-27T04:49:26.257525Z", - "storyline": "string", - "fileHashSha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", - "uniqueId": "string", - "user": "string", - "commandline": "string", - "name": "string", - "fileHashSha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", - "subsystem": "unknown" - }, - "agentDetectionInfo": { - "osFamily": "string", - "uuid": "string", - "osName": "string", - "version": "3.x.x.x", - "siteId": "123456789123456789", - "name": "string", - "machineType": "string", - "osRevision": "string" - }, - "kubernetesInfo": { - "controllerName": "string", - "node": "string", - "namespace": "string", - "namespaceLabels": "string", - "pod": "string", - "controllerLabels": "string", - "controllerKind": "string", - "cluster": "string", - "podLabels": "string" - }, - "containerInfo": { - "id": "string", - "name": "string", - "image": "string", - "labels": "string" - } - } - ], - "pagination": { - "totalItems": 2, - "nextCursor": "efgh" - }, - "errors": [ - {} - ] - } - `}} + body: | + {"data":[{"accountId":"12345123451234512345","accountName":"Account Name","activeDirectory":{"computerDistinguishedName":null,"computerMemberOf":[],"lastUserDistinguishedName":null,"lastUserMemberOf":[]},"activeThreats":7,"agentVersion":"12.x.x.x","allowRemoteShell":true,"appsVulnerabilityStatus":"not_applicable","cloudProviders":{},"computerName":"user-test","consoleMigrationStatus":"N/A","coreCount":2,"missingPermissions":["user-action-needed-bluetooth-per","user_action_needed_fda"],"cpuCount":2,"cpuId":"CPU 
Name","createdAt":"2022-03-18T09:12:00.519500Z","detectionState":null,"domain":"WORKGROUP","encryptedApplications":false,"externalId":"","externalIp":"81.2.69.143","firewallEnabled":true,"firstFullModeTime":null,"groupId":"1234567890123456789","groupIp":"81.2.69.144","groupName":"Default Group","id":"13491234512345","inRemoteShellSession":false,"infected":true,"installerType":".msi","isActive":true,"isDecommissioned":false,"isPendingUninstall":false,"isUninstalled":false,"isUpToDate":true,"lastActiveDate":"2022-03-17T09:51:28.506000Z","lastIpToMgmt":"81.2.69.145","lastLoggedInUserName":"","licenseKey":"","locationEnabled":true,"locationType":"not_applicable","locations":null,"machineType":"server","mitigationMode":"detect","mitigationModeSuspicious":"detect","modelName":"Compute Engine","networkInterfaces":[{"gatewayIp":"81.2.69.145","gatewayMacAddress":"00-00-5E-00-53-00","id":"1234567890123456789","inet":["81.2.69.144"],"inet6":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"],"name":"Ethernet","physical":"00-00-5E-00-53-00"}],"networkQuarantineEnabled":false,"networkStatus":"connected","operationalState":"na","operationalStateExpiration":null,"osArch":"64 bit","osName":"Linux Server","osRevision":"1234","osStartTime":"2022-04-06T08:27:14Z","osType":"linux","osUsername":null,"rangerStatus":"Enabled","rangerVersion":"21.x.x.x","registeredAt":"2022-04-06T08:26:45.515278Z","remoteProfilingState":"disabled","remoteProfilingStateExpiration":null,"scanAbortedAt":null,"scanFinishedAt":"2022-04-06T09:18:21.090855Z","scanStartedAt":"2022-04-06T08:26:52.838047Z","scanStatus":"finished","siteId":"1234567890123456789","siteName":"Default 
site","storageName":null,"storageType":null,"tags":{"sentinelone":[{"assignedBy":"test-user","assignedAt":"2018-02-27T04:49:26.257525Z","key":"key123","assignedById":"123456789012345678","id":"123456789012345678","value":"value123"}]},"threatRebootRequired":false,"totalMemory":1234,"updatedAt":"2022-04-07T08:31:47.481227Z","userActionsNeeded":["reboot_needed"],"uuid":"XXX35XXX8Xfb4aX0X1X8X12X343X8X30"}],"pagination":{"nextCursor":null,"totalItems":1}} - path: /web/api/v2.1/cloud-detection/alerts methods: ["GET"] - query_params: - sortOrder: asc - request_headers: - Authorization: - - "ApiToken xxxx" responses: - status_code: 200 body: | - {{ minify_json ` - { - "data": [ - { - "targetProcessInfo": { - "tgtFileCreatedAt": "2018-02-27T04:49:26.257525Z", - "tgtFileIsSigned": "string", - "tgtFileOldPath": "string", - "tgtProcImagePath": "string", - "tgtProcSignedStatus": "string", - "tgtFileHashSha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", - "tgtProcStorylineId": "string", - "tgtProcPid": "12345", - "tgtProcCmdLine": "string", - "tgtProcName": "string", - "tgtFileModifiedAt": "2018-02-27T04:49:26.257525Z", - "tgtFileId": "string", - "tgtProcIntegrityLevel": "unknown", - "tgtFileHashSha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", - "tgtProcUid": "string", - "tgtProcessStartTime": "2018-02-27T04:49:26.257525Z", - "tgtFilePath": "string" - }, - "alertInfo": { - "createdAt": "2018-02-27T04:49:26.257525Z", - "srcIp": "81.2.69.142", - "incidentStatus": "open", - "registryOldValue": "string", - "alertId": "888456789123456789", - "dstPort": "1234", - "indicatorName": "string", - "registryPath": "string", - "loginType": "login", - "dstIp": "81.2.69.144", - "updatedAt": "2018-02-27T04:49:26.257525Z", - "indicatorDescription": "string", - "loginsUserName": "string", - "loginIsSuccessful": "string", - "indicatorCategory": "string", - "modulePath": "string", - "loginAccountSid": "string", - "dnsResponse": "string", - "netEventDirection": "string", 
- "registryValue": "string", - "srcMachineIp": "81.2.69.142", - "registryOldValueType": "string", - "eventType": "info", - "analystVerdict": "string", - "dvEventId": "string", - "dnsRequest": "string", - "loginIsAdministratorEquivalent": "string", - "loginAccountDomain": "string", - "tiIndicatorType": "string", - "moduleSha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", - "source": "string", - "srcPort": "1234", - "tiIndicatorValue": "string", - "tiIndicatorSource": "string", - "reportedAt": "2018-02-27T04:49:26.257525Z", - "registryKeyPath": "string", - "tiIndicatorComparisonMethod": "string", - "hitType": "Events" - }, - "sourceProcessInfo": { - "integrityLevel": "unknown", - "pid": "12345", - "fileHashMd5": "5d41402abc4b2a76b9719d911017c592", - "filePath": "string", - "fileSignerIdentity": "string", - "pidStarttime": "2018-02-27T04:49:26.257525Z", - "storyline": "string", - "fileHashSha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", - "uniqueId": "string", - "user": "string", - "commandline": "string", - "name": "string", - "fileHashSha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", - "subsystem": "unknown" - }, - "ruleInfo": { - "severity": "Low", - "treatAsThreat": "UNDEFINED", - "id": "string", - "scopeLevel": "string", - "name": "string", - "description": "string" - }, - "sourceParentProcessInfo": { - "integrityLevel": "unknown", - "pid": "12345", - "fileHashMd5": "5d41402abc4b2a76b9719d911017c592", - "filePath": "string", - "fileSignerIdentity": "string", - "pidStarttime": "2018-02-27T04:49:26.257525Z", - "storyline": "string", - "fileHashSha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", - "uniqueId": "string", - "user": "string", - "commandline": "string", - "name": "string", - "fileHashSha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", - "subsystem": "unknown" - }, - "agentDetectionInfo": { - "osFamily": "string", - "uuid": "string", - "osName": "string", - "version": "3.x.x.x", - "siteId": 
"123456789123456789", - "name": "string", - "machineType": "string", - "osRevision": "string" - }, - "kubernetesInfo": { - "controllerName": "string", - "node": "string", - "namespace": "string", - "namespaceLabels": "string", - "pod": "string", - "controllerLabels": "string", - "controllerKind": "string", - "cluster": "string", - "podLabels": "string" - }, - "containerInfo": { - "id": "string", - "name": "string", - "image": "string", - "labels": "string" - } - } - ], - "pagination": { - "totalItems": 2, - "nextCursor": "abcd" - }, - "errors": [ - {} - ] - } - `}} - - path: /web/api/v2.1/groups - methods: ["GET"] - query_params: - sortOrder: asc - cursor: efgh - request_headers: - Authorization: - - "ApiToken xxxx" - responses: - - status_code: 200 - body: |- - {{ minify_json ` - { - "data": [], - "pagination": { - "nextCursor": null, - "totalItems": 4 - } - } - `}} - - path: /web/api/v2.1/groups - methods: ["GET"] - query_params: - sortOrder: asc - cursor: abcd - request_headers: - Authorization: - - "ApiToken xxxx" - responses: - - status_code: 200 - body: |- - {{ minify_json ` { "data": [ - { - "createdAt": "2022-04-07T16:01:56.928383Z", - "creator": "Test User3", - "creatorId": "09099890123456789", - "filterId": null, - "filterName": null, - "id": "18989567890123456789", - "inherits": true, - "isDefault": true, - "name": "Default Group", - "rank": null, - "registrationToken": "eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=", - "siteId": "1234567890123456789", - "totalAgents": 1, - "type": "static", - "updatedAt": "2022-04-08T16:01:57.564266Z" - }, - { - "createdAt": "2022-04-08T16:01:56.928383Z", - "creator": "Test Use4r", - "creatorId": "08884567890123456789", - "filterId": null, - "filterName": null, - "id": "11134567890123456789", - "inherits": true, - "isDefault": true, - "name": "Default Group", - "rank": null, - "registrationToken": 
"eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=", - "siteId": "1234567890123456789", - "totalAgents": 1, - "type": "static", - "updatedAt": "2022-04-09T16:01:57.564266Z" - } + {{/* Comma is added at the end of each line inside the template to preserve JSON format */}} + {{- $g := glob "/var/log/corpus-*" -}} + {{- range $g -}} + {{- file . -}} + {{- end -}} + {{/* A last line of hard-coded data is required to properly close the JSON body */}} + {"targetProcessInfo":{"tgtFileCreatedAt":"2018-02-27T04:49:26.257525Z","tgtFileIsSigned":"string","tgtFileOldPath":"string","tgtProcImagePath":"string","tgtProcSignedStatus":"string","tgtFileHashSha256":"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824","tgtProcStorylineId":"string","tgtProcPid":"12345","tgtProcCmdLine":"string","tgtProcName":"string","tgtFileModifiedAt":"2018-02-27T04:49:26.257525Z","tgtFileId":"string","tgtProcIntegrityLevel":"unknown","tgtFileHashSha1":"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d","tgtProcUid":"string","tgtProcessStartTime":"2018-02-27T04:49:26.257525Z","tgtFilePath":"string"},"alertInfo":{"createdAt":"2018-02-27T04:49:26.257525Z","srcIp":"81.2.69.142","incidentStatus":"string","registryOldValue":"string","alertId":"123456789123456789","dstPort":"1234","indicatorName":"string","registryPath":"string","loginType":"string","dstIp":"81.2.69.144","updatedAt":"2018-02-27T04:49:26.257525Z","indicatorDescription":"string","loginsUserName":"string","loginIsSuccessful":"string","indicatorCategory":"string","modulePath":"string","loginAccountSid":"string","dnsResponse":"string","netEventDirection":"string","registryValue":"string","srcMachineIp":"81.2.69.142","registryOldValueType":"string","eventType":"info","analystVerdict":"string","dvEventId":"string","dnsRequest":"string","loginIsAdministratorEquivalent":"string","loginAccountDomain":"string","tiIndicatorType":"string","moduleSha1":"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d","source":"string",
"srcPort":"1234","tiIndicatorValue":"string","tiIndicatorSource":"string","reportedAt":"2018-02-27T04:49:26.257525Z","registryKeyPath":"string","tiIndicatorComparisonMethod":"string","hitType":"Events"},"sourceProcessInfo":{"integrityLevel":"unknown","pid":"12345","fileHashMd5":"5d41402abc4b2a76b9719d911017c592","filePath":"string","fileSignerIdentity":"string","pidStarttime":"2018-02-27T04:49:26.257525Z","storyline":"string","fileHashSha1":"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d","uniqueId":"string","user":"string","commandline":"string","name":"string","fileHashSha256":"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824","subsystem":"unknown"},"ruleInfo":{"severity":"Low","treatAsThreat":"UNDEFINED","id":"string","scopeLevel":"string","name":"string","description":"string"},"sourceParentProcessInfo":{"integrityLevel":"unknown","pid":"12345","fileHashMd5":"5d41402abc4b2a76b9719d911017c592","filePath":"string","fileSignerIdentity":"string","pidStarttime":"2018-02-27T04:49:26.257525Z","storyline":"string","fileHashSha1":"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d","uniqueId":"string","user":"string","commandline":"string","name":"string","fileHashSha256":"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824","subsystem":"unknown"},"agentDetectionInfo":{"osFamily":"string","uuid":"string","osName":"string","version":"3.x.x.x","siteId":"123456789123456789","name":"string","machineType":"string","osRevision":"string"},"kubernetesInfo":{"controllerName":"string","node":"string","namespace":"string","namespaceLabels":"string","pod":"string","controllerLabels":"string","controllerKind":"string","cluster":"string","podLabels":"string"},"containerInfo":{"id":"string","name":"string","image":"string","labels":"string"}} ], "pagination": { - "nextCursor": "efgh", - "totalItems": 4 + "nextCursor": null } } - `}} - path: /web/api/v2.1/groups methods: ["GET"] - query_params: - sortOrder: asc - request_headers: - Authorization: - - "ApiToken xxxx" 
responses: - status_code: 200 - body: |- - {{ minify_json ` - { - "data": [ - { - "createdAt": "2022-04-05T16:01:56.928383Z", - "creator": "Test User", - "creatorId": "1234567890123456789", - "filterId": null, - "filterName": null, - "id": "1234567890123456789", - "inherits": true, - "isDefault": true, - "name": "Default Group", - "rank": null, - "registrationToken": "eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=", - "siteId": "1234567890123456789", - "totalAgents": 1, - "type": "static", - "updatedAt": "2022-04-05T16:01:57.564266Z" - }, - { - "createdAt": "2022-04-06T16:01:56.928383Z", - "creator": "Test User1", - "creatorId": "3334567890123456789", - "filterId": null, - "filterName": null, - "id": "1333367890123456789", - "inherits": true, - "isDefault": true, - "name": "Default Group", - "rank": null, - "registrationToken": "eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=", - "siteId": "1234567890123456789", - "totalAgents": 1, - "type": "static", - "updatedAt": "2022-04-05T16:01:57.564266Z" - } - ], - "pagination": { - "nextCursor": "abcd", - "totalItems": 4 - } - } - `}} - - path: /web/api/v2.1/threats - methods: ["GET"] - query_params: - sortOrder: asc - cursor: efgh - request_headers: - Authorization: - - "ApiToken xxxx" - responses: - - status_code: 200 - body: |- - {{ minify_json ` - { - "data": [], - "pagination": { - "nextCursor": null, - "totalItems": 2 - } - } - `}} - - path: /web/api/v2.1/threats - methods: ["GET"] - query_params: - sortOrder: asc - cursor: abcd - request_headers: - Authorization: - - "ApiToken xxxx" - responses: - - status_code: 200 - body: |- - {{ minify_json ` - { - "data": [ - { - "agentDetectionInfo": { - "accountId": "111245567890123456789", - "accountName": "Default2", - "agentDetectionState": null, - "agentDomain": "WORKGROUP", - "agentIpV4": "127.0.0.1", - "agentIpV6": "2a02:cf40::", - "agentLastLoggedInUpn": null, - "agentLastLoggedInUserMail": 
null, - "agentLastLoggedInUserName": "", - "agentMitigationMode": "protect", - "agentOsName": "linux", - "agentOsRevision": "1234", - "agentRegisteredAt": "2022-04-08T08:26:45.515278Z", - "agentUuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx", - "agentVersion": "21.x.x", - "cloudProviders": {}, - "externalIp": "81.2.69.143", - "groupId": "1444567890123456789", - "groupName": "Default Group", - "siteId": "1234567890123456789", - "siteName": "Default site" - }, - "agentRealtimeInfo": { - "accountId": "1456567890123456789", - "accountName": "Default2", - "activeThreats": 8, - "agentComputerName": "test-LINUX", - "agentDecommissionedAt": null, - "agentDomain": "WORKGROUP", - "agentId": "1234567890123456789", - "agentInfected": true, - "agentIsActive": true, - "agentIsDecommissioned": false, - "agentMachineType": "server", - "agentMitigationMode": "detect", - "agentNetworkStatus": "connected", - "agentOsName": "linux", - "agentOsRevision": "1234", - "agentOsType": "linux", - "agentUuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx", - "agentVersion": "21.x.x.1234", - "groupId": "1234567890123456789", - "groupName": "Default Group", - "networkInterfaces": [ - { - "id": "1234567890123456789", - "inet": [ - "10.0.0.1" - ], - "inet6": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ], - "name": "Ethernet", - "physical": "DE:AD:00:00:BE:EF" - } - ], - "operationalState": "na", - "rebootRequired": false, - "scanAbortedAt": null, - "scanFinishedAt": "2022-04-09T09:18:21.090855Z", - "scanStartedAt": "2022-04-09T08:26:52.838047Z", - "scanStatus": "finished", - "siteId": "1234567890123456789", - "siteName": "Default site", - "storageName": null, - "storageType": null, - "userActionsNeeded": [] - }, - "containerInfo": { - "id": null, - "image": null, - "labels": null, - "name": null - }, - "id": "1234567890123456789", - "indicators": [], - "kubernetesInfo": { - "cluster": null, - "controllerKind": null, - "controllerLabels": null, - "controllerName": null, - "namespace": null, - "namespaceLabels": null, 
- "node": null, - "pod": null, - "podLabels": null - }, - "mitigationStatus": [ - { - "action": "unquarantine", - "actionsCounters": { - "failed": 0, - "notFound": 0, - "pendingReboot": 0, - "success": 1, - "total": 1 - }, - "agentSupportsReport": true, - "groupNotFound": false, - "lastUpdate": "2022-04-06T08:54:17.198002Z", - "latestReport": "/threats/mitigation-report", - "mitigationEndedAt": "2022-04-06T08:54:17.101000Z", - "mitigationStartedAt": "2022-04-06T08:54:17.101000Z", - "status": "success" - }, - { - "action": "kill", - "actionsCounters": null, - "agentSupportsReport": true, - "groupNotFound": false, - "lastUpdate": "2022-04-06T08:45:55.303355Z", - "latestReport": null, - "mitigationEndedAt": "2022-04-06T08:45:55.297364Z", - "mitigationStartedAt": "2022-04-06T08:45:55.297363Z", - "status": "success" - } - ], - "threatInfo": { - "analystVerdict": "undefined", - "analystVerdictDescription": "Undefined", - "automaticallyResolved": false, - "browserType": null, - "certificateId": "", - "classification": "Trojan", - "classificationSource": "Cloud", - "cloudFilesHashVerdict": "black", - "collectionId": "1234567890123456789", - "confidenceLevel": "malicious", - "createdAt": "2022-04-06T08:45:54.519988Z", - "detectionEngines": [ - { - "key": "sentinelone_cloud", - "title": "SentinelOne Cloud" - } - ], - "detectionType": "static", - "engines": [ - "SentinelOne Cloud" - ], - "externalTicketExists": false, - "externalTicketId": null, - "failedActions": false, - "fileExtension": "EXE", - "fileExtensionType": "Executable", - "filePath": "default.exe", - "fileSize": 1234, - "fileVerificationType": "NotSigned", - "identifiedAt": "2022-04-06T08:45:53.968000Z", - "incidentStatus": "unresolved", - "incidentStatusDescription": "Unresolved", - "initiatedBy": "agent_policy", - "initiatedByDescription": "Agent Policy", - "initiatingUserId": null, - "initiatingUsername": null, - "isFileless": false, - "isValidCertificate": false, - "maliciousProcessArguments": null, - "md5": 
null, - "mitigatedPreemptively": false, - "mitigationStatus": "not_mitigated", - "mitigationStatusDescription": "Not mitigated", - "originatorProcess": "default.exe", - "pendingActions": false, - "processUser": "test user", - "publisherName": "", - "reachedEventsLimit": false, - "rebootRequired": false, - "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", - "sha256": null, - "storyline": "D0XXXXXXXXXXAF4D", - "threatId": "1234567890123456789", - "threatName": "default.exe", - "updatedAt": "2022-04-06T08:54:17.194122Z" - }, - "whiteningOptions": [ - "hash" - ] - } - ], - "pagination": { - "nextCursor": "efgh", - "totalItems": 2 - } - } - `}} + body: | + {"data":[{"createdAt":"2022-04-05T16:01:56.928383Z","creator":"Test User","creatorId":"1234567890123456789","filterId":null,"filterName":null,"id":"1234567890123456789","inherits":true,"isDefault":true,"name":"Default Group","rank":null,"registrationToken":"eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=","siteId":"1234567890123456789","totalAgents":1,"type":"static","updatedAt":"2022-04-05T16:01:57.564266Z"}],"pagination":{"nextCursor":null,"totalItems":1}} - path: /web/api/v2.1/threats methods: ["GET"] - query_params: - sortOrder: asc - request_headers: - Authorization: - - "ApiToken xxxx" responses: - status_code: 200 body: |- - {{ minify_json ` - { - "data": [ - { - "agentDetectionInfo": { - "accountId": "1234567890123456789", - "accountName": "Default", - "agentDetectionState": null, - "agentDomain": "WORKGROUP", - "agentIpV4": "10.0.0.1", - "agentIpV6": "2a02:cf40::", - "agentLastLoggedInUpn": null, - "agentLastLoggedInUserMail": null, - "agentLastLoggedInUserName": "", - "agentMitigationMode": "protect", - "agentOsName": "linux", - "agentOsRevision": "1234", - "agentRegisteredAt": "2022-04-06T08:26:45.515278Z", - "agentUuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx", - "agentVersion": "21.x.x", - "cloudProviders": {}, - "externalIp": "81.2.69.143", - "groupId": 
"1234567890123456789", - "groupName": "Default Group", - "siteId": "1234567890123456789", - "siteName": "Default site" - }, - "agentRealtimeInfo": { - "accountId": "1234567890123456789", - "accountName": "Default", - "activeThreats": 7, - "agentComputerName": "test-LINUX", - "agentDecommissionedAt": null, - "agentDomain": "WORKGROUP", - "agentId": "1234567890123456789", - "agentInfected": true, - "agentIsActive": true, - "agentIsDecommissioned": false, - "agentMachineType": "server", - "agentMitigationMode": "detect", - "agentNetworkStatus": "connected", - "agentOsName": "linux", - "agentOsRevision": "1234", - "agentOsType": "linux", - "agentUuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx", - "agentVersion": "21.x.x.1234", - "groupId": "1234567890123456789", - "groupName": "Default Group", - "networkInterfaces": [ - { - "id": "1234567890123456789", - "inet": [ - "10.0.0.1" - ], - "inet6": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ], - "name": "Ethernet", - "physical": "DE:AD:00:00:BE:EF" - } - ], - "operationalState": "na", - "rebootRequired": false, - "scanAbortedAt": null, - "scanFinishedAt": "2022-04-06T09:18:21.090855Z", - "scanStartedAt": "2022-04-06T08:26:52.838047Z", - "scanStatus": "finished", - "siteId": "1234567890123456789", - "siteName": "Default site", - "storageName": null, - "storageType": null, - "userActionsNeeded": [] - }, - "containerInfo": { - "id": null, - "image": null, - "labels": null, - "name": null - }, - "id": "1234567890123456789", - "indicators": [], - "kubernetesInfo": { - "cluster": null, - "controllerKind": null, - "controllerLabels": null, - "controllerName": null, - "namespace": null, - "namespaceLabels": null, - "node": null, - "pod": null, - "podLabels": null - }, - "mitigationStatus": [ - { - "action": "unquarantine", - "actionsCounters": { - "failed": 0, - "notFound": 0, - "pendingReboot": 0, - "success": 1, - "total": 1 - }, - "agentSupportsReport": true, - "groupNotFound": false, - "lastUpdate": "2022-04-06T08:54:17.198002Z", - 
"latestReport": "/threats/mitigation-report", - "mitigationEndedAt": "2022-04-06T08:54:17.101000Z", - "mitigationStartedAt": "2022-04-06T08:54:17.101000Z", - "status": "success" - }, - { - "action": "kill", - "actionsCounters": null, - "agentSupportsReport": true, - "groupNotFound": false, - "lastUpdate": "2022-04-06T08:45:55.303355Z", - "latestReport": null, - "mitigationEndedAt": "2022-04-06T08:45:55.297364Z", - "mitigationStartedAt": "2022-04-06T08:45:55.297363Z", - "status": "success" - } - ], - "threatInfo": { - "analystVerdict": "undefined", - "analystVerdictDescription": "Undefined", - "automaticallyResolved": false, - "browserType": null, - "certificateId": "", - "classification": "Trojan", - "classificationSource": "Cloud", - "cloudFilesHashVerdict": "black", - "collectionId": "1234567890123456789", - "confidenceLevel": "malicious", - "createdAt": "2022-04-06T08:45:54.519988Z", - "detectionEngines": [ - { - "key": "sentinelone_cloud", - "title": "SentinelOne Cloud" - } - ], - "detectionType": "static", - "engines": [ - "SentinelOne Cloud" - ], - "externalTicketExists": false, - "externalTicketId": null, - "failedActions": false, - "fileExtension": "EXE", - "fileExtensionType": "Executable", - "filePath": "default.exe", - "fileSize": 1234, - "fileVerificationType": "NotSigned", - "identifiedAt": "2022-04-06T08:45:53.968000Z", - "incidentStatus": "unresolved", - "incidentStatusDescription": "Unresolved", - "initiatedBy": "agent_policy", - "initiatedByDescription": "Agent Policy", - "initiatingUserId": null, - "initiatingUsername": null, - "isFileless": false, - "isValidCertificate": false, - "maliciousProcessArguments": null, - "md5": null, - "mitigatedPreemptively": false, - "mitigationStatus": "not_mitigated", - "mitigationStatusDescription": "Not mitigated", - "originatorProcess": "default.exe", - "pendingActions": false, - "processUser": "test user", - "publisherName": "", - "reachedEventsLimit": false, - "rebootRequired": false, - "sha1": 
"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", - "sha256": null, - "storyline": "D0XXXXXXXXXXAF4D", - "threatId": "1234567890123456789", - "threatName": "default.exe", - "updatedAt": "2022-04-06T08:55:17.194122Z" - }, - "whiteningOptions": [ - "hash" - ] - } - ], - "pagination": { - "nextCursor": "abcd", - "totalItems": 2 - } - } - `}} + {"data":[{"agentDetectionInfo":{"accountId":"1234567890123456789","accountName":"Default","agentDetectionState":null,"agentDomain":"WORKGROUP","agentIpV4":"10.0.0.1","agentIpV6":"2a02:cf40::","agentLastLoggedInUpn":null,"agentLastLoggedInUserMail":null,"agentLastLoggedInUserName":"","agentMitigationMode":"protect","agentOsName":"linux","agentOsRevision":"1234","agentRegisteredAt":"2022-04-06T08:26:45.515278Z","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x","cloudProviders":{},"externalIp":"81.2.69.143","groupId":"1234567890123456789","groupName":"Default Group","siteId":"1234567890123456789","siteName":"Default site"},"agentRealtimeInfo":{"accountId":"1234567890123456789","accountName":"Default","activeThreats":7,"agentComputerName":"test-LINUX","agentDecommissionedAt":null,"agentDomain":"WORKGROUP","agentId":"1234567890123456789","agentInfected":true,"agentIsActive":true,"agentIsDecommissioned":false,"agentMachineType":"server","agentMitigationMode":"detect","agentNetworkStatus":"connected","agentOsName":"linux","agentOsRevision":"1234","agentOsType":"linux","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x.1234","groupId":"1234567890123456789","groupName":"Default Group","networkInterfaces":[{"id":"1234567890123456789","inet":["10.0.0.1"],"inet6":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"],"name":"Ethernet","physical":"DE:AD:00:00:BE:EF"}],"operationalState":"na","rebootRequired":false,"scanAbortedAt":null,"scanFinishedAt":"2022-04-06T09:18:21.090855Z","scanStartedAt":"2022-04-06T08:26:52.838047Z","scanStatus":"finished","siteId":"1234567890123456789","siteName":"Default 
site","storageName":null,"storageType":null,"userActionsNeeded":[]},"containerInfo":{"id":null,"image":null,"labels":null,"name":null},"id":"1234567890123456789","indicators":[],"kubernetesInfo":{"cluster":null,"controllerKind":null,"controllerLabels":null,"controllerName":null,"namespace":null,"namespaceLabels":null,"node":null,"pod":null,"podLabels":null},"mitigationStatus":[{"action":"unquarantine","actionsCounters":{"failed":0,"notFound":0,"pendingReboot":0,"success":1,"total":1},"agentSupportsReport":true,"groupNotFound":false,"lastUpdate":"2022-04-06T08:54:17.198002Z","latestReport":"/threats/mitigation-report","mitigationEndedAt":"2022-04-06T08:54:17.101000Z","mitigationStartedAt":"2022-04-06T08:54:17.101000Z","status":"success"},{"action":"kill","actionsCounters":null,"agentSupportsReport":true,"groupNotFound":false,"lastUpdate":"2022-04-06T08:45:55.303355Z","latestReport":null,"mitigationEndedAt":"2022-04-06T08:45:55.297364Z","mitigationStartedAt":"2022-04-06T08:45:55.297363Z","status":"success"}],"threatInfo":{"analystVerdict":"undefined","analystVerdictDescription":"Undefined","automaticallyResolved":false,"browserType":null,"certificateId":"","classification":"Trojan","classificationSource":"Cloud","cloudFilesHashVerdict":"black","collectionId":"1234567890123456789","confidenceLevel":"malicious","createdAt":"2022-04-06T08:45:54.519988Z","detectionEngines":[{"key":"sentinelone_cloud","title":"SentinelOne Cloud"}],"detectionType":"static","engines":["SentinelOne Cloud"],"externalTicketExists":false,"externalTicketId":null,"failedActions":false,"fileExtension":"EXE","fileExtensionType":"Executable","filePath":"default.exe","fileSize":1234,"fileVerificationType":"NotSigned","identifiedAt":"2022-04-06T08:45:53.968000Z","incidentStatus":"unresolved","incidentStatusDescription":"Unresolved","initiatedBy":"agent_policy","initiatedByDescription":"Agent 
Policy","initiatingUserId":null,"initiatingUsername":null,"isFileless":false,"isValidCertificate":false,"maliciousProcessArguments":null,"md5":null,"mitigatedPreemptively":false,"mitigationStatus":"not_mitigated","mitigationStatusDescription":"Not mitigated","originatorProcess":"default.exe","pendingActions":false,"processUser":"test user","publisherName":"","reachedEventsLimit":false,"rebootRequired":false,"sha1":"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d","sha256":null,"storyline":"D0XXXXXXXXXXAF4D","threatId":"1234567890123456789","threatName":"default.exe","updatedAt":"2022-04-06T08:54:17.194122Z"},"whiteningOptions":["hash"]},{"agentDetectionInfo":{"accountId":"1234567890123456789","accountName":"Default","agentDetectionState":null,"agentDomain":"WORKGROUP","agentIpV4":"10.0.0.1","agentIpV6":"2a02:cf40::","agentLastLoggedInUpn":null,"agentLastLoggedInUserMail":null,"agentLastLoggedInUserName":"","agentMitigationMode":"detect","agentOsName":"linux","agentOsRevision":"1234","agentRegisteredAt":"2022-04-06T08:26:45.515278Z","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x","cloudProviders":{},"externalIp":"81.2.69.143","groupId":"1234567890123456789","groupName":"Default Group","siteId":"1234567890123456789","siteName":"Default site"},"agentRealtimeInfo":{"accountId":"1234567890123456789","accountName":"Default","activeThreats":7,"agentComputerName":"test-LINUX","agentDecommissionedAt":null,"agentDomain":"WORKGROUP","agentId":"1234567890123456789","agentInfected":true,"agentIsActive":true,"agentIsDecommissioned":false,"agentMachineType":"server","agentMitigationMode":"detect","agentNetworkStatus":"connected","agentOsName":"linux","agentOsRevision":"1234","agentOsType":"linux","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x.1234","groupId":"1234567890123456789","groupName":"Default 
Group","networkInterfaces":[{"id":"1234567890123456789","inet":["10.0.0.1"],"inet6":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"],"name":"Ethernet","physical":"DE:AD:00:00:BE:EF"}],"operationalState":"na","rebootRequired":false,"scanAbortedAt":null,"scanFinishedAt":"2022-04-06T09:18:21.090855Z","scanStartedAt":"2022-04-06T08:26:52.838047Z","scanStatus":"finished","siteId":"1234567890123456789","siteName":"Default site","storageName":null,"storageType":null,"userActionsNeeded":[]},"containerInfo":{"id":null,"image":null,"labels":null,"name":null},"id":"1234567890123456789","indicators":[{"category":"General","description":"Detected by the Static Engine","ids":[43],"tactics":[]},{"category":"Exploitation","description":"Document behaves abnormally","ids":[62],"tactics":[{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"}]},{"name":"Initial Access","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"}]}]},{"category":"Evasion","description":"Indirect command was executed","ids":[427],"tactics":[{"name":"Defense Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"}]}]},{"category":"Evasion","description":"Office program ran macro","ids":[434],"tactics":[{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]},{"name":"Initial Access","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]},{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]},{"category":"Evasion","description":"Process wrote to a hidden file section","ids":[169],"tactics":[{"name":"Defense Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]},{"category":"Evasion","description":"Suspicious registry key was 
created","ids":[171],"tactics":[{"name":"Defense Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]}],"kubernetesInfo":{"cluster":null,"controllerKind":null,"controllerLabels":null,"controllerName":null,"namespace":null,"namespaceLabels":null,"node":null,"pod":null,"podLabels":null},"mitigationStatus":[],"threatInfo":{"analystVerdict":"undefined","analystVerdictDescription":"Undefined","automaticallyResolved":false,"browserType":null,"certificateId":"","classification":"Malware","classificationSource":"Static","cloudFilesHashVerdict":"black","collectionId":"1234567890123456789","confidenceLevel":"malicious","createdAt":"2022-04-06T08:57:34.744922Z","detectionEngines":[{"key":"pre_execution","title":"On-Write Static AI"},{"key":"data_files","title":"Documents, Scripts"}],"detectionType":"dynamic","engines":["Documents, Scripts","On-Write ABC"],"externalTicketExists":false,"externalTicketId":null,"failedActions":false,"fileExtension":"TXT","fileExtensionType":"Document","filePath":"test/path/user","fileSize":238592,"fileVerificationType":"NotSigned","identifiedAt":"2022-04-06T08:57:34.444000Z","incidentStatus":"unresolved","incidentStatusDescription":"Unresolved","initiatedBy":"agent_policy","initiatedByDescription":"Agent Policy","initiatingUserId":null,"initiatingUsername":null,"isFileless":false,"isValidCertificate":false,"maliciousProcessArguments":"test/path/user","md5":null,"mitigatedPreemptively":false,"mitigationStatus":"not_mitigated","mitigationStatusDescription":"Not mitigated","originatorProcess":"default.EXE","pendingActions":false,"processUser":"test_user","publisherName":"","reachedEventsLimit":false,"rebootRequired":false,"sha1":"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d","sha256":null,"storyline":"7XXXXXXXXXDD5A41","threatId":"123456789","threatName":"Threats","updatedAt":"2022-04-06T08:57:37.672873Z"},"whiteningOptions":["hash","path","file_type"]}],"pagination":{"nextCursor":null,"totalItems":2}} - path: 
/web/api/v2.1/application-management/inventory methods: ['GET'] - query_params: - skipCount: "true" - limit: 2 - cursor: abcd - request_headers: - Authorization: - - "ApiToken xxxx" responses: - status_code: 200 headers: Content-Type: - 'application/json' body: |- - {{ minify_json ` - { - "data": [ - { - "applicationName": "Elastic Agent", - "applicationVendor": "Elastic", - "applicationVersionsCount": 1, - "endpointsCount": 1, - "estimate": false - }, - { - "applicationName": "Git", - "applicationVendor": "The Git Development Community", - "applicationVersionsCount": 1, - "endpointsCount": 1, - "estimate": false - } - ], - "pagination": { - "nextCursor": "efgh", - "totalItems": 0 - } - } - `}} - - path: /web/api/v2.1/application-management/inventory - methods: ['GET'] - query_params: - skipCount: "true" - limit: 2 - cursor: efgh - request_headers: - Authorization: - - "ApiToken xxxx" - responses: - - status_code: 200 - headers: - Content-Type: - - 'application/json' - body: |- - {{ minify_json ` - { - "data": [], - "pagination": { - "nextCursor": null, - "totalItems": 0 - } - } - `}} - - path: /web/api/v2.1/application-management/inventory - methods: ['GET'] - query_params: - skipCount: "true" - limit: 2 - request_headers: - Authorization: - - "ApiToken xxxx" - responses: - - status_code: 200 - headers: - Content-Type: - - 'application/json' - body: |- - {{ minify_json ` { "data": [ { 
@@ -1453,437 +71,31 @@ rules: "applicationVersionsCount": 1, "endpointsCount": 1, "estimate": false - }, - { - "applicationName": "Brave", - "applicationVendor": "Brave Software Inc", - "applicationVersionsCount": 1, - "endpointsCount": 1, - "estimate": false - } - ], - "pagination": { - "nextCursor": "abcd", - "totalItems": 0 - } - } - `}} - - path: /web/api/v2.1/application-management/inventory/endpoints - methods: ['GET'] - query_params: - applicationName: Git - applicationVendor: The Git Development Community - skipCount: "true" - limit: 2 - cursor: xxxxx - request_headers: - Authorization: - - "ApiToken xxxx" - responses: - - status_code: 200 - headers: - Content-Type: - - 'application/json' - body: |- - {{ minify_json ` - { - "data": [], - "pagination": { - "nextCursor": null, - "totalItems": 0 - } - } - `}} - - path: /web/api/v2.1/application-management/inventory/endpoints - methods: ['GET'] - query_params: - applicationName: 7-Zip - applicationVendor: Igor Pavlov - skipCount: "true" - limit: 2 - request_headers: - Authorization: - - "ApiToken xxxx" - responses: - - status_code: 200 - headers: - Content-Type: - - 'application/json' - body: |- - {{ minify_json ` - { - "data": [ - { - "accountName": "7-Zip", - "applicationInstallationDate": "2025-04-13T10:45:01Z", - "applicationInstallationPath": null, - "applicationName": "Igor Pavlov", - "coreCount": 2, - "cpe": "cpe:2.3:a:abc:igor:8.17.3:*:*:*:*:*:*:*", - "cpuCount": 1, - "detectionDate": "2025-06-19T18:00:51.166610Z", - "endpointId": "216970508828266268", - "endpointName": "srv-win-defend-03", - "endpointType": "server", - "endpointUuid": "eb655be8be894dae97711ebb9a9091ae", - "fileSize": 517364, - "groupName": "Default Group", - "id": "2218357748550497214", - "osArch": "64 bit", - "osName": "Windows Server 2022 Datacenter", - "osType": "windows", - "osVersion": "Windows Server 2022 Datacenter 20348", - "siteName": "Default site", - "version": "8.17.3" - } - ], - "pagination": { - "nextCursor": null, - 
"totalItems": 1 - } - } - `}} - - path: /web/api/v2.1/application-management/inventory/endpoints - methods: ['GET'] - query_params: - applicationName: Brave - applicationVendor: Brave Software Inc - skipCount: "true" - limit: 2 - request_headers: - Authorization: - - "ApiToken xxxx" - responses: - - status_code: 200 - headers: - Content-Type: - - 'application/json' - body: |- - {{ minify_json ` - { - "data": [ - { - "accountName": "Brave", - "applicationInstallationDate": "2025-03-13T10:45:01Z", - "applicationInstallationPath": null, - "applicationName": "Brave Software Inc", - "coreCount": 2, - "cpe": "cpe:2.3:a:elastic:elastic_agent:8.17.3:*:*:*:*:*:*:*", - "cpuCount": 1, - "detectionDate": "2025-05-19T18:00:51.166610Z", - "endpointId": "2169705024028266268", - "endpointName": "srv-win-defend-03", - "endpointType": "server", - "endpointUuid": "eb655be8be894dae97711ebb9a9091ae", - "fileSize": 517364, - "groupName": "Default Group", - "id": "2218357748550497214", - "osArch": "64 bit", - "osName": "Windows Server 2022 Datacenter", - "osType": "windows", - "osVersion": "Windows Server 2022 Datacenter 20348", - "siteName": "Default site", - "version": "8.17.3" - } - ], - "pagination": { - "nextCursor": null, - "totalItems": 1 - } - } - `}} - - path: /web/api/v2.1/application-management/inventory/endpoints - methods: ['GET'] - query_params: - applicationName: Elastic Agent - applicationVendor: Elastic - skipCount: "true" - limit: 2 - request_headers: - Authorization: - - "ApiToken xxxx" - responses: - - status_code: 200 - headers: - Content-Type: - - 'application/json' - body: |- - {{ minify_json ` - { - "data": [ - { - "accountName": "Elastic", - "applicationInstallationDate": "2025-03-13T10:45:01Z", - "applicationInstallationPath": null, - "applicationName": "Elastic Agent", - "coreCount": 2, - "cpe": "cpe:2.3:a:elastic:elastic_agent:8.17.3:*:*:*:*:*:*:*", - "cpuCount": 1, - "detectionDate": "2025-05-19T18:00:51.166610Z", - "endpointId": "2169705024028266268", - 
"endpointName": "srv-win-defend-03", - "endpointType": "server", - "endpointUuid": "eb655be8be894dae97711ebb9a9091ae", - "fileSize": 517364, - "groupName": "Default Group", - "id": "2218357748550497214", - "osArch": "64 bit", - "osName": "Windows Server 2022 Datacenter", - "osType": "windows", - "osVersion": "Windows Server 2022 Datacenter 20348", - "siteName": "Default site", - "version": "8.17.3" } ], "pagination": { - "nextCursor": null, - "totalItems": 1 + "nextCursor": null } } - `}} - path: /web/api/v2.1/application-management/inventory/endpoints methods: ['GET'] - query_params: - applicationName: Git - applicationVendor: The Git Development Community - skipCount: "true" - limit: 2 - request_headers: - Authorization: - - "ApiToken xxxx" responses: - status_code: 200 headers: Content-Type: - 'application/json' body: |- - {{ minify_json ` { "data": [ - { - "accountName": "Git", - "applicationInstallationDate": "2025-08-13T10:45:01Z", - "applicationInstallationPath": null, - "applicationName": "The Git Development Community", - "coreCount": 2, - "cpe": "cpe:2.3:a:elastic:git:8.17.3:*:*:*:*:*:*:*", - "cpuCount": 1, - "detectionDate": "2025-05-29T18:00:51.166610Z", - "endpointId": "2169705024028266268", - "endpointName": "srv-win-defend-05", - "endpointType": "server", - "endpointUuid": "eb65e894dae97711ebb9a9091ae", - "fileSize": 517364, - "groupName": "Default Group", - "id": "22183577485514", - "osArch": "64 bit", - "osName": "Windows Server 2022 Datacenter", - "osType": "windows", - "osVersion": "Windows Server 2022 Datacenter 20348", - "siteName": "Default site", - "version": "8.17.3" - } + {{/* Comma is added at the end of each line inside the template to preserve JSON format */}} + {{- $g := glob "/var/log/corpus-*" -}} + {{- range $g -}} + {{- file . 
-}} + {{- end -}} + {{/* A last line of hard-coded data is required to properly close the JSON body */}} + {"accountName":"Git","applicationInstallationDate":"2025-08-13T10:45:01Z","applicationInstallationPath":null,"applicationName":"The Git Development Community","coreCount":2,"cpe":"cpe:2.3:a:elastic:git:8.17.3:*:*:*:*:*:*:*","cpuCount":1,"detectionDate":"2025-05-29T18:00:51.166610Z","endpointId":"2169705024028266268","endpointName":"srv-win-defend-05","endpointType":"server","endpointUuid":"eb65e894dae97711ebb9a9091ae","fileSize":517364,"groupName":"Default Group","id":"22183577485514","osArch":"64 bit","osName":"Windows Server 2022 Datacenter","osType":"windows","osVersion":"Windows Server 2022 Datacenter 20348","siteName":"Default site","version":"8.17.3"} ], "pagination": { - "nextCursor": "xxxxx", - "totalItems": 1 - } - } - `}} - - path: /web/api/v2.1/application-management/risks - methods: ['GET'] - query_params: - limit: 2 - cursor: null - request_headers: - Authorization: - - "ApiToken xxxx" - responses: - - status_code: 200 - headers: - Content-Type: - - 'application/json' - body: |- - {{ minify_json ` - { - "data": [ - { - "application": "7-Zip 22.01", - "applicationName": "7-Zip", - "applicationVendor": "Igor Pavlov", - "applicationVersion": "22.01", - "baseScore": "7.00", - "cveId": "CVE-2025-0411", - "cvssVersion": "3.1", - "daysDetected": 59, - "detectionDate": "2025-06-02T04:46:51.710569Z", - "endpointId": "2162143406517023959", - "endpointName": "test_endpoint", - "endpointType": "desktop", - "id": "2228104980801805822", - "lastScanDate": "2025-07-29T19:25:47Z", - "lastScanResult": "Succeeded", - "markType": "", - "markedBy": null, - "markedDate": null, - "osType": "windows", - "publishedDate": "2025-01-20T07:04:04Z", - "reason": null, - "severity": "HIGH", - "status": "Detected" - }, - { - "application": "7-Zip 22.01", - "applicationName": "7-Zip", - "applicationVendor": "Igor Pavlov", - "applicationVersion": "22.01", - "baseScore": "7.80", - 
"cveId": "CVE-2024-11477", - "cvssVersion": "3.1", - "daysDetected": 59, - "detectionDate": "2025-06-02T04:46:51.710578Z", - "endpointId": "2162143406517023959", - "endpointName": "example_endpoint", - "endpointType": "desktop", - "id": "2228104981028298282", - "lastScanDate": "2025-07-29T19:25:47Z", - "lastScanResult": "Succeeded", - "markType": "", - "markedBy": null, - "markedDate": null, - "osType": "windows", - "publishedDate": "2024-11-21T06:42:16Z", - "reason": null, - "severity": "HIGH", - "status": "Detected" - } - ], - "pagination": { - "nextCursor": "page2", - "totalItems": 5 - } - } - `}} - - path: /web/api/v2.1/application-management/risks - methods: ['GET'] - query_params: - limit: 2 - cursor: page2 - request_headers: - Authorization: - - "ApiToken xxxx" - responses: - - status_code: 200 - headers: - Content-Type: - - 'application/json' - body: |- - {{ minify_json ` - { - "data": [ - { - "application": "Microsoft Edge 112.0.1722.68", - "applicationName": "Microsoft Edge", - "applicationVendor": "Microsoft Corporation", - "applicationVersion": "112.0.1722.68", - "baseScore": "4.30", - "cveId": "CVE-2024-29057", - "cvssVersion": "3.1", - "daysDetected": 59, - "detectionDate": "2025-06-02T04:46:51.710587Z", - "endpointId": "2162143406517023959", - "endpointName": "DESKTOP-example", - "endpointType": "desktop", - "id": "2228104981036686896", - "lastScanDate": "2025-07-29T19:25:47Z", - "lastScanResult": "Succeeded", - "markType": "", - "markedBy": null, - "markedDate": null, - "osType": "windows", - "publishedDate": "2024-03-22T22:15:00Z", - "reason": null, - "severity": "MEDIUM", - "status": "Detected" - }, - { - "application": "Microsoft Edge 112.0.1722.68", - "applicationName": "Microsoft Edge", - "applicationVendor": "Microsoft Corporation", - "applicationVersion": "112.0.1722.68", - "baseScore": "6.10", - "cveId": "CVE-2024-38156", - "cvssVersion": "3.1", - "daysDetected": 59, - "detectionDate": "2025-06-02T04:46:51.710591Z", - "endpointId": 
"2162143406517023959", - "endpointName": "DESKTOP-test", - "endpointType": "desktop", - "id": "2228104981070241336", - "lastScanDate": "2025-07-29T19:25:47Z", - "lastScanResult": "Succeeded", - "markType": "", - "markedBy": null, - "markedDate": null, - "osType": "windows", - "publishedDate": "2024-07-18T05:39:23Z", - "reason": null, - "severity": "MEDIUM", - "status": "Detected" - } - ], - "pagination": { - "nextCursor": "page3", - "totalItems": 5 + "nextCursor": null } } - `}} - - path: /web/api/v2.1/application-management/risks - methods: ['GET'] - query_params: - limit: 2 - cursor: page3 - request_headers: - Authorization: - - "ApiToken xxxx" - responses: - - status_code: 200 - headers: - Content-Type: - - 'application/json' - body: |- - {{ minify_json ` - { - "data": [ - { - "application": "Microsoft Edge 112.0.1722.68", - "applicationName": "Microsoft Edge", - "applicationVendor": "Microsoft Corporation", - "applicationVersion": "112.0.1722.68", - "baseScore": "6.50", - "cveId": "CVE-2024-38222", - "cvssVersion": "3.1", - "daysDetected": 59, - "detectionDate": "2025-06-02T04:46:51.710593Z", - "endpointId": "2162143406517023959", - "endpointName": "DESKTOP-R1E2DQ2", - "endpointType": "desktop", - "id": "2228104981095407166", - "lastScanDate": "2025-07-29T19:25:47Z", - "lastScanResult": "Succeeded", - "markType": "", - "markedBy": null, - "markedDate": null, - "osType": "windows", - "publishedDate": "2024-08-13T18:27:28Z", - "reason": null, - "severity": "MEDIUM", - "status": "Detected" - } - ], - "pagination": { - "nextCursor": null, - "totalItems": 5 - } - } - `}} From e5bc43ba58aa4a7a6a9e1e4ef0920db1dc6dc92b Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Fri, 24 Oct 2025 12:29:06 +0200 Subject: [PATCH 12/23] Disable other policy template and inputs --- internal/benchrunner/runners/system/runner.go | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) 
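Review bot: The templated body added for the `/web/api/v2.1/application-management/inventory/endpoints` rule (`{{- range $g -}}{{- file . -}}{{- end -}}`) only produces a valid JSON array if every file matched by `glob "/var/log/corpus-*"` holds complete objects each followed by a trailing comma, and nothing in the hunk documents or checks that, so a corpus file missing the comma or ending mid-object breaks the whole response at request time rather than at generation time. The comment `Comma is added at the end of each line inside the template to preserve JSON format` reads as if the template adds the comma, whereas the corpus files must carry it; I would reword it to `Each corpus file must hold one JSON object per line, each followed by a trailing comma; the hard-coded object below closes the array`. Dropping `totalItems` from `pagination` is presumably intentional now that the corpus size is unknown when the rule is written, but a short comment saying so would avoid a reader treating it as an oversight. The same rule also loses its `query_params` and `request_headers` match, so any GET on that path now gets the corpus regardless of the `Authorization` header, unlike the earlier rules in this file that still match on `ApiToken xxxx` — acceptable for a benchmark mock, but worth stating next to the rule.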
diff --git a/internal/benchrunner/runners/system/runner.go b/internal/benchrunner/runners/system/runner.go
index 2fdefde3c4..d854c27af2 100644
--- a/internal/benchrunner/runners/system/runner.go
+++ b/internal/benchrunner/runners/system/runner.go
@@ -193,6 +193,7 @@ func (r *runner) setUp(ctx context.Context) error {
 if r.scenario.Package == "" {
 r.scenario.Package = pkgManifest.Name
 }
+
 policy, err := r.createBenchmarkPolicy(ctx, pkgManifest)
 if err != nil {
 return err
@@ -554,6 +555,21 @@ func (r *runner) createPackagePolicy(ctx context.Context, pkgManifest *packages.
 },
 },
 }
+
+ // All other policy templates and inputs must be disabled,
+ // otherwise Fleet will try to enable them too.
+ // NOTE: This data is retrieved from the local package manifest.
+ for _, policyTemplate := range pkgManifest.PolicyTemplates {
+ for _, input := range policyTemplate.Inputs {
+ if policyTemplate.Name == r.scenario.PolicyTemplate && input.Type == r.scenario.Input {
+ continue
+ }
+ pp.Inputs[fmt.Sprintf("%s-%s", policyTemplate.Name, input.Type)] = kibana.PackagePolicyInput{
+ Enabled: false,
+ }
+ }
+ }
+
 pp.Package.Name = pkgManifest.Name
 pp.Package.Version = r.scenario.Version
From 258a83530287cf582a03e01dee6778e3d92a0602 Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Fri, 24 Oct 2025 13:06:33 +0200
Subject: [PATCH 13/23] Comment policy_template field for now
---
 .../_dev/benchmark/system/alert-benchmark.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/alert-benchmark.yml b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/alert-benchmark.yml
index 5896a33923..8dddb378c6 100644
--- a/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/alert-benchmark.yml
+++ b/test/packages/benchmarks/system_benchmark_sentinel_one/_dev/benchmark/system/alert-benchmark.yml
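Review bot: The `continue` guard in the new loop keeps the scenario's own input enabled only when `policyTemplate.Name == r.scenario.PolicyTemplate`, so with an empty `PolicyTemplate` — which the next patch (PATCH 13/23) makes the actual state of `alert-benchmark.yml` by commenting out `policy_template` — no input is spared and every `name-type` key is written with `Enabled: false`; whether that clobbers the enabled input depends on the key it was registered under earlier in `createPackagePolicy`, whose start is outside the hunk. Tolerating the unset field is a one-line change: `if (r.scenario.PolicyTemplate == "" || policyTemplate.Name == r.scenario.PolicyTemplate) && input.Type == r.scenario.Input {`. Alternatively, skip keys already present in `pp.Inputs`, which removes the dependency on the name comparison altogether. The NOTE comment would also benefit from stating the assumption this loop presumably relies on, namely that the scenario-selected input is already in `pp.Inputs` before the loop runs.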
@@ -1,7 +1,8 @@
 ---
 description: Benchmark 100000 alert events ingested
 input: httpjson
-policy_template: sentinel_one
+# This field was not available, fixed in https://github.com/elastic/package-spec/pull/1004
+# policy_template: sentinel_one
 vars:
 url: "http://svc-sentinel_one:8080/"
 api_token: xxxx
From b7f9d5a99f7844d9833a1596444b79eaa8251238 Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Fri, 24 Oct 2025 13:48:37 +0200
Subject: [PATCH 14/23] Upate deletePolicyHandler to just delete benchmark policy

---
 internal/benchrunner/runners/system/runner.go | 26 +++++++------------
 1 file changed, 9 insertions(+), 17 deletions(-)

diff --git a/internal/benchrunner/runners/system/runner.go b/internal/benchrunner/runners/system/runner.go
index d854c27af2..b47fc67bab 100644
--- a/internal/benchrunner/runners/system/runner.go
+++ b/internal/benchrunner/runners/system/runner.go
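Review bot: Commenting out `policy_template` leaves this scenario with no explicit template, so the runner has to pick one itself; later in this series `setUp` falls back to the first entry of the manifest's `policy_templates`, which makes the benchmark depend on manifest ordering rather than on the `sentinel_one` template it was written for. Because the workaround is tied to a package-spec fix rather than to this package, it is easy to forget; I would mark it explicitly next to the commented line: `# TODO: restore policy_template once this package is built against a spec version that includes package-spec#1004`. The `api_token: xxxx` value is a placeholder for the mock service, which is fine for a test package as long as nobody copies this file as a template for a real one.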
@@ -495,31 +495,23 @@ func (r *runner) createBenchmarkPolicy(ctx context.Context, pkgManifest *package
 return nil, err
 }
- packagePolicy, err := r.createPackagePolicy(ctx, pkgManifest, policy)
- if err != nil {
- return nil, err
- }
-
 r.deletePolicyHandler = func(ctx context.Context) error {
- var merr multierror.Error
-
- logger.Debug("deleting benchmark package policy...")
- if err := r.options.KibanaClient.DeletePackagePolicy(ctx, *packagePolicy); err != nil {
- merr = append(merr, fmt.Errorf("error cleaning up benchmark package policy: %w", err))
- }
-
+ // Package policy deletion is handled when deleting this policy.
+ // Setting here the deletion handler ensures that if package policy creation fails,
+ // no orphaned package policies are left behind.
 logger.Debug("deleting benchmark policy...")
 if err := r.options.KibanaClient.DeletePolicy(ctx, policy.ID); err != nil {
- merr = append(merr, fmt.Errorf("error cleaning up benchmark policy: %w", err))
- }
-
- if len(merr) > 0 {
- return merr
+ return fmt.Errorf("error cleaning up benchmark policy: %w", err)
 }
 return nil
 }
+ _, err = r.createPackagePolicy(ctx, pkgManifest, policy)
+ if err != nil {
+ return nil, err
+ }
+
 return policy, nil
 }
From d2e53033e54db22b384772928f9ded110be72cdd Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Fri, 24 Oct 2025 15:12:11 +0200
Subject: [PATCH 15/23] Parametrize namespace setting

---
 internal/benchrunner/runners/system/runner.go | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/internal/benchrunner/runners/system/runner.go b/internal/benchrunner/runners/system/runner.go
index b47fc67bab..25e3e26f6f 100644
--- a/internal/benchrunner/runners/system/runner.go
+++ b/internal/benchrunner/runners/system/runner.go
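Review bot: The new comment inside the closure claims that registering the handler before `createPackagePolicy` prevents orphaned package policies, but that only holds if whoever calls `createBenchmarkPolicy` actually invokes `r.deletePolicyHandler` when this function returns `nil, err`; the error path here just returns, and whether the caller's teardown runs the handler on a failed setUp is not visible in this hunk. If it does not, a failed `createPackagePolicy` now leaves the agent policy behind, the opposite of what the comment promises. I would move the comment above the `r.deletePolicyHandler = func(...)` assignment, where the ordering it describes is visible, and state the precondition: `// Registered before createPackagePolicy so that, if package policy creation fails, the caller's teardown still has a handler that removes the agent policy; package policies are expected to be removed together with it.` That last expectation (deleting the agent policy also removes its package policies) is Fleet behaviour I cannot confirm from this diff, so it is worth verifying against the Kibana version the benchmarks target.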
@@ -43,8 +43,10 @@ const (
 // are stored on the Agent container's filesystem.
 ServiceLogsAgentDir = "/tmp/service_logs"
- // BenchType defining system benchmark/
+ // BenchType defining system benchmark
 BenchType benchrunner.Type = "system"
+
+ defaultNamespace = "ep"
 )
 type runner struct {
@@ -194,7 +196,7 @@ func (r *runner) setUp(ctx context.Context) error {
 r.scenario.Package = pkgManifest.Name
 }
- policy, err := r.createBenchmarkPolicy(ctx, pkgManifest)
+ policy, err := r.createBenchmarkPolicy(ctx, pkgManifest, defaultNamespace)
 if err != nil {
 return err
 }
@@ -474,14 +476,14 @@ func (r *runner) deleteDataStreamDocs(ctx context.Context, dataStream string) er
 // return policy, nil
 // }
-func (r *runner) createBenchmarkPolicy(ctx context.Context, pkgManifest *packages.PackageManifest) (*kibana.Policy, error) {
+func (r *runner) createBenchmarkPolicy(ctx context.Context, pkgManifest *packages.PackageManifest, namespace string) (*kibana.Policy, error) {
 // Configure package (single data stream) via Ingest Manager APIs.
 logger.Debug("creating benchmark policy...")
 benchTime := time.Now().Format("20060102T15:04:05Z")
 p := kibana.Policy{
 Name: fmt.Sprintf("ep-bench-%s-%s", r.options.BenchName, benchTime),
 Description: fmt.Sprintf("policy created by elastic-package for benchmark %s", r.options.BenchName),
- Namespace: "ep",
+ Namespace: namespace,
 MonitoringEnabled: []string{"logs", "metrics"},
 }
@@ -531,7 +533,7 @@ func (r *runner) createPackagePolicy(ctx context.Context, pkgManifest *packages.
 }
 pp := kibana.PackagePolicy{
- Namespace: "ep",
+ Namespace: p.Namespace,
 PolicyIDs: []string{p.ID},
 Force: true,
 Inputs: map[string]kibana.PackagePolicyInput{
From 0c282fa5dcef27e7e93bb330344ee20ca4bb4f09 Mon Sep 17 00:00:00 2001
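Review bot: `createBenchmarkPolicy` gains a `namespace` parameter, but the only caller in this diff passes the `defaultNamespace` constant, so the namespace is not actually configurable yet and nothing says where a non-default value is meant to come from (a scenario field, a CLI flag). Whatever the eventual source, the value flows unchecked into the Fleet agent policy and, through `p.Namespace`, into the package policy; Fleet enforces its own rules on namespace strings (lower-case, restricted character set, length limit, as far as I recall — not verifiable from this diff), so once this is wired to user input it should be validated up front instead of surfacing as an opaque API error. In the meantime a doc comment would make the intent clear: `// createBenchmarkPolicy creates the Fleet agent policy for this benchmark run in the given namespace; callers currently pass defaultNamespace.` The `// return policy, nil` / `// }` context lines above the signature are leftovers of a commented-out function, which a later commit in this series removes.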
From: Mario Rodriguez Molins
Date: Fri, 24 Oct 2025 15:20:18 +0200
Subject: [PATCH 16/23] Set default values from package manifest earlier

---
 internal/benchrunner/runners/system/runner.go | 25 ++++++-------------
 1 file changed, 7 insertions(+), 18 deletions(-)

diff --git a/internal/benchrunner/runners/system/runner.go b/internal/benchrunner/runners/system/runner.go
index 25e3e26f6f..62a405ee7c 100644
--- a/internal/benchrunner/runners/system/runner.go
+++ b/internal/benchrunner/runners/system/runner.go
@@ -184,18 +184,19 @@ func (r *runner) setUp(ctx context.Context) error {
 return fmt.Errorf("reading data stream manifest failed: %w", err)
 }
+ // Set default values for scenario fields from package manifest if not set
 if r.scenario.Version == "" {
 r.scenario.Version = pkgManifest.Version
- } else {
- // If the scenario version is set, override the package manifest version
- // This is needed to create the policy with the correct version
- pkgManifest.Version = r.scenario.Version
 }
 if r.scenario.Package == "" {
 r.scenario.Package = pkgManifest.Name
 }
+ if r.scenario.PolicyTemplate == "" {
+ r.scenario.PolicyTemplate = pkgManifest.PolicyTemplates[0].Name
+ }
+
 policy, err := r.createBenchmarkPolicy(ctx, pkgManifest, defaultNamespace)
 if err != nil {
 return err
@@ -520,18 +521,6 @@ func (r *runner) createPackagePolicy(ctx context.Context, pkgManifest *packages.
 func (r *runner) createPackagePolicy(ctx context.Context, pkgManifest *packages.PackageManifest, p *kibana.Policy) (*kibana.PackagePolicy, error) {
 logger.Debug("creating package policy...")
- if r.scenario.Version == "" {
- r.scenario.Version = pkgManifest.Version
- }
-
- if r.scenario.Package == "" {
- r.scenario.Package = pkgManifest.Name
- }
-
- if r.scenario.PolicyTemplate == "" {
- r.scenario.PolicyTemplate = pkgManifest.PolicyTemplates[0].Name
- }
-
 pp := kibana.PackagePolicy{
 Namespace: p.Namespace,
 PolicyIDs: []string{p.ID},
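Review bot: `pkgManifest.PolicyTemplates[0].Name` in the new `setUp` block is indexed without checking that the slice is non-empty, so a package whose manifest has no `policy_templates` combined with a scenario that omits `policy_template` panics with an index-out-of-range instead of a readable error (the same unguarded index existed in `createPackagePolicy`, so this is moved rather than introduced, but it is the right moment to fix it). Guard it before the fallback: `if len(pkgManifest.PolicyTemplates) == 0 { return fmt.Errorf("package %s defines no policy templates; set policy_template in the benchmark scenario", pkgManifest.Name) }`. Defaulting to the first template is also only a guess at which template owns `r.scenario.Input`; the commented-out code removed later in this series used `system.FindPolicyTemplateForInput` for that, so either restore the lookup or add a comment stating that the first-template fallback is deliberate. `setUp` continues outside the hunk.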
@@ -541,7 +530,7 @@ func (r *runner) createPackagePolicy(ctx context.Context, pkgManifest *packages.
 Enabled: true,
 Vars: r.scenario.Vars,
 Streams: map[string]kibana.PackagePolicyStream{
- fmt.Sprintf("%s.%s", pkgManifest.Name, r.scenario.DataStream.Name): {
+ fmt.Sprintf("%s.%s", r.scenario.Package, r.scenario.DataStream.Name): {
 Enabled: true,
 Vars: r.scenario.DataStream.Vars,
 },
@@ -564,7 +553,7 @@ func (r *runner) createPackagePolicy(ctx context.Context, pkgManifest *packages.
 }
 }
- pp.Package.Name = pkgManifest.Name
+ pp.Package.Name = r.scenario.Package
 pp.Package.Version = r.scenario.Version
 policy, err := r.options.KibanaClient.CreatePackagePolicy(ctx, pp)
From 8e5c1b5e38b83c5dcea2a01ea81708b13339dafd Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Fri, 24 Oct 2025 16:27:44 +0200
Subject: [PATCH 17/23] Remove for now policyIDs keys

---
 internal/benchrunner/runners/system/runner.go | 2 +-
 internal/kibana/policies.go | 11 +++++------
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/internal/benchrunner/runners/system/runner.go b/internal/benchrunner/runners/system/runner.go
index 62a405ee7c..ae5145b02f 100644
--- a/internal/benchrunner/runners/system/runner.go
+++ b/internal/benchrunner/runners/system/runner.go
@@ -523,7 +523,7 @@ func (r *runner) createPackagePolicy(ctx context.Context, pkgManifest *packages.
 pp := kibana.PackagePolicy{
 Namespace: p.Namespace,
- PolicyIDs: []string{p.ID},
+ PolicyID: p.ID,
 Force: true,
 Inputs: map[string]kibana.PackagePolicyInput{
 fmt.Sprintf("%s-%s", r.scenario.PolicyTemplate, r.scenario.Input): {
diff --git a/internal/kibana/policies.go b/internal/kibana/policies.go
index 811f955634..5b618fb82f 100644
--- a/internal/kibana/policies.go
+++ b/internal/kibana/policies.go
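Review bot: `pp.Package.Name = r.scenario.Package` and the stream key built from it now trust the scenario's `package` field instead of the manifest name, so a scenario whose `package` differs from the package under test creates a package policy for some other package, and with `Force: true` set on the same struct there is little chance of Fleet pushing back on the mismatch. Since `r.scenario.Package` is defaulted to `pkgManifest.Name` earlier in this series, a divergence can only come from an explicit scenario value, which is more likely a copy-paste mistake than an intent; I would reject it before building the policy, `if r.scenario.Package != pkgManifest.Name { return nil, fmt.Errorf("scenario package %q does not match package under test %q", r.scenario.Package, pkgManifest.Name) }`, or at least log it. `createPackagePolicy`'s body extends beyond the hunk, so I cannot see whether such a check already exists elsewhere.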
@@ -259,12 +259,11 @@ func (c *Client) AddPackageDataStreamToPolicy(ctx context.Context, r PackageData
 // PackagePolicy represents an Package Policy in Fleet.
 type PackagePolicy struct {
- ID string `json:"id,omitempty"`
- Name string `json:"name"`
- Description string `json:"description"`
- Namespace string `json:"namespace"`
- PolicyIDs []string `json:"policy_ids,omitempty"`
- PolicyID string `json:"policy_id,omitempty"` // Deprecated: use PolicyIDs
+ ID string `json:"id,omitempty"`
+ Name string `json:"name"`
+ Description string `json:"description"`
+ Namespace string `json:"namespace"`
+ PolicyID string `json:"policy_id"`
 Package struct {
 Name string `json:"name"`
 Version string `json:"version"`
From b42d76e5bde774e3ffc10b13ad228e3c61d4d37b Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Fri, 24 Oct 2025 17:05:10 +0200
Subject: [PATCH 18/23] Remove commented code

---
 internal/benchrunner/runners/system/runner.go | 111 ++----------------
 1 file changed, 9 insertions(+), 102 deletions(-)

diff --git a/internal/benchrunner/runners/system/runner.go b/internal/benchrunner/runners/system/runner.go
index ae5145b02f..ed9be00ee0 100644
--- a/internal/benchrunner/runners/system/runner.go
+++ b/internal/benchrunner/runners/system/runner.go
@@ -174,16 +174,6 @@ func (r *runner) setUp(ctx context.Context) error {
 return fmt.Errorf("reading package manifest failed: %w", err)
 }
- dataStreamManifest, err := packages.ReadDataStreamManifest(
- filepath.Join(
- common.DataStreamPath(r.options.PackageRootPath, r.scenario.DataStream.Name),
- packages.DataStreamManifestFile,
- ),
- )
- if err != nil {
- return fmt.Errorf("reading data stream manifest failed: %w", err)
- }
-
 // Set default values for scenario fields from package manifest if not set
 if r.scenario.Version == "" {
 r.scenario.Version = pkgManifest.Version
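Review bot: Dropping `omitempty` from `PolicyID` means a `PackagePolicy` built without a policy ID is serialised as `"policy_id": ""` instead of omitting the key, which turns a client-side programming error into whatever Fleet does with an empty string rather than a clear missing-field rejection; keeping `json:"policy_id,omitempty"`, or validating `PolicyID != ""` before the request, is the safer shape. The commit title says `policy_ids` support is only postponed, yet the `// Deprecated: use PolicyIDs` marker disappears with nothing in its place, so that intent is lost to the next reader; a one-line comment would keep it: `// PolicyID is the agent policy this package policy belongs to; the multi-policy policy_ids field is intentionally not sent yet.` If this struct is also used to decode Fleet responses (the `omitempty` on `ID` suggests so), note that a `policy_ids` array in a response is now silently ignored, which is probably acceptable but worth knowing.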
@@ -203,11 +193,15 @@ func (r *runner) setUp(ctx context.Context) error {
 }
 r.benchPolicy = policy
- // policy, err := r.createBenchmarkPolicy(ctx, pkgManifest, dataStreamManifest)
- // if err != nil {
- // return err
- // }
- // r.benchPolicy = policy
+ dataStreamManifest, err := packages.ReadDataStreamManifest(
+ filepath.Join(
+ common.DataStreamPath(r.options.PackageRootPath, r.scenario.DataStream.Name),
+ packages.DataStreamManifestFile,
+ ),
+ )
+ if err != nil {
+ return fmt.Errorf("reading data stream manifest failed: %w", err)
+ }
 r.runtimeDataStream = fmt.Sprintf(
 "%s-%s.%s-%s",
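Review bot: Reading the data stream manifest now happens after `createBenchmarkPolicy` has already created an agent policy (and a package policy) in Fleet, so a missing or malformed local manifest aborts `setUp` with remote state already created; the ordering removed in the previous hunk of this commit validated the local file before touching Fleet. Unless the caller is guaranteed to run `r.deletePolicyHandler` when `setUp` returns an error — not visible here — I would keep the `ReadDataStreamManifest` call where it was, which is a pure move of these nine lines back above `policy, err := r.createBenchmarkPolicy(...)`. If the later position is deliberate (for example because the manifest is only needed for `r.runtimeDataStream`), a one-line comment saying so would stop the next reader from moving it back. `setUp` continues outside the hunk.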
@@ -390,93 +384,6 @@ func (r *runner) deleteDataStreamDocs(ctx context.Context, dataStream string) er return nil } -//func (r *runner) deleteDataStream(ctx context.Context, dataStream string) error { -// resp, err := r.options.ESAPI.Indices.DeleteDataStream([]string{dataStream}, -// r.options.ESAPI.Indices.DeleteDataStream.WithContext(ctx), -// ) -// if err != nil { -// return fmt.Errorf("delete request failed for data stream %s: %w", dataStream, err) -// } -// defer resp.Body.Close() -// if resp.StatusCode == http.StatusNotFound { -// // Data stream doesn't exist, there was nothing to do. -// return nil -// } -// if resp.IsError() { -// return fmt.Errorf("delete request failed for data stream %s: %s", dataStream, resp.String()) -// } -// return nil -//} - -// func (r *runner) createBenchmarkPolicy(ctx context.Context, pkgManifest *packages.PackageManifest, dataStreamManifest *packages.DataStreamManifest) (*kibana.Policy, error) { -// // Configure package (single data stream) via Ingest Manager APIs. -// logger.Debug("creating benchmark policy...") -// benchTime := time.Now().Format("20060102T15:04:05Z") -// p := kibana.Policy{ -// Name: fmt.Sprintf("ep-bench-%s-%s", r.options.BenchName, benchTime), -// Description: fmt.Sprintf("policy created by elastic-package for benchmark %s", r.options.BenchName), -// Namespace: "ep38915", // fmt.Sprintf("ep%s", commonHelpers.CreateTestRunID()), -// MonitoringEnabled: []string{"logs", "metrics"}, -// } -// -// // Assign the data_output_id to the agent policy to configure the output to logstash. 
The value is inferred from stack/_static/kibana.yml.tmpl -// if r.options.Profile.Config("stack.logstash_enabled", "false") == "true" { -// p.DataOutputID = "fleet-logstash-output" -// } -// -// policy, err := r.options.KibanaClient.CreatePolicy(ctx, p) -// if err != nil { -// return nil, fmt.Errorf("failed to create benchmark policy: %w", err) -// } -// -// if r.scenario.PolicyTemplate == "" { -// policyTemplateName, err := system.FindPolicyTemplateForInput(pkgManifest, dataStreamManifest, r.scenario.Input) -// if err != nil { -// return nil, fmt.Errorf("failed to determine the associated policy_template: %w", err) -// } -// r.scenario.PolicyTemplate = policyTemplateName -// } -// policyTemplate, err := system.SelectPolicyTemplateByName(pkgManifest.PolicyTemplates, r.scenario.PolicyTemplate) -// if err != nil { -// return nil, fmt.Errorf("failed to find the selected policy_template: %w", err) -// } -// -// logger.Debug("adding package data stream to benchmark policy...") -// ds, err := system.CreatePackageDatastream( -// policy, -// pkgManifest, -// policyTemplate, -// dataStreamManifest, -// r.scenario.Input, -// r.scenario.Vars, -// r.scenario.DataStream.Vars, -// policy.Namespace) -// if err != nil { -// return nil, fmt.Errorf("could not create package data stream: %w", err) -// } -// -// if err := r.options.KibanaClient.AddPackageDataStreamToPolicy(ctx, ds); err != nil { -// return nil, fmt.Errorf("could not add data stream config to policy: %w", err) -// } -// -// r.deletePolicyHandler = func(ctx context.Context) error { -// var merr multierror.Error -// -// logger.Debug("deleting benchmark policy...") -// if err := r.options.KibanaClient.DeletePolicy(ctx, policy.ID); err != nil { -// merr = append(merr, fmt.Errorf("error cleaning up benchmark policy: %w", err)) -// } -// -// if len(merr) > 0 { -// return merr -// } -// -// return nil -// } -// -// return policy, nil -// } - func (r *runner) createBenchmarkPolicy(ctx context.Context, pkgManifest 
*packages.PackageManifest, namespace string) (*kibana.Policy, error) { // Configure package (single data stream) via Ingest Manager APIs. logger.Debug("creating benchmark policy...") From ed610d437e49f40e64c9b6c37ffcf666c0135640 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Fri, 24 Oct 2025 17:11:50 +0200 Subject: [PATCH 19/23] Revert "Input packages do not use data stream vars" This reverts commit 7faec54598be5f77c573d0438b3287761b2c064b. --- internal/testrunner/runners/system/tester.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/testrunner/runners/system/tester.go b/internal/testrunner/runners/system/tester.go index 555509cb17..167f063925 100644 --- a/internal/testrunner/runners/system/tester.go +++ b/internal/testrunner/runners/system/tester.go @@ -1919,7 +1919,7 @@ func CreatePackageDatastream( suffix string, ) (kibana.PackageDataStream, error) { if pkg.Type == "input" { - return createInputPackageDatastream(kibanaPolicy, pkg, policyTemplate, cfgVars, suffix), nil + return createInputPackageDatastream(kibanaPolicy, pkg, policyTemplate, cfgVars, cfgDSVars, suffix), nil } if ds == nil { return kibana.PackageDataStream{}, fmt.Errorf("data stream manifest is required for integration packages") @@ -1991,7 +1991,7 @@ func createInputPackageDatastream( kibanaPolicy *kibana.Policy, pkg *packages.PackageManifest, policyTemplate packages.PolicyTemplate, - cfgVars common.MapStr, + cfgVars, cfgDSVars common.MapStr, suffix string, ) kibana.PackageDataStream { r := kibana.PackageDataStream{ From b20b0e5f407c54eac8ec5249becd6480df60f79b Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Fri, 24 Oct 2025 17:12:30 +0200 Subject: [PATCH 20/23] Remove more commented code --- internal/benchrunner/runners/system/runner.go | 3 --- 1 file changed, 3 deletions(-) diff --git a/internal/benchrunner/runners/system/runner.go b/internal/benchrunner/runners/system/runner.go index ed9be00ee0..4a9620d59f 100644 
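Review bot: `createInputPackageDatastream` regains the `cfgDSVars` parameter, but its body lies outside the hunk, so this diff does not show the data stream variables being applied anywhere; Go does not warn about unused parameters, and if the body still ignores them this revert restores the signature while silently dropping `data_stream.vars` for input-package scenarios. Please confirm that the body reads `cfgDSVars` (the revert message only says the earlier removal was wrong, not that the value is consumed), and if it intentionally does not yet, make that visible with `_ = cfgDSVars // TODO: apply data stream vars for input packages`. A doc comment on the function stating where `cfgVars` and `cfgDSVars` each end up in the resulting `kibana.PackageDataStream` would make the contract explicit for the next change to this signature.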
--- a/internal/benchrunner/runners/system/runner.go +++ b/internal/benchrunner/runners/system/runner.go @@ -26,9 +26,6 @@ import ( "github.com/elastic/elastic-package/internal/benchrunner" "github.com/elastic/elastic-package/internal/benchrunner/reporters" "github.com/elastic/elastic-package/internal/benchrunner/runners/common" - - // commonHelpers "github.com/elastic/elastic-package/internal/common" - // commonHelpers "github.com/elastic/elastic-package/internal/common" "github.com/elastic/elastic-package/internal/configuration/locations" "github.com/elastic/elastic-package/internal/kibana" "github.com/elastic/elastic-package/internal/logger" From 34c86ed2a06e9c16be3b4b51f23ad105aed83a37 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Fri, 24 Oct 2025 17:43:21 +0200 Subject: [PATCH 21/23] Update comment --- internal/benchrunner/runners/system/runner.go | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/internal/benchrunner/runners/system/runner.go b/internal/benchrunner/runners/system/runner.go index 4a9620d59f..b34efab3a2 100644 --- a/internal/benchrunner/runners/system/runner.go +++ b/internal/benchrunner/runners/system/runner.go @@ -443,8 +443,10 @@ func (r *runner) createPackagePolicy(ctx context.Context, pkgManifest *packages. }, } - // All other policy templates and inputs must be disabled, - // otherwise Fleet will try to enable them too. + // By default, all policy templates are enabled when creating a package policy. + // This could lead to errors if other policy templates have required variables. + // Therefore, all other policy templates and inputs must be disabled since here + // just the variables for the current input are set. // NOTE: This data is retrieved from the local package manifest. for _, policyTemplate := range pkgManifest.PolicyTemplates { for _, input := range policyTemplate.Inputs { From cedd774cc87e19d12319b77b6fe9f1e75c4b7ec4 Mon Sep 17 00:00:00 2001 
From: Mario Rodriguez Molins Date: Mon, 27 Oct 2025 12:43:55 +0100 Subject: [PATCH 22/23] Restore orka steps --- .buildkite/pipeline.trigger.integration.tests.sh | 16 ++++++++-------- .buildkite/pipeline.yml | 16 ++++++++-------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/.buildkite/pipeline.trigger.integration.tests.sh b/.buildkite/pipeline.trigger.integration.tests.sh index fd98fcbc56..5dffc5d0e3 100755 --- a/.buildkite/pipeline.trigger.integration.tests.sh +++ b/.buildkite/pipeline.trigger.integration.tests.sh @@ -163,14 +163,14 @@ popd > /dev/null # TODO: Missing docker & docker-compose in MACOS ARM agent image, skip installation of packages in the meantime. # If docker and docker-compose are available for this platform/architecture, it could be added a step to test the stack commands (or even replace this one). -# echo " - label: \":macos: :go: Integration test: build-zip\"" -# echo " command: ./.buildkite/scripts/integration_tests.sh -t test-build-zip" -# echo " agents:" -# echo " provider: \"orka\"" -# echo " imagePrefix: \"${MACOS_ARM_AGENT_IMAGE}\"" -# echo " artifact_paths:" -# echo " - build/elastic-stack-dump/build-zip/logs/*.log" -# echo " - build/packages/*.sig" +echo " - label: \":macos: :go: Integration test: build-zip\"" +echo " command: ./.buildkite/scripts/integration_tests.sh -t test-build-zip" +echo " agents:" +echo " provider: \"orka\"" +echo " imagePrefix: \"${MACOS_ARM_AGENT_IMAGE}\"" +echo " artifact_paths:" +echo " - build/elastic-stack-dump/build-zip/logs/*.log" +echo " - build/packages/*.sig" echo " - label: \":go: Integration test: build-install-zip\"" echo " command: ./.buildkite/scripts/integration_tests.sh -t test-build-install-zip" diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml index 1c3361dd5f..6bb1b2b376 100644 --- a/.buildkite/pipeline.yml +++ b/.buildkite/pipeline.yml 
@@ -54,14 +54,14 @@ steps: artifact_paths: - "TEST-unit-windows.xml" - # - label: ":macos: Run unit tests" - # key: unit-tests-mac-arm - # command: ".buildkite/scripts/unit_tests_macos_arm.sh" - # agents: - # provider: "orka" - # imagePrefix: "${MACOS_ARM_AGENT_IMAGE}" - # artifact_paths: - # - "build/test-results/*.xml" + - label: ":macos: Run unit tests" + key: unit-tests-mac-arm + command: ".buildkite/scripts/unit_tests_macos_arm.sh" + agents: + provider: "orka" + imagePrefix: "${MACOS_ARM_AGENT_IMAGE}" + artifact_paths: + - "build/test-results/*.xml" - wait: ~ continue_on_failure: true From f7419dd0f8f0b396972ce6f3aa0753ad9fc4cc3d Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Mon, 27 Oct 2025 15:11:19 +0100 Subject: [PATCH 23/23] Add notes to system benchmarking docs --- docs/howto/system_benchmarking.md | 36 +++++++++++++++++++++++-------- 1 file changed, 27 insertions(+), 9 deletions(-) diff --git a/docs/howto/system_benchmarking.md b/docs/howto/system_benchmarking.md index 53ff88b84f..7592773955 100644 --- a/docs/howto/system_benchmarking.md +++ b/docs/howto/system_benchmarking.md @@ -62,7 +62,7 @@ resources using selected cloud provider and use them for testing (e.g. observe a Sample `main.tf` definition: -``` +```hcl variable "TEST_RUN_ID" { default = "detached" } @@ -97,7 +97,7 @@ For example, if a `SQS queue` is configured in terraform and if the `queue_url` Sample Terraform definition -``` +```hcl resource "aws_sqs_queue" "test" { } @@ -109,7 +109,7 @@ output "queue_url"{ Sample system test config -``` yaml +```yaml data_stream: vars: period: 5m @@ -122,7 +122,7 @@ data_stream: For complex outputs from terraform you can use `{{TF_OUTPUT_root_key.nested_key}}` -``` +```hcl output "root_key"{ value = someoutput.nested_key_value } @@ -143,7 +143,7 @@ output "root_key"{ } } ``` -``` yaml +```yaml data_stream: vars: queue_url: '{{TF_OUTPUT_root_key.nested_key}}' 
@@ -303,9 +303,13 @@ Placeholders used in the `.yml` must be enclosed in `{{` and `}}` deli Once the configuration is defined as described in the previous section, you are ready to run system benchmarks for a package. -First you must deploy the Elastic Stack. +First, build your package (if you have local changes) and deploy the Elastic Stack. + +```shell +# Build the package first if you've made local modifications. +# This step is required before starting the Elastic stack when testing local changes. +elastic-package build -``` elastic-package stack up -d ``` @@ -388,9 +392,23 @@ elastic-package benchmark system --benchmark logs-benchmark -v Done ``` +To re-run the system benchmark with local changes, follow these steps: +1. Uninstall the package to ensure your latest local changes are used: +```shell +elastic-package uninstall +``` +2. Build the package with your changes: +```shell +elastic-package build +``` +3. Restart the Package Registry service to load the updated package: +```shell +elastic-package stack up -d --services package-registry +``` + Finally, when you are done running the benchmark, bring down the Elastic Stack. -``` +```shell elastic-package stack down ``` @@ -421,6 +439,6 @@ The collected metrics include the following node stats: `nodes.*.breakers`, `nod Ingest pipelines metrics are only collected at the end since its own collection would affect the benchmark results. -You can see a sample collected metric [here](./sample_metric.json) +You can see a sample collected metric [here](./sample_metric.json). Additionally, if the `reindex-to-metricstore` flag is used, the data generated during the benchmark will be sent to the metricstore into an index called `bench-reindex-{datastream}-{testRunID}` for further analysis. The events will be enriched with metadata related to the benchmark run.