diff --git a/packages/sentinel_one/_dev/benchmark/rally/threat_event-benchmark.yml b/packages/sentinel_one/_dev/benchmark/rally/threat_event-benchmark.yml
new file mode 100644
index 00000000000..c1b914149ad
--- /dev/null
+++ b/packages/sentinel_one/_dev/benchmark/rally/threat_event-benchmark.yml
@@ -0,0 +1,14 @@
+---
+description: Benchmark 100000 sentinel_one.threat_event events ingested
+data_stream:
+ name: threat_event
+corpora:
+ generator:
+ total_events: 100000
+ template:
+ type: gotext
+ path: ./threatevent-benchmark/template.ndjson
+ config:
+ path: ./threatevent-benchmark/config.yml
+ fields:
+ path: ./threatevent-benchmark/fields.yml
diff --git a/packages/sentinel_one/_dev/benchmark/rally/threatevent-benchmark/config.yml b/packages/sentinel_one/_dev/benchmark/rally/threatevent-benchmark/config.yml
new file mode 100644
index 00000000000..cdf406ce284
--- /dev/null
+++ b/packages/sentinel_one/_dev/benchmark/rally/threatevent-benchmark/config.yml
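Review bot: The descriptor is named `threat_event-benchmark.yml` and declares `name: threat_event`, yet all three `path:` entries point at a `threatevent-benchmark/` directory without the underscore, so the data-stream name and the asset directory follow different conventions. The other files in this commit confirm the directory really is `threatevent-benchmark`, so the paths resolve, but it makes the corpus assets harder to locate by data-stream name and invites a typo the next time someone copies the pattern. Renaming the directory to `threat_event-benchmark/` and updating the three `path:` lines (`path: ./threat_event-benchmark/template.ndjson` and the two siblings) would keep them in step, assuming the package's other rally benchmarks follow the data-stream name.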
@@ -0,0 +1,192 @@
+fields:
+ - name: activeContentFileId
+ cardinality: 1000
+ - name: activeContentHash
+ cardinality: 1000
+ - name: activeContentPath
+ cardinality: 1000
+ - name: agentDomain
+ cardinality: 1000
+ - name: agentGroupId
+ cardinality: 1000
+ - name: agentId
+ cardinality: 1000
+ - name: agentIp
+ cardinality: 1000
+ - name: agentMachineType
+ cardinality: 1000
+ - name: agentName
+ cardinality: 1000
+ - name: agentNetworkStatus
+ cardinality: 1000
+ - name: agentOs
+ enum:
+ - linux
+ - windows
+ - macos
+ - unix
+ - android
+ - ios
+ - name: agentUuid
+ cardinality: 1000
+ - name: agentVersion
+ cardinality: 1000
+ - name: connectionStatus
+ cardinality: 1000
+ - name: direction
+ cardinality: 1000
+ - name: dnsRequest
+ cardinality: 1000
+ - name: dnsResponse
+ cardinality: 1000
+ - name: dstIp
+ cardinality: 1000
+ - name: dstPort
+ range:
+ min: 0
+ max: 65535
+ - name: eventType
+ cardinality: 1000
+ - name: fileFullName
+ cardinality: 1000
+ - name: fileId
+ cardinality: 1000
+ - name: fileMd5
+ cardinality: 1000
+ - name: fileSha1
+ cardinality: 1000
+ - name: fileSha256
+ cardinality: 1000
+ - name: fileSize
+ range:
+ min: 1
+ max: 1000
+ cardinality: 100
+ - name: fileType
+ cardinality: 1000
+ - name: hasActiveContent
+ - name: id
+ range:
+ min: 100000000000000000
+ max: 999999999999999999
+ cardinality: 100000
+ - name: indicatorCategory
+ cardinality: 1000
+ - name: indicatorDescription
+ cardinality: 1000
+ - name: indicatorMetadata
+ cardinality: 1000
+ - name: indicatorName
+ cardinality: 1000
+ - name: loginsBaseType
+ cardinality: 1000
+ - name: loginsUserName
+ cardinality: 1000
+ - name: md5
+ cardinality: 1000
+ - name: networkMethod
+ cardinality: 1000
+ - name: networkSource
+ cardinality: 1000
+ - name: networkUrl
+ cardinality: 1000
+ - name: objectType
+ cardinality: 1000
+ - name: oldFileMd5
+ cardinality: 1000
+ - name: oldFileName
+ cardinality: 1000
+ - name: oldFileSha1
+ cardinality: 1000
+ - name: oldFileSha256
+ cardinality: 1000
+ - name: parentPid
+ range:
+ min: 0
+ max: 10000
+ - name: parentProcessGroupId
+ cardinality: 1000
+ - name: parentProcessName
+ cardinality: 1000
+ - name: parentProcessUniqueKey
+ cardinality: 1000
+ - name: pid
+ range:
+ min: 0
+ max: 10000
+ - name: processCmd
+ cardinality: 1000
+ - name: processDisplayName
+ cardinality: 1000
+ - name: processGroupId
+ cardinality: 1000
+ - name: processImagePath
+ cardinality: 1000
+ - name: processImageSha1Hash
+ cardinality: 1000
+ - name: processIntegrityLevel
+ cardinality: 1000
+ - name: processIsMalicious
+ - name: processIsRedirectedCommandProcessor
+ cardinality: 1000
+ - name: processIsWow64
+ cardinality: 1000
+ - name: processName
+ cardinality: 1000
+ - name: processRoot
+ cardinality: 1000
+ - name: processSessionId
+ cardinality: 1000
+ - name: processSubSystem
+ cardinality: 1000
+ - name: processUniqueKey
+ cardinality: 1000
+ - name: processUserName
+ cardinality: 1000
+ - name: protocol
+ cardinality: 1000
+ - name: publisher
+ cardinality: 1000
+ - name: registryClassification
+ cardinality: 1000
+ - name: registryId
+ cardinality: 1000
+ - name: registryPath
+ cardinality: 1000
+ - name: relatedToThreat
+ - name: rpid
+ cardinality: 1000
+ - name: sha1
+ cardinality: 1000
+ - name: sha256
+ cardinality: 1000
+ - name: signatureSignedInvalidReason
+ cardinality: 1000
+ - name: signedStatus
+ cardinality: 1000
+ - name: siteId
+ cardinality: 1000
+ - name: siteName
+ cardinality: 1000
+ - name: srcIp
+ cardinality: 1000
+ - name: srcPort
+ range:
+ min: 0
+ max: 65535
+ - name: storyline
+ cardinality: 1000
+ - name: taskName
+ cardinality: 1000
+ - name: taskPath
+ cardinality: 1000
+ - name: threatStatus
+ cardinality: 1000
+ - name: tid
+ cardinality: 1000
+ - name: trueContext
+ cardinality: 1000
+ - name: user
+ cardinality: 1000
+ - name: verifiedStatus
+ cardinality: 1000
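Review bot: Fields that carry a small fixed vocabulary in real SentinelOne payloads — `eventType`, `objectType`, `direction`, `protocol`, `connectionStatus`, `threatStatus`, `verifiedStatus`, `signedStatus`, `agentNetworkStatus` (the mock in this same commit shows `"agentNetworkStatus": "online"`) — are configured with `cardinality: 1000`, so the generator emits a thousand distinct random strings for each of them. If the threat_event ingest pipeline branches on any of those values (for instance deriving `event.category`/`event.type` from `eventType`), every benchmark document will fall through to the default branch and the measured throughput will not represent production traffic; the `enum:` form already used for `agentOs` is the right tool here, populated with the values the API actually emits rather than with a cardinality. The hash fields (`fileMd5`, `fileSha1`, `fileSha256`, `md5`, `sha1`, `sha256`, `processImageSha1Hash`, `oldFile*`) have the same problem in a milder form: random keyword strings are not fixed-length hex, so any hash validation or normalisation in the pipeline is exercised only on its rejection path. Separately, `id` is declared `keyword` in fields.yml, so the numeric `range:` block placed under it here is likely ignored by the generator; confirm against the generator's field options and either type `id` as `long` or drop the range.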
diff --git a/packages/sentinel_one/_dev/benchmark/rally/threatevent-benchmark/fields.yml b/packages/sentinel_one/_dev/benchmark/rally/threatevent-benchmark/fields.yml
new file mode 100644
index 00000000000..fce60c44935
--- /dev/null
+++ b/packages/sentinel_one/_dev/benchmark/rally/threatevent-benchmark/fields.yml
@@ -0,0 +1,186 @@
+- name: activeContentFileId
+ type: keyword
+- name: activeContentHash
+ type: keyword
+- name: activeContentPath
+ type: keyword
+- name: agentDomain
+ type: keyword
+- name: agentGroupId
+ type: keyword
+- name: agentId
+ type: keyword
+- name: agentInfected
+ type: boolean
+- name: agentIp
+ type: ip
+- name: agentIsActive
+ type: boolean
+- name: agentIsDecommissioned
+ type: boolean
+- name: agentMachineType
+ type: keyword
+- name: agentName
+ type: keyword
+- name: agentNetworkStatus
+ type: keyword
+- name: agentOs
+ type: keyword
+- name: agentUuid
+ type: keyword
+- name: agentVersion
+ type: keyword
+- name: connectionStatus
+ type: keyword
+- name: createdAt
+ type: date
+- name: direction
+ type: keyword
+- name: dnsRequest
+ type: keyword
+- name: dnsResponse
+ type: keyword
+- name: dstIp
+ type: ip
+- name: dstPort
+ type: long
+- name: eventType
+ type: keyword
+- name: fileFullName
+ type: keyword
+- name: fileId
+ type: keyword
+- name: fileMd5
+ type: keyword
+- name: fileSha1
+ type: keyword
+- name: fileSha256
+ type: keyword
+- name: fileSize
+ type: long
+- name: fileType
+ type: keyword
+- name: hasActiveContent
+ type: boolean
+- name: id
+ type: keyword
+- name: indicatorCategory
+ type: keyword
+- name: indicatorDescription
+ type: keyword
+- name: indicatorMetadata
+ type: keyword
+- name: indicatorName
+ type: keyword
+- name: loginsBaseType
+ type: keyword
+- name: loginsUserName
+ type: keyword
+- name: md5
+ type: keyword
+- name: networkMethod
+ type: keyword
+- name: networkSource
+ type: keyword
+- name: networkUrl
+ type: keyword
+- name: objectType
+ type: keyword
+- name: oldFileMd5
+ type: keyword
+- name: oldFileName
+ type: keyword
+- name: oldFileSha1
+ type: keyword
+- name: oldFileSha256
+ type: keyword
+- name: parentPid
+ type: long
+- name: parentProcessGroupId
+ type: keyword
+- name: parentProcessIsMalicious
+ type: boolean
+- name: parentProcessName
+ type: keyword
+- name: parentProcessUniqueKey
+ type: keyword
+- name: pid
+ type: long
+- name: processCmd
+ type: keyword
+- name: processDisplayName
+ type: keyword
+- name: processGroupId
+ type: keyword
+- name: processImagePath
+ type: keyword
+- name: processImageSha1Hash
+ type: keyword
+- name: processIntegrityLevel
+ type: keyword
+- name: processIsMalicious
+ type: boolean
+- name: processIsRedirectedCommandProcessor
+ type: keyword
+- name: processIsWow64
+ type: keyword
+- name: processName
+ type: keyword
+- name: processRoot
+ type: keyword
+- name: processSessionId
+ type: keyword
+- name: processStartTime
+ type: date
+- name: processSubSystem
+ type: keyword
+- name: processUniqueKey
+ type: keyword
+- name: processUserName
+ type: keyword
+- name: protocol
+ type: keyword
+- name: publisher
+ type: keyword
+- name: registryClassification
+ type: keyword
+- name: registryId
+ type: keyword
+- name: registryPath
+ type: keyword
+- name: relatedToThreat
+ type: boolean
+- name: rpid
+ type: keyword
+- name: sha1
+ type: keyword
+- name: sha256
+ type: keyword
+- name: signatureSignedInvalidReason
+ type: keyword
+- name: signedStatus
+ type: keyword
+- name: siteId
+ type: keyword
+- name: siteName
+ type: keyword
+- name: srcIp
+ type: ip
+- name: srcPort
+ type: long
+- name: storyline
+ type: keyword
+- name: taskName
+ type: keyword
+- name: taskPath
+ type: keyword
+- name: threatStatus
+ type: keyword
+- name: tid
+ type: keyword
+- name: trueContext
+ type: keyword
+- name: user
+ type: keyword
+- name: verifiedStatus
+ type: keyword
diff --git a/packages/sentinel_one/_dev/benchmark/rally/threatevent-benchmark/template.ndjson b/packages/sentinel_one/_dev/benchmark/rally/threatevent-benchmark/template.ndjson
new file mode 100644
index 00000000000..79093aeed16
--- /dev/null
+++ b/packages/sentinel_one/_dev/benchmark/rally/threatevent-benchmark/template.ndjson
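Review bot: `processIsRedirectedCommandProcessor` and `processIsWow64` are typed `keyword` while every other flag in this file (`processIsMalicious`, `parentProcessIsMalicious`, `agentIsActive`, `agentInfected`, `hasActiveContent`, `relatedToThreat`) is `boolean`, and the companion config.yml gives both of them `cardinality: 1000`, so the generator will fill them with random strings. If the threat_event pipeline converts these two to boolean, as their names and the sibling fields suggest, every generated document will hit the conversion-failure path rather than the normal one, which skews what the benchmark measures. Change both entries to `type: boolean` and remove their `cardinality` lines from config.yml so they are generated the same way as `processIsMalicious`.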
@@ -0,0 +1,217 @@
+{{- $activeContentFileId := generate "activeContentFileId" }}
+{{- $activeContentHash := generate "activeContentHash" }}
+{{- $activeContentPath := generate "activeContentPath" }}
+{{- $agentDomain := generate "agentDomain" }}
+{{- $agentGroupId := generate "agentGroupId" }}
+{{- $agentId := generate "agentId" }}
+{{- $agentInfected := generate "agentInfected" }}
+{{- $agentIp := generate "agentIp" }}
+{{- $agentIsActive := generate "agentIsActive" }}
+{{- $agentIsDecommissioned := generate "agentIsDecommissioned" }}
+{{- $agentMachineType := generate "agentMachineType" }}
+{{- $agentName := generate "agentName" }}
+{{- $agentNetworkStatus := generate "agentNetworkStatus" }}
+{{- $agentOs := generate "agentOs" }}
+{{- $agentUuid := generate "agentUuid" }}
+{{- $agentVersion := generate "agentVersion" }}
+{{- $connectionStatus := generate "connectionStatus" }}
+{{- $direction := generate "direction" }}
+{{- $dnsRequest := generate "dnsRequest" }}
+{{- $dnsResponse := generate "dnsResponse" }}
+{{- $dstIp := generate "dstIp" }}
+{{- $dstPort := generate "dstPort" }}
+{{- $eventType := generate "eventType" }}
+{{- $fileFullName := generate "fileFullName" }}
+{{- $fileId := generate "fileId" }}
+{{- $fileMd5 := generate "fileMd5" }}
+{{- $fileSha1 := generate "fileSha1" }}
+{{- $fileSha256 := generate "fileSha256" }}
+{{- $fileSize := generate "fileSize" }}
+{{- $fileType := generate "fileType" }}
+{{- $hasActiveContent := generate "hasActiveContent" }}
+{{- $id := generate "id" }}
+{{- $indicatorCategory := generate "indicatorCategory" }}
+{{- $indicatorDescription := generate "indicatorDescription" }}
+{{- $indicatorMetadata := generate "indicatorMetadata" }}
+{{- $indicatorName := generate "indicatorName" }}
+{{- $loginsBaseType := generate "loginsBaseType" }}
+{{- $loginsUserName := generate "loginsUserName" }}
+{{- $md5 := generate "md5" }}
+{{- $networkMethod := generate "networkMethod" }}
+{{- $networkSource := generate "networkSource" }}
+{{- $networkUrl := generate "networkUrl" }}
+{{- $objectType := generate "objectType" }}
+{{- $oldFileMd5 := generate "oldFileMd5" }}
+{{- $oldFileName := generate "oldFileName" }}
+{{- $oldFileSha1 := generate "oldFileSha1" }}
+{{- $oldFileSha256 := generate "oldFileSha256" }}
+{{- $parentPid := generate "parentPid" }}
+{{- $parentProcessGroupId := generate "parentProcessGroupId" }}
+{{- $parentProcessIsMalicious := generate "parentProcessIsMalicious" }}
+{{- $parentProcessName := generate "parentProcessName" }}
+{{- $parentProcessUniqueKey := generate "parentProcessUniqueKey" }}
+{{- $pid := generate "pid" }}
+{{- $processCmd := generate "processCmd" }}
+{{- $processDisplayName := generate "processDisplayName" }}
+{{- $processGroupId := generate "processGroupId" }}
+{{- $processImagePath := generate "processImagePath" }}
+{{- $processImageSha1Hash := generate "processImageSha1Hash" }}
+{{- $processIntegrityLevel := generate "processIntegrityLevel" }}
+{{- $processIsMalicious := generate "processIsMalicious" }}
+{{- $processIsRedirectedCommandProcessor := generate "processIsRedirectedCommandProcessor" }}
+{{- $processIsWow64 := generate "processIsWow64" }}
+{{- $processName := generate "processName" }}
+{{- $processRoot := generate "processRoot" }}
+{{- $processSessionId := generate "processSessionId" }}
+{{- $processSubSystem := generate "processSubSystem" }}
+{{- $processUniqueKey := generate "processUniqueKey" }}
+{{- $processUserName := generate "processUserName" }}
+{{- $protocol := generate "protocol" }}
+{{- $publisher := generate "publisher" }}
+{{- $registryClassification := generate "registryClassification" }}
+{{- $registryId := generate "registryId" }}
+{{- $registryPath := generate "registryPath" }}
+{{- $relatedToThreat := generate "relatedToThreat" }}
+{{- $rpid := generate "rpid" }}
+{{- $sha1 := generate "sha1" }}
+{{- $sha256 := generate "sha256" }}
+{{- $signatureSignedInvalidReason := generate "signatureSignedInvalidReason" }}
+{{- $signedStatus := generate "signedStatus" }}
+{{- $siteId := generate "siteId" }}
+{{- $siteName := generate "siteName" }}
+{{- $srcIp := generate "srcIp" }}
+{{- $srcPort := generate "srcPort" }}
+{{- $storyline := generate "storyline" }}
+{{- $taskName := generate "taskName" }}
+{{- $taskPath := generate "taskPath" }}
+{{- $threatStatus := generate "threatStatus" }}
+{{- $tid := generate "tid" }}
+{{- $trueContext := generate "trueContext" }}
+{{- $user := generate "user" }}
+{{- $verifiedStatus := generate "verifiedStatus" }}
+{{- /*
+{
+ "activeContentFileId": "{{ $activeContentFileId}}",
+ "activeContentHash": "{{ $activeContentHash}}",
+ "activeContentPath": "{{ $activeContentPath}}",
+ "agentDomain": "{{ $agentDomain}}",
+ "agentGroupId": "{{ $agentGroupId}}",
+ "agentId": "{{ $agentId}}",
+ "agentInfected": "{{ $agentInfected}}",
+ "agentIp": "{{ $agentIp}}",
+ "agentIsActive": "{{ $agentIsActive}}",
+ "agentIsDecommissioned": "{{ $agentIsDecommissioned}}",
+ "agentMachineType": "{{ $agentMachineType}}",
+ "agentName": "{{ $agentName}}",
+ "agentNetworkStatus": "{{ $agentNetworkStatus}}",
+ "agentOs": "{{ $agentOs}}",
+ "agentUuid": "{{ $agentUuid}}",
+ "agentVersion": "{{ $agentVersion}}",
+ "connectionStatus": "{{ $connectionStatus}}",
+ "direction": "{{ $direction}}",
+ "dnsRequest": "{{ $dnsRequest}}",
+ "dnsResponse": "{{ $dnsResponse}}",
+ "dstIp": "{{ $dstIp}}",
+ "dstPort": "{{ $dstPort}}",
+ "eventType": "{{ $eventType}}",
+ "fileFullName": "{{ $fileFullName}}",
+ "fileId": "{{ $fileId}}",
+ "fileMd5": "{{ $fileMd5}}",
+ "fileSha1": "{{ $fileSha1}}",
+ "fileSha256": "{{ $fileSha256}}",
+ "fileSize": "{{ $fileSize}}",
+ "fileType": "{{ $fileType}}",
+ "hasActiveContent": "{{ $hasActiveContent}}",
+ "id": "{{ $id}}",
+ "indicatorCategory": "{{ $indicatorCategory}}",
+ "indicatorDescription": "{{ $indicatorDescription}}",
+ "indicatorMetadata": "{{ $indicatorMetadata}}",
+ "indicatorName": "{{ $indicatorName}}",
+ "loginsBaseType": "{{ $loginsBaseType}}",
+ "loginsUserName": "{{ $loginsUserName}}",
+ "md5": "{{ $md5}}",
+ "networkMethod": "{{ $networkMethod}}",
+ "networkSource": "{{ $networkSource}}",
+ "networkUrl": "{{ $networkUrl}}",
+ "objectType": "{{ $objectType}}",
+ "oldFileMd5": "{{ $oldFileMd5}}",
+ "oldFileName": "{{ $oldFileName}}",
+ "oldFileSha1": "{{ $oldFileSha1}}",
+ "oldFileSha256": "{{ $oldFileSha256}}",
+ "parentPid": "{{ $parentPid}}",
+ "parentProcessGroupId": "{{ $parentProcessGroupId}}",
+ "parentProcessIsMalicious": "{{ $parentProcessIsMalicious}}",
+ "parentProcessName": "{{ $parentProcessName}}",
+ "parentProcessUniqueKey": "{{ $parentProcessUniqueKey}}",
+ "pid": "{{ $pid}}",
+ "processCmd": "{{ $processCmd}}",
+ "processDisplayName": "{{ $processDisplayName}}",
+ "processGroupId": "{{ $processGroupId}}",
+ "processImagePath": "{{ $processImagePath}}",
+ "processImageSha1Hash": "{{ $processImageSha1Hash}}",
+ "processIntegrityLevel": "{{ $processIntegrityLevel}}",
+ "processIsMalicious": "{{ $processIsMalicious}}",
+ "processIsRedirectedCommandProcessor": "{{ $processIsRedirectedCommandProcessor}}",
+ "processIsWow64": "{{ $processIsWow64}}",
+ "processName": "{{ $processName}}",
+ "processRoot": "{{ $processRoot}}",
+ "processSessionId": "{{ $processSessionId}}",
+ "processSubSystem": "{{ $processSubSystem}}",
+ "processUniqueKey": "{{ $processUniqueKey}}",
+ "processUserName": "{{ $processUserName}}",
+ "protocol": "{{ $protocol}}",
+ "publisher": "{{ $publisher}}",
+ "registryClassification": "{{ $registryClassification}}",
+ "registryId": "{{ $registryId}}",
+ "registryPath": "{{ $registryPath}}",
+ "relatedToThreat": "{{ $relatedToThreat}}",
+ "rpid": "{{ $rpid}}",
+ "sha1": "{{ $sha1}}",
+ "sha256": "{{ $sha256}}",
+ "signatureSignedInvalidReason": "{{ $signatureSignedInvalidReason}}",
+ "signedStatus": "{{ $signedStatus}}",
+ "siteId": "{{ $siteId}}",
+ "siteName": "{{ $siteName}}",
+ "srcIp": "{{ $srcIp}}",
+ "srcPort": "{{ $srcPort}}",
+ "storyline": "{{ $storyline}}",
+ "taskName": "{{ $taskName}}",
+ "taskPath": "{{ $taskPath}}",
+ "threatStatus": "{{ $threatStatus}}",
+ "tid": "{{ $tid}}",
+ "trueContext": "{{ $trueContext}}",
+ "user": "{{ $user}}",
+ "verifiedStatus": "{{ $verifiedStatus}}"
+}
+*/ -}}
+{
+ "agent": {
+ "ephemeral_id": "cdaaaabb-be7e-432f-816b-bda019fd7c15",
+ "id": "da6cb4c8-c84c-4c5f-97c7-f8586a098af4",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.18.0"
+ },
+ "data_stream": {
+ "dataset": "sentinel_one.threat_event",
+ "namespace": "93724",
+ "type": "logs"
+ },
+ "elastic_agent": {
+ "id": "da6cb4c8-c84c-4c5f-97c7-f8586a098af4",
+ "snapshot": false,
+ "version": "8.18.0"
+ },
+ "message": "{\"activeContentFileId\": \"{{ $activeContentFileId}}\", \"activeContentHash\": \"{{ $activeContentHash}}\", \"activeContentPath\": \"{{ $activeContentPath}}\", \"agentDomain\": \"{{ $agentDomain}}\", \"agentGroupId\": \"{{ $agentGroupId}}\", \"agentId\": \"{{ $agentId}}\", \"agentInfected\": \"{{ $agentInfected}}\", \"agentIp\": \"{{ $agentIp}}\", \"agentIsActive\": \"{{ $agentIsActive}}\", \"agentIsDecommissioned\": \"{{ $agentIsDecommissioned}}\", \"agentMachineType\": \"{{ $agentMachineType}}\", \"agentName\": \"{{ $agentName}}\", \"agentNetworkStatus\": \"{{ $agentNetworkStatus}}\", \"agentOs\": \"{{ $agentOs}}\", \"agentUuid\": \"{{ $agentUuid}}\", \"agentVersion\": \"{{ $agentVersion}}\", \"connectionStatus\": \"{{ $connectionStatus}}\", \"direction\": \"{{ $direction}}\", \"dnsRequest\": \"{{ $dnsRequest}}\", \"dnsResponse\": \"{{ $dnsResponse}}\", \"dstIp\": \"{{ $dstIp}}\", \"dstPort\": \"{{ $dstPort}}\", \"eventType\": \"{{ $eventType}}\", \"fileFullName\": \"{{ $fileFullName}}\", \"fileId\": \"{{ $fileId}}\", \"fileMd5\": \"{{ $fileMd5}}\", \"fileSha1\": \"{{ $fileSha1}}\", \"fileSha256\": \"{{ $fileSha256}}\", \"fileSize\": \"{{ $fileSize}}\", \"fileType\": \"{{ $fileType}}\", \"hasActiveContent\": \"{{ $hasActiveContent}}\", \"id\": \"{{ $id}}\", \"indicatorCategory\": \"{{ $indicatorCategory}}\", \"indicatorDescription\": \"{{ $indicatorDescription}}\", \"indicatorMetadata\": \"{{ $indicatorMetadata}}\", \"indicatorName\": \"{{ $indicatorName}}\", \"loginsBaseType\": \"{{ $loginsBaseType}}\", \"loginsUserName\": \"{{ $loginsUserName}}\", \"md5\": \"{{ $md5}}\", \"networkMethod\": \"{{ $networkMethod}}\", \"networkSource\": \"{{ $networkSource}}\", \"networkUrl\": \"{{ $networkUrl}}\", \"objectType\": \"{{ $objectType}}\", \"oldFileMd5\": \"{{ $oldFileMd5}}\", \"oldFileName\": \"{{ $oldFileName}}\", \"oldFileSha1\": \"{{ $oldFileSha1}}\", \"oldFileSha256\": \"{{ $oldFileSha256}}\", \"parentPid\": \"{{ $parentPid}}\", \"parentProcessGroupId\": \"{{ $parentProcessGroupId}}\", \"parentProcessIsMalicious\": \"{{ $parentProcessIsMalicious}}\", \"parentProcessName\": \"{{ $parentProcessName}}\", \"parentProcessUniqueKey\": \"{{ $parentProcessUniqueKey}}\", \"pid\": \"{{ $pid}}\", \"processCmd\": \"{{ $processCmd}}\", \"processDisplayName\": \"{{ $processDisplayName}}\", \"processGroupId\": \"{{ $processGroupId}}\", \"processImagePath\": \"{{ $processImagePath}}\", \"processImageSha1Hash\": \"{{ $processImageSha1Hash}}\", \"processIntegrityLevel\": \"{{ $processIntegrityLevel}}\", \"processIsMalicious\": \"{{ $processIsMalicious}}\", \"processIsRedirectedCommandProcessor\": \"{{ $processIsRedirectedCommandProcessor}}\", \"processIsWow64\": \"{{ $processIsWow64}}\", \"processName\": \"{{ $processName}}\", \"processRoot\": \"{{ $processRoot}}\", \"processSessionId\": \"{{ $processSessionId}}\", \"processSubSystem\": \"{{ $processSubSystem}}\", \"processUniqueKey\": \"{{ $processUniqueKey}}\", \"processUserName\": \"{{ $processUserName}}\", \"protocol\": \"{{ $protocol}}\", \"publisher\": \"{{ $publisher}}\", \"registryClassification\": \"{{ $registryClassification}}\", \"registryId\": \"{{ $registryId}}\", \"registryPath\": \"{{ $registryPath}}\", \"relatedToThreat\": \"{{ $relatedToThreat}}\", \"rpid\": \"{{ $rpid}}\", \"sha1\": \"{{ $sha1}}\", \"sha256\": \"{{ $sha256}}\", \"signatureSignedInvalidReason\": \"{{ $signatureSignedInvalidReason}}\", \"signedStatus\": \"{{ $signedStatus}}\", \"siteId\": \"{{ $siteId}}\", \"siteName\": \"{{ $siteName}}\", \"srcIp\": \"{{ $srcIp}}\", \"srcPort\": \"{{ $srcPort}}\", \"storyline\": \"{{ $storyline}}\", \"taskName\": \"{{ $taskName}}\", \"taskPath\": \"{{ $taskPath}}\", \"threatStatus\": \"{{ $threatStatus}}\", \"tid\": \"{{ $tid}}\", \"trueContext\": \"{{ $trueContext}}\", \"user\": \"{{ $user}}\", \"verifiedStatus\": \"{{ $verifiedStatus}}\"}",
+ "event": {
+ "dataset": "sentinel_one.threat_event"
+ },
+ "input": {
+ "type": "cel"
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "sentinel_one-threat_event"
+ ]
+}
diff --git a/packages/sentinel_one/_dev/build/docs/README.md b/packages/sentinel_one/_dev/build/docs/README.md
index f4184803593..035559d7a77 100644
--- a/packages/sentinel_one/_dev/build/docs/README.md
+++ b/packages/sentinel_one/_dev/build/docs/README.md
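Review bot: In the `message` value every placeholder is wrapped in escaped double quotes, including the boolean and numeric ones (`\"agentInfected\": \"{{ $agentInfected}}\"`, `\"dstPort\": \"{{ $dstPort}}\"`, `\"pid\": \"{{ $pid}}\"`, `\"fileSize\": \"{{ $fileSize}}\"`), so the benchmark events carry `"true"`-style strings where the real API — see the mock added in `_dev/deploy/docker/files/config.yml` in this same commit, which emits `"agentInfected": false` and `"agentIsActive": true` unquoted — sends JSON booleans and numbers. Any `convert` or boolean check in the threat_event pipeline therefore sees a different input type than in production and may run its failure branch for every document, which is exactly the path a throughput benchmark should not be measuring. Emit those placeholders bare, e.g. `\"agentInfected\": {{ $agentInfected}}, ... \"dstPort\": {{ $dstPort}},`, for `agentInfected`, `agentIsActive`, `agentIsDecommissioned`, `hasActiveContent`, `parentProcessIsMalicious`, `processIsMalicious`, `relatedToThreat`, `dstPort`, `srcPort`, `pid`, `parentPid` and `fileSize`. The template also builds `message` by splicing generated strings into a hand-written JSON string with no escaping, so a generated value containing `"` or `\` would yield an unparseable event; that holds only while the generator's keyword alphabet excludes those characters, which deserves a comment at the top of the template such as `{{- /* values are spliced into a JSON string unescaped; keyword fields must not contain quotes or backslashes */ -}}`. Finally, the leading `{{- /* … */ -}}` block repeats the message body verbatim and is never rendered, so dropping it removes a copy that will silently drift from the real one.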
@@ -1,17 +1,36 @@ -# SentinelOne +# SentinelOne Integration for Elastic + +## Overview The [SentinelOne](https://www.sentinelone.com/) integration collects and parses data from SentinelOne REST APIs. This integration also offers the capability to perform response actions on SentinelOne hosts directly through the Elastic Security interface (introduced with v8.12.0). Additional configuration is required; for detailed guidance, refer to [documentation](https://www.elastic.co/guide/en/security/current/response-actions-config.html). -## Agentless Enabled Integration -Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). +### Compatibility -Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. +This module has been tested against `SentinelOne Management Console API version 2.1`. -## Compatibility +### How it works -This module has been tested against `SentinelOne Management Console API version 2.1`. +This integration periodically queries the SentinelOne REST API to retrieve Activity, Agent, Alert, Application, Application Risk, Group, Threat and Threat Event logs. + +## What data does this integration collect? + +This integration collects log messages of the following types: + +- `Activity`: Captures general actions or events occurring within the SentinelOne environment, such as policy updates or administrative operations. 
+- `Agent`: Provides details about endpoint agents, including their status, configuration, and activity on protected devices. +- `Alert`: Represents security notifications triggered by detected suspicious or malicious activity requiring attention. +- `Application`: Logs information about installed or executed applications identified on endpoints. +- `Application Risk`: Assesses and records the risk level or reputation of discovered applications based on behavior and source. +- `Group`: Contains configuration and status information for endpoint groups within a site or tenant. +- `Threat`: Logs confirmed malicious detections, such as malware, exploits, or ransomware identified by SentinelOne. +- `Threat Event`: Provides detailed event-level information related to a specific threat, including process, file, and network indicators. + +### Supported use cases +Integrating SentinelOne Activity, Agent, Alert, Application, Application Risk, Group, Threat, and Threat Event logs with Elastic SIEM provides centralized visibility across endpoint operations and security events. Dashboards deliver insights into agent status, detections, application behavior, and threat lifecycle, helping SOC teams quickly identify malicious activity, enforce policy compliance, and accelerate investigation and response efforts. -## API token +## What do I need to use this integration? + +### From SentinelOne To collect data from SentinelOne APIs, you must have an API token. To create an API token, follow these steps: 
@@ -36,29 +55,63 @@ To collect data from SentinelOne APIs, you must have an API token. To create an | Application Risk | Applications -> viewRisks | | Group | Groups -> view | | Threat | Threats -> view | +| Threat Event | Threats -> view | ## Note The **alert** data stream depends on STAR Custom Rules. STAR Custom Rules are supported in Cloud environments, but are not supported in on-premises environments. Because of this, the **alert** data stream is not supported in on-premises environments. +## How do I deploy this integration? + +This integration supports both Elastic Agentless-based and Agent-based installations. + +### Agentless-based installation + +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. + +### Agent-based installation + +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host. + ## Troubleshooting - The API token generated by the user is time-limited. The user must reconfigure a new API token before it expires. - For console users, the default expiration time limit is 30 days. - For service users, the expiration time limit is the same as the duration specified while generating the API token. 
-## Alert severity mapping +## Setup + +1. In the top search bar in Kibana, search for **Integrations**. +2. In the search bar, type **SentinelOne**. +3. Select the **SentinelOne** integration from the search results. +4. Select **Add SentinelOne** to add the integration. +5. Enable and configure only the collection methods which you will use. + + * To **Collect SentinelOne logs via API**, you'll need to: + + - Configure **URL** and **API Token**. + - Enable/Disable the required datasets. + - For each dataset, adjust the integration configuration parameters if required, including the Interval, Preserve original event etc. to enable data collection. + +6. Select **Save and continue** to save the integration. + +### Validation -The values used in `event.severity` are consistent with Elastic Detection Rules. +#### Dashboards populated -| Severity Name | `event.severity` | -|---------------|:----------------:| -| Low | 21 | -| Medium | 47 | -| High | 73 | -| Critical | 99 | +1. In the top search bar in Kibana, search for **Dashboards**. +2. In the search bar, type **SentinelOne**. +3. Select a dashboard for the dataset you are collecting, and verify the dashboard information is populated. -## Logs +## Performance and scaling + +For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation. + +## Reference + +### Logs reference ### activity @@ -115,3 +168,11 @@ This is the `threat` dataset. {{event "threat"}} {{fields "threat"}} + +### threat event + +This is the `threat event` dataset. + +{{event "threat_event"}} + +{{fields "threat_event"}} diff --git a/packages/sentinel_one/_dev/deploy/docker/files/config.yml b/packages/sentinel_one/_dev/deploy/docker/files/config.yml index 60a91a45e79..73221840c2d 100644 --- a/packages/sentinel_one/_dev/deploy/docker/files/config.yml 
+++ b/packages/sentinel_one/_dev/deploy/docker/files/config.yml @@ -1256,7 +1256,7 @@ rules: "labels": null, "name": null }, - "id": "1234567890123456789", + "id": "abc123", "indicators": [], "kubernetesInfo": { "cluster": null, 
@@ -1887,3 +1887,531 @@ rules: } } `}} + - path: /web/api/v2.1/threats + methods: ["GET"] + query_params: + skipCount: "true" + limit: 2 + cursor: abcd + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [ + { + "id": "1234567890123456789", + "indicators": [], + "kubernetesInfo": { + "cluster": null, + "controllerKind": null, + "controllerLabels": null, + "controllerName": null, + "namespace": null, + "namespaceLabels": null, + "node": null, + "pod": null, + "podLabels": null + } + } + ], + "pagination": { + "nextCursor": null, + "totalItems": 0 + } + } + `}} + - path: /web/api/v2.1/threats + methods: ["GET"] + query_params: + skipCount: "true" + limit: 2 + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + body: |- + {{ minify_json ` + { + "data": [ + { + "id": "abc123", + "indicators": [], + "kubernetesInfo": { + "cluster": null, + "controllerKind": null, + "controllerLabels": null, + "controllerName": null, + "namespace": null, + "namespaceLabels": null, + "node": null, + "pod": null, + "podLabels": null + }, + "whiteningOptions": [ + "hash" + ] + } + ], + "pagination": { + "nextCursor": "abcd", + "totalItems": 0 + } + } + `}} + - path: /web/api/v2.1/threats/abc123/explore/events + methods: ['GET'] + query_params: + skipCount: "true" + limit: 2 + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "activeContentFileId": "fileid_001", + "activeContentHash": "hash_001", + "activeContentPath": "C:\\content\\file1", + "agentDomain": "domain1", + "agentGroupId": "group_01", + "agentId": "agent_001", + "agentInfected": false, + "agentIp": "89.160.20.128", + "agentIsActive": true, + "agentIsDecommissioned": false, + "agentMachineType": "x64", + "agentName": "Agent_1", + "agentNetworkStatus": "online", + "agentOs": 
"Windows 10", + "agentUuid": "uuid_001", + "agentVersion": "1.0.5", + "connectionStatus": "active", + "createdAt": "2025-10-25T10:15:30Z", + "direction": "outbound", + "dnsRequest": "example.com", + "dnsResponse": "192.168.0.1", + "dstIp": "127.0.0.1", + "dstPort": 80, + "eventType": "network", + "fileFullName": "C:\\Windows\\explorer.exe", + "fileId": "file_001", + "fileMd5": "md5_001", + "fileSha1": "sha1_001", + "fileSha256": "sha256_001", + "fileSize": "1024", + "fileType": "exe", + "hasActiveContent": true, + "id": "id_001", + "indicatorCategory": "malware", + "indicatorDescription": "suspicious activity", + "indicatorMetadata": "meta1", + "indicatorName": "Malware1", + "loginsBaseType": "local", + "loginsUserName": "user_login1", + "md5": "md5_sample", + "networkMethod": "GET", + "networkSource": "LAN", + "networkUrl": "http://example.com", + "objectType": "process", + "oldFileMd5": "old_md5", + "oldFileName": "explorer_old.exe", + "oldFileSha1": "old_sha1", + "oldFileSha256": "old_sha256", + "parentPid": "1001", + "parentProcessGroupId": "group_parent_01", + "parentProcessIsMalicious": false, + "parentProcessName": "cmd.exe", + "parentProcessUniqueKey": "unique_parent_001", + "pid": "1234", + "processCmd": "explorer /start", + "processDisplayName": "Windows Explorer", + "processGroupId": "group_01", + "processImagePath": "C:\\Windows\\explorer.exe", + "processImageSha1Hash": "sha1_process", + "processIntegrityLevel": "high", + "processIsMalicious": false, + "processIsRedirectedCommandProcessor": "false", + "processIsWow64": "false", + "processName": "explorer.exe", + "processRoot": "C:\\", + "processSessionId": "session_001", + "processStartTime": "2025-10-25T09:00:00Z", + "processSubSystem": "subsystem1", + "processUniqueKey": "unique_001", + "processUserName": "user1", + "protocol": "TCP", + "publisher": "Microsoft", + "registryClassification": "system", + "registryId": "reg_001", + "registryPath": "HKLM\\Software\\Test", + "relatedToThreat": false, + 
"rpid": "rpid_001", + "sha1": "sha1_sample", + "sha256": "sha256_sample", + "signatureSignedInvalidReason": "None", + "signedStatus": "Signed", + "siteId": "site_001", + "siteName": "SiteA", + "srcIp": "89.160.20.128", + "srcPort": 45678, + "storyline": "storyline1", + "taskName": "task1", + "taskPath": "C:\\Tasks\\task1", + "threatStatus": "clean", + "tid": "tid_001", + "trueContext": "context1", + "user": "user1", + "verifiedStatus": "Verified" + }, + { + "activeContentFileId": "fileid_002", + "activeContentHash": "hash_002", + "activeContentPath": "D:\\content\\file2", + "agentDomain": "domain2", + "agentGroupId": "group_02", + "agentId": "agent_002", + "agentInfected": true, + "agentIp": "89.160.20.156", + "agentIsActive": true, + "agentIsDecommissioned": false, + "agentMachineType": "x86", + "agentName": "Agent_2", + "agentNetworkStatus": "offline", + "agentOs": "Windows Server 2019", + "agentUuid": "uuid_002", + "agentVersion": "1.0.7", + "connectionStatus": "inactive", + "createdAt": "2025-10-24T14:20:00Z", + "direction": "inbound", + "dnsRequest": "test.com", + "dnsResponse": "192.168.0.2", + "dstIp": "127.0.0.1", + "dstPort": 443, + "eventType": "network", + "fileFullName": "C:\\Windows\\svchost.exe", + "fileId": "file_002", + "fileMd5": "md5_002", + "fileSha1": "sha1_002", + "fileSha256": "sha256_002", + "fileSize": "2048", + "fileType": "dll", + "hasActiveContent": false, + "id": "id_002", + "indicatorCategory": "adware", + "indicatorDescription": "suspicious file", + "indicatorMetadata": "meta2", + "indicatorName": "Adware2", + "loginsBaseType": "domain", + "loginsUserName": "user_login2", + "md5": "md5_sample2", + "networkMethod": "POST", + "networkSource": "WAN", + "networkUrl": "https://test.com", + "objectType": "process", + "oldFileMd5": "old_md52", + "oldFileName": "svchost_old.exe", + "oldFileSha1": "old_sha12", + "oldFileSha256": "old_sha2562", + "parentPid": "2001", + "parentProcessGroupId": "group_parent_02", + "parentProcessIsMalicious": 
true, + "parentProcessName": "explorer.exe", + "parentProcessUniqueKey": "unique_parent_002", + "pid": "2345", + "processCmd": "svchost /run", + "processDisplayName": "Service Host", + "processGroupId": "group_02", + "processImagePath": "C:\\Windows\\svchost.exe", + "processImageSha1Hash": "sha1_process2", + "processIntegrityLevel": "medium", + "processIsMalicious": true, + "processIsRedirectedCommandProcessor": "false", + "processIsWow64": "true", + "processName": "svchost.exe", + "processRoot": "D:\\", + "processSessionId": "session_002", + "processStartTime": "2025-10-24T13:00:00Z", + "processSubSystem": "subsystem2", + "processUniqueKey": "unique_002", + "processUserName": "user2", + "protocol": "UDP", + "publisher": "Adobe", + "registryClassification": "application", + "registryId": "reg_002", + "registryPath": "HKCU\\Software\\Test2", + "relatedToThreat": true, + "rpid": "rpid_002", + "sha1": "sha1_sample2", + "sha256": "sha256_sample2", + "signatureSignedInvalidReason": "Invalid", + "signedStatus": "Unsigned", + "siteId": "site_002", + "siteName": "SiteB", + "srcIp": "89.160.20.156", + "srcPort": 56789, + "storyline": "storyline2", + "taskName": "task2", + "taskPath": "D:\\Tasks\\task2", + "threatStatus": "threat", + "tid": "tid_002", + "trueContext": "context2", + "user": "user2", + "verifiedStatus": "Unverified" + } + ], + "pagination": { + "nextCursor": null, + "totalItems": 0 + } + } + `}} + - path: /web/api/v2.1/threats/1234567890123456789/explore/events + methods: ['GET'] + query_params: + skipCount: "true" + limit: 2 + cursor: abc + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [], + "pagination": { + "nextCursor": null, + "totalItems": 0 + } + } + `}} + - path: /web/api/v2.1/threats/1234567890123456789/explore/events + methods: ['GET'] + query_params: + skipCount: "true" + limit: 2 + request_headers: + Authorization: 
+ - "ApiToken xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "activeContentFileId": "fileid_003", + "activeContentHash": "hash_003", + "activeContentPath": "C:\\content\\file3", + "agentDomain": "domain3", + "agentGroupId": "group_03", + "agentId": "agent_003", + "agentInfected": true, + "agentIp": "127.0.0.1", + "agentIsActive": false, + "agentIsDecommissioned": true, + "agentMachineType": "x64", + "agentName": "Agent_3", + "agentNetworkStatus": "online", + "agentOs": "Windows 11", + "agentUuid": "uuid_003", + "agentVersion": "1.2.0", + "connectionStatus": "active", + "createdAt": "2025-10-23T08:45:00Z", + "direction": "outbound", + "dnsRequest": "example.org", + "dnsResponse": "192.168.0.3", + "dstIp": "89.160.20.128", + "dstPort": 8080, + "eventType": "file", + "fileFullName": "C:\\Windows\\notepad.exe", + "fileId": "file_003", + "fileMd5": "md5_003", + "fileSha1": "sha1_003", + "fileSha256": "sha256_003", + "fileSize": "512", + "fileType": "exe", + "hasActiveContent": true, + "id": "id_003", + "indicatorCategory": "ransomware", + "indicatorDescription": "encrypted file", + "indicatorMetadata": "meta3", + "indicatorName": "Ransomware3", + "loginsBaseType": "local", + "loginsUserName": "user_login3", + "md5": "md5_sample3", + "networkMethod": "GET", + "networkSource": "LAN", + "networkUrl": "http://example.org", + "objectType": "process", + "oldFileMd5": "old_md53", + "oldFileName": "notepad_old.exe", + "oldFileSha1": "old_sha13", + "oldFileSha256": "old_sha2563", + "parentPid": "3001", + "parentProcessGroupId": "group_parent_03", + "parentProcessIsMalicious": true, + "parentProcessName": "explorer.exe", + "parentProcessUniqueKey": "unique_parent_003", + "pid": "3456", + "processCmd": "notepad.exe /open", + "processDisplayName": "Notepad", + "processGroupId": "group_03", + "processImagePath": "C:\\Windows\\notepad.exe", + "processImageSha1Hash": "sha1_process3", + 
"processIntegrityLevel": "low", + "processIsMalicious": true, + "processIsRedirectedCommandProcessor": "false", + "processIsWow64": "false", + "processName": "notepad.exe", + "processRoot": "C:\\", + "processSessionId": "session_003", + "processStartTime": "2025-10-23T08:30:00Z", + "processSubSystem": "subsystem3", + "processUniqueKey": "unique_003", + "processUserName": "user3", + "protocol": "TCP", + "publisher": "Microsoft", + "registryClassification": "system", + "registryId": "reg_003", + "registryPath": "HKLM\\Software\\Test3", + "relatedToThreat": true, + "rpid": "rpid_003", + "sha1": "sha1_sample3", + "sha256": "sha256_sample3", + "signatureSignedInvalidReason": "Expired", + "signedStatus": "Signed", + "siteId": "site_003", + "siteName": "SiteC", + "srcIp": "127.0.0.1", + "srcPort": 23456, + "storyline": "storyline3", + "taskName": "task3", + "taskPath": "C:\\Tasks\\task3", + "threatStatus": "threat", + "tid": "tid_003", + "trueContext": "context3", + "user": "user3", + "verifiedStatus": "Verified" + }, + { + "activeContentFileId": "fileid_004", + "activeContentHash": "hash_004", + "activeContentPath": "D:\\content\\file4", + "agentDomain": "domain4", + "agentGroupId": "group_04", + "agentId": "agent_004", + "agentInfected": false, + "agentIp": "89.160.20.156", + "agentIsActive": true, + "agentIsDecommissioned": false, + "agentMachineType": "x64", + "agentName": "Agent_4", + "agentNetworkStatus": "online", + "agentOs": "Windows 10", + "agentUuid": "uuid_004", + "agentVersion": "1.3.0", + "connectionStatus": "active", + "createdAt": "2025-10-22T11:30:00Z", + "direction": "outbound", + "dnsRequest": "google.com", + "dnsResponse": "8.8.8.8", + "dstIp": "89.160.20.128", + "dstPort": 443, + "eventType": "network", + "fileFullName": "C:\\Program Files\\Chrome\\chrome.exe", + "fileId": "file_004", + "fileMd5": "md5_004", + "fileSha1": "sha1_004", + "fileSha256": "sha256_004", + "fileSize": "4096", + "fileType": "exe", + "hasActiveContent": false, + "id": "id_004", 
+ "indicatorCategory": "spyware", + "indicatorDescription": "tracking software", + "indicatorMetadata": "meta4", + "indicatorName": "Spyware4", + "loginsBaseType": "domain", + "loginsUserName": "user_login4", + "md5": "md5_sample4", + "networkMethod": "GET", + "networkSource": "WAN", + "networkUrl": "https://google.com", + "objectType": "process", + "oldFileMd5": "old_md54", + "oldFileName": "chrome_old.exe", + "oldFileSha1": "old_sha14", + "oldFileSha256": "old_sha2564", + "parentPid": "4001", + "parentProcessGroupId": "group_parent_04", + "parentProcessIsMalicious": false, + "parentProcessName": "explorer.exe", + "parentProcessUniqueKey": "unique_parent_004", + "pid": "4567", + "processCmd": "chrome.exe --new-tab", + "processDisplayName": "Google Chrome", + "processGroupId": "group_04", + "processImagePath": "C:\\Program Files\\Chrome\\chrome.exe", + "processImageSha1Hash": "sha1_process4", + "processIntegrityLevel": "medium", + "processIsMalicious": false, + "processIsRedirectedCommandProcessor": "false", + "processIsWow64": "false", + "processName": "chrome.exe", + "processRoot": "C:\\", + "processSessionId": "session_004", + "processStartTime": "2025-10-22T11:00:00Z", + "processSubSystem": "subsystem4", + "processUniqueKey": "unique_004", + "processUserName": "user4", + "protocol": "TCP", + "publisher": "Google", + "registryClassification": "application", + "registryId": "reg_004", + "registryPath": "HKCU\\Software\\Test4", + "relatedToThreat": false, + "rpid": "rpid_004", + "sha1": "sha1_sample4", + "sha256": "sha256_sample4", + "signatureSignedInvalidReason": "None", + "signedStatus": "Signed", + "siteId": "site_004", + "siteName": "SiteD", + "srcIp": "127.0.0.1", + "srcPort": 34567, + "storyline": "storyline4", + "taskName": "task4", + "taskPath": "C:\\Tasks\\task4", + "threatStatus": "clean", + "tid": "tid_004", + "trueContext": "context4", + "user": "user4", + "verifiedStatus": "Verified" + } + ], + "pagination": { + "nextCursor": "abc", + "totalItems": 0 
+ }
+ }
+ `}}
diff --git a/packages/sentinel_one/changelog.yml b/packages/sentinel_one/changelog.yml
index ca1de80d48e..9c38dd370a9 100644
--- a/packages/sentinel_one/changelog.yml
+++ b/packages/sentinel_one/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.43.0"
+ changes:
+ - description: Add support for threat event data stream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15771
 - version: "1.42.0"
 changes:
 - description: Improved input section layout by updating titles to include data stream names.
diff --git a/packages/sentinel_one/data_stream/activity/_dev/test/policy/test-all.expected b/packages/sentinel_one/data_stream/activity/_dev/test/policy/test-all.expected
index 5eb0522116d..e4464d009f8 100644
--- a/packages/sentinel_one/data_stream/activity/_dev/test/policy/test-all.expected
+++ b/packages/sentinel_one/data_stream/activity/_dev/test/policy/test-all.expected
@@ -9,6 +9,7 @@ inputs:
 - config_version: 2
 cursor:
 last_create_at:
+ ignore_empty_value: true
 value: '[[.last_event.createdAt]]'
 data_stream:
 dataset: sentinel_one.activity
diff --git a/packages/sentinel_one/data_stream/activity/_dev/test/policy/test-default.expected b/packages/sentinel_one/data_stream/activity/_dev/test/policy/test-default.expected
index 4d111fe108b..d4692157c27 100644
--- a/packages/sentinel_one/data_stream/activity/_dev/test/policy/test-default.expected
+++ b/packages/sentinel_one/data_stream/activity/_dev/test/policy/test-default.expected
@@ -9,6 +9,7 @@ inputs:
 - config_version: 2
 cursor:
 last_create_at:
+ ignore_empty_value: true
 value: '[[.last_event.createdAt]]'
 data_stream:
 dataset: sentinel_one.activity
diff --git a/packages/sentinel_one/data_stream/activity/agent/stream/httpjson.yml.hbs b/packages/sentinel_one/data_stream/activity/agent/stream/httpjson.yml.hbs
index 5b324b615d9..eb0444feff8 100644
--- a/packages/sentinel_one/data_stream/activity/agent/stream/httpjson.yml.hbs
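Review bot: The `methods` list is quoted two different ways in the added rules — `methods: ["GET"]` on the two `/web/api/v2.1/threats` entries and `methods: ['GET']` on the three `explore/events` entries — and only the `explore/events` responses declare a `Content-Type: application/json` header; the rules read more consistently if all five use one quoting style and either all or none set the header. The `pagination` objects also report `"totalItems": 0` while `data` carries one or two records, which any test that later asserts on the count would trip over; `"totalItems": 1` / `"totalItems": 2` on the populated pages keeps the fixture self-consistent. Several numeric-looking values are strings here (`"fileSize": "1024"`, `"pid": "1234"`, `"processIsWow64": "false"`) while `"dstPort": 80` is a number; presumably that mirrors the upstream API shape, but it is worth confirming, since the pipeline's type conversions are exercised against exactly these fixtures.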
+++ b/packages/sentinel_one/data_stream/activity/agent/stream/httpjson.yml.hbs
@@ -42,6 +42,7 @@ response.pagination:
 cursor:
 last_create_at:
 value: '[[.last_event.createdAt]]'
+ ignore_empty_value: true
 response.split:
 target: body.data
 ignore_empty_value: true
diff --git a/packages/sentinel_one/data_stream/agent/_dev/test/policy/test-all.expected b/packages/sentinel_one/data_stream/agent/_dev/test/policy/test-all.expected
index 01a34ffbb3c..71338838df8 100644
--- a/packages/sentinel_one/data_stream/agent/_dev/test/policy/test-all.expected
+++ b/packages/sentinel_one/data_stream/agent/_dev/test/policy/test-all.expected
@@ -9,6 +9,7 @@ inputs:
 - config_version: 2
 cursor:
 last_update_at:
+ ignore_empty_value: true
 value: '[[.last_event.updatedAt]]'
 data_stream:
 dataset: sentinel_one.agent
diff --git a/packages/sentinel_one/data_stream/agent/_dev/test/policy/test-default.expected b/packages/sentinel_one/data_stream/agent/_dev/test/policy/test-default.expected
index e746921b302..2d2dcd042bc 100644
--- a/packages/sentinel_one/data_stream/agent/_dev/test/policy/test-default.expected
+++ b/packages/sentinel_one/data_stream/agent/_dev/test/policy/test-default.expected
@@ -9,6 +9,7 @@ inputs:
 - config_version: 2
 cursor:
 last_update_at:
+ ignore_empty_value: true
 value: '[[.last_event.updatedAt]]'
 data_stream:
 dataset: sentinel_one.agent
diff --git a/packages/sentinel_one/data_stream/agent/agent/stream/httpjson.yml.hbs b/packages/sentinel_one/data_stream/agent/agent/stream/httpjson.yml.hbs
index 099e3db2992..f4f1a63e9c6 100644
--- a/packages/sentinel_one/data_stream/agent/agent/stream/httpjson.yml.hbs
+++ b/packages/sentinel_one/data_stream/agent/agent/stream/httpjson.yml.hbs
@@ -42,6 +42,7 @@ response.pagination:
 cursor:
 last_update_at:
 value: '[[.last_event.updatedAt]]'
+ ignore_empty_value: true
 response.split:
 target: body.data
 ignore_empty_value: true
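Review bot: `ignore_empty_value: true` on the `last_create_at` cursor is a behaviour change that nothing in the diff explains — the 1.43.0 changelog entry added here only mentions the threat event data stream — and the same line is added to the agent, alert, group and threat `httpjson.yml.hbs` hunks. Presumably the intent is to keep the previous cursor value when the last event carries no `createdAt`/`updatedAt` instead of overwriting it with an empty string, which would otherwise drop the time bound on the next request; a short comment above each cursor block such as `# keep the previous cursor when the last event has no timestamp` and a `bugfix` changelog line would record that for the next maintainer. The enclosing `response.pagination` / `cursor` block starts outside the hunk.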
diff --git a/packages/sentinel_one/data_stream/alert/_dev/test/policy/test-all.expected b/packages/sentinel_one/data_stream/alert/_dev/test/policy/test-all.expected
index 29cebb8e610..db095f443cc 100644
--- a/packages/sentinel_one/data_stream/alert/_dev/test/policy/test-all.expected
+++ b/packages/sentinel_one/data_stream/alert/_dev/test/policy/test-all.expected
@@ -9,6 +9,7 @@ inputs:
 - config_version: 2
 cursor:
 last_create_at:
+ ignore_empty_value: true
 value: '[[.last_event.alertInfo.createdAt]]'
 data_stream:
 dataset: sentinel_one.alert
diff --git a/packages/sentinel_one/data_stream/alert/_dev/test/policy/test-default.expected b/packages/sentinel_one/data_stream/alert/_dev/test/policy/test-default.expected
index 746d2cd968c..0c531798804 100644
--- a/packages/sentinel_one/data_stream/alert/_dev/test/policy/test-default.expected
+++ b/packages/sentinel_one/data_stream/alert/_dev/test/policy/test-default.expected
@@ -9,6 +9,7 @@ inputs:
 - config_version: 2
 cursor:
 last_create_at:
+ ignore_empty_value: true
 value: '[[.last_event.alertInfo.createdAt]]'
 data_stream:
 dataset: sentinel_one.alert
diff --git a/packages/sentinel_one/data_stream/alert/agent/stream/httpjson.yml.hbs b/packages/sentinel_one/data_stream/alert/agent/stream/httpjson.yml.hbs
index 1e920c96a14..b3abd87d68f 100644
--- a/packages/sentinel_one/data_stream/alert/agent/stream/httpjson.yml.hbs
+++ b/packages/sentinel_one/data_stream/alert/agent/stream/httpjson.yml.hbs
@@ -42,6 +42,7 @@ response.pagination:
 cursor:
 last_create_at:
 value: '[[.last_event.alertInfo.createdAt]]'
+ ignore_empty_value: true
 response.split:
 target: body.data
 ignore_empty_value: true
diff --git a/packages/sentinel_one/data_stream/group/_dev/test/policy/test-all.expected b/packages/sentinel_one/data_stream/group/_dev/test/policy/test-all.expected
index dd9dd2ce2ce..966f1204f96 100644
--- a/packages/sentinel_one/data_stream/group/_dev/test/policy/test-all.expected
+++ b/packages/sentinel_one/data_stream/group/_dev/test/policy/test-all.expected
@@ -9,6 +9,7 @@ inputs:
 - config_version: 2
 cursor:
 last_update_at:
+ ignore_empty_value: true
 value: '[[.last_event.updatedAt]]'
 data_stream:
 dataset: sentinel_one.group
diff --git a/packages/sentinel_one/data_stream/group/_dev/test/policy/test-default.expected b/packages/sentinel_one/data_stream/group/_dev/test/policy/test-default.expected
index b75be0deda1..267f007a7a3 100644
--- a/packages/sentinel_one/data_stream/group/_dev/test/policy/test-default.expected
+++ b/packages/sentinel_one/data_stream/group/_dev/test/policy/test-default.expected
@@ -9,6 +9,7 @@ inputs:
 - config_version: 2
 cursor:
 last_update_at:
+ ignore_empty_value: true
 value: '[[.last_event.updatedAt]]'
 data_stream:
 dataset: sentinel_one.group
diff --git a/packages/sentinel_one/data_stream/group/agent/stream/httpjson.yml.hbs b/packages/sentinel_one/data_stream/group/agent/stream/httpjson.yml.hbs
index a8280253820..e0cdf3b9699 100644
--- a/packages/sentinel_one/data_stream/group/agent/stream/httpjson.yml.hbs
+++ b/packages/sentinel_one/data_stream/group/agent/stream/httpjson.yml.hbs
@@ -42,6 +42,7 @@ response.pagination:
 cursor:
 last_update_at:
 value: '[[.last_event.updatedAt]]'
+ ignore_empty_value: true
 response.split:
 target: body.data
 ignore_empty_value: true
diff --git a/packages/sentinel_one/data_stream/threat/_dev/test/policy/test-all.expected b/packages/sentinel_one/data_stream/threat/_dev/test/policy/test-all.expected
index 6437649f816..0e514b1973e 100644
--- a/packages/sentinel_one/data_stream/threat/_dev/test/policy/test-all.expected
+++ b/packages/sentinel_one/data_stream/threat/_dev/test/policy/test-all.expected
@@ -9,6 +9,7 @@ inputs:
 - config_version: 2
 cursor:
 last_update_at:
+ ignore_empty_value: true
 value: '[[.last_event.threatInfo.updatedAt]]'
 data_stream:
 dataset: sentinel_one.threat
diff --git a/packages/sentinel_one/data_stream/threat/_dev/test/policy/test-default.expected b/packages/sentinel_one/data_stream/threat/_dev/test/policy/test-default.expected
index 8e37dba71b6..bb12cd6d8e8 100644
--- a/packages/sentinel_one/data_stream/threat/_dev/test/policy/test-default.expected
+++ b/packages/sentinel_one/data_stream/threat/_dev/test/policy/test-default.expected
@@ -9,6 +9,7 @@ inputs:
 - config_version: 2
 cursor:
 last_update_at:
+ ignore_empty_value: true
 value: '[[.last_event.threatInfo.updatedAt]]'
 data_stream:
 dataset: sentinel_one.threat
diff --git a/packages/sentinel_one/data_stream/threat/agent/stream/httpjson.yml.hbs b/packages/sentinel_one/data_stream/threat/agent/stream/httpjson.yml.hbs
index cd9b2b892c9..952a7f74839 100644
--- a/packages/sentinel_one/data_stream/threat/agent/stream/httpjson.yml.hbs
+++ b/packages/sentinel_one/data_stream/threat/agent/stream/httpjson.yml.hbs
@@ -42,6 +42,7 @@ response.pagination:
 cursor:
 last_update_at:
 value: '[[.last_event.threatInfo.updatedAt]]'
+ ignore_empty_value: true
 response.split:
 target: body.data
 ignore_empty_value: true
diff --git a/packages/sentinel_one/data_stream/threat_event/_dev/benchmark/pipeline/config.yml b/packages/sentinel_one/data_stream/threat_event/_dev/benchmark/pipeline/config.yml
new file mode 100644
index 00000000000..30a2b50cf64
--- /dev/null
+++ b/packages/sentinel_one/data_stream/threat_event/_dev/benchmark/pipeline/config.yml
@@ -0,0 +1 @@
+num_docs: 10000
diff --git a/packages/sentinel_one/data_stream/threat_event/_dev/benchmark/pipeline/threat-event-sample.log b/packages/sentinel_one/data_stream/threat_event/_dev/benchmark/pipeline/threat-event-sample.log
new file mode 100644
index 00000000000..8357ed6b223
--- /dev/null
+++ b/packages/sentinel_one/data_stream/threat_event/_dev/benchmark/pipeline/threat-event-sample.log
@@ -0,0 +1,3 @@ +{"id":"a1b2c3d4","objectType":"threat","createdAt":"2025-10-23T10:15:30Z","processName":"chrome.exe","agentName":"Agent-WIN10","agentGroupId":"group-01","agentId":"agent-12345","agentIsActive":true,"agentIsDecommissioned":false,"agentMachineType":"workstation","agentNetworkStatus":"connected","agentOs":"Windows 10","agentVersion":"23.2.1.56","agentUuid":"b7f2a5a1-2d4f-48b3-9e4f-c4567890abcd","siteId":"site-001","siteName":"Default Site","pid":"5548","srcIp":"89.160.20.128","srcPort":52345,"dstIp":"127.0.0.1","dstPort":443,"fileSha1":"3b5d5c3712955042212316173ccf37be8009b8a1","fileSha256":"c1b0f222a1b4b2d38c16b2e3cf8a8d4fcb4b1a7a3e1b1b77cf92c9e8f75e8e9a","fileMd5":"e2fc714c4727ee9395f324cd2e7f331f","signatureSignedInvalidReason":"none","verifiedStatus":"verified","signedStatus":"signed","fileFullName":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","processCmd":"\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --type=renderer","processUserName":"john.doe","processStartTime":"2025-10-23T10:00:00Z","processIsMalicious":false,"protocol":"tcp"} +{"id":"b9c8d7e6","objectType":"file_event","createdAt":"2025-10-23T08:12:10Z","processName":"explorer.exe","agentName":"Agent-SVR1","agentGroupId":"group-02","agentId":"agent-67890","agentIsActive":true,"agentIsDecommissioned":false,"agentMachineType":"server","agentNetworkStatus":"connected","agentOs":"Windows Server 2022","agentVersion":"24.1.0.11","agentUuid":"e4c1d333-987a-4bcb-80a2-2aee6c77b999","siteId":"site-002","siteName":"Production Site","pid":"2280","srcIp":"127.0.0.1","srcPort":49872,"dstIp":"89.160.20.156","dstPort":135,"fileSha1":"5d41402abc4b2a76b9719d911017c592","fileSha256":"2c26b46b68ffc68ff99b453c1d30413413422f1640a4b1b1a1a6b6a6b6a6b6a6","fileMd5":"098f6bcd4621d373cade4e832627b4f6","signatureSignedInvalidReason":"expired","verifiedStatus":"failed","signedStatus":"unsigned","fileFullName":"C:\\Temp\\suspicious.dll","processCmd":"rundll32.exe 
C:\\Temp\\suspicious.dll,EntryPoint","processUserName":"administrator","processStartTime":"2025-10-23T08:00:00Z","processIsMalicious":true,"protocol":"udp"} +{"id":"x9y8z7w6","objectType":"network_connection","createdAt":"2025-10-23T09:45:00Z","processName":"powershell.exe","agentName":"Agent-LINUX1","agentGroupId":"group-03","agentId":"agent-99999","agentIsActive":true,"agentIsDecommissioned":false,"agentMachineType":"workstation","agentNetworkStatus":"disconnected","agentOs":"Ubuntu 22.04","agentVersion":"22.9.3","agentUuid":"9aa3c9b2-fddd-4b51-b3ea-8a7a5b555888","siteId":"site-003","siteName":"Testing Site","pid":"7745","srcIp":"89.160.20.156","srcPort":51514,"dstIp":"89.160.20.128","dstPort":80,"fileSha1":"7c211433f02071597741e6ff5a8ea34789abbf43","fileSha256":"9b74c9897bac770ffc029102a200c5de04c964c0ad3d6c5b7d1b4a4b2c6b8e0e","fileMd5":"d41d8cd98f00b204e9800998ecf8427e","verifiedStatus":"unknown","signedStatus":"n\/a","fileFullName":"\/usr\/bin\/powershell","processCmd":"powershell -ExecutionPolicy Bypass -File \/tmp\/script.ps1","processUserName":"ubuntu","processStartTime":"2025-10-23T09:30:00Z","processIsMalicious":false,"protocol":"http"} diff --git a/packages/sentinel_one/data_stream/threat_event/_dev/test/pipeline/test-common-config.yml b/packages/sentinel_one/data_stream/threat_event/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..37e8fa225fd --- /dev/null +++ b/packages/sentinel_one/data_stream/threat_event/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_duplicate_custom_fields diff --git a/packages/sentinel_one/data_stream/threat_event/_dev/test/pipeline/test-pipeline-application.log b/packages/sentinel_one/data_stream/threat_event/_dev/test/pipeline/test-pipeline-application.log new file mode 100644 index 00000000000..d761db523c5 --- /dev/null +++ b/packages/sentinel_one/data_stream/threat_event/_dev/test/pipeline/test-pipeline-application.log 
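Review bot: The second record's `"fileSha1":"5d41402abc4b2a76b9719d911017c592"` is a 32-hex-character value, i.e. MD5-sized, while the first and third records carry 40-character SHA-1 values; if the pipeline copies this field into a SHA-1 hash field or validates its length, the benchmark is feeding it a malformed input rather than a representative one, so it should be replaced with a 40-hex-character placeholder. The `agentMachineType` values in these samples (`workstation`, `server`) also differ from the `x64` / `x86` used in the pipeline test fixture added by the same PR; presumably only one of the two mirrors the real API, and the benchmark and test inputs should agree on it. A benchmark sample of three records is enough to run, but with `num_docs: 10000` the generator will replay these three heavily, so a couple more records with varied `objectType` and `protocol` values would give a less skewed ingest profile.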
@@ -0,0 +1,4 @@
+{"activeContentFileId":"fileid_001","activeContentHash":"hash_001","activeContentPath":"C:\\content\\file1","agentDomain":"domain1","agentGroupId":"group_01","agentId":"agent_001","agentInfected":false,"agentIp":"89.160.20.128","agentIsActive":true,"agentIsDecommissioned":false,"agentMachineType":"x64","agentName":"Agent_1","agentNetworkStatus":"online","agentOs":"Windows 10","agentUuid":"uuid_001","agentVersion":"1.0.5","connectionStatus":"active","createdAt":"2025-10-25T10:15:30Z","direction":"outbound","dnsRequest":"example.com","dnsResponse":"192.168.0.1","dstIp":"127.0.0.1","dstPort":80,"eventType":"network","fileFullName":"C:\\Windows\\explorer.exe","fileId":"file_001","fileMd5":"md5_001","fileSha1":"sha1_001","fileSha256":"sha256_001","fileSize":"1024","fileType":"exe","hasActiveContent":true,"id":"id_001","indicatorCategory":"malware","indicatorDescription":"suspicious activity","indicatorMetadata":"meta1","indicatorName":"Malware1","loginsBaseType":"local","loginsUserName":"user_login1","md5":"md5_sample","networkMethod":"GET","networkSource":"LAN","networkUrl":"http:\/\/example.com","objectType":"process","oldFileMd5":"old_md5","oldFileName":"explorer_old.exe","oldFileSha1":"old_sha1","oldFileSha256":"old_sha256","parentPid":"1001","parentProcessGroupId":"group_parent_01","parentProcessIsMalicious":false,"parentProcessName":"cmd.exe","parentProcessUniqueKey":"unique_parent_001","pid":"1234","processCmd":"explorer \/start","processDisplayName":"Windows 
Explorer","processGroupId":"group_01","processImagePath":"C:\\Windows\\explorer.exe","processImageSha1Hash":"sha1_process","processIntegrityLevel":"high","processIsMalicious":false,"processIsRedirectedCommandProcessor":"false","processIsWow64":"false","processName":"explorer.exe","processRoot":"C:\\","processSessionId":"session_001","processStartTime":"2025-10-25T09:00:00Z","processSubSystem":"subsystem1","processUniqueKey":"unique_001","processUserName":"user1","protocol":"TCP","publisher":"Microsoft","registryClassification":"system","registryId":"reg_001","registryPath":"HKLM\\Software\\Test","relatedToThreat":false,"rpid":"rpid_001","sha1":"sha1_sample","sha256":"sha256_sample","signatureSignedInvalidReason":"None","signedStatus":"Signed","siteId":"site_001","siteName":"SiteA","srcIp":"89.160.20.128","srcPort":45678,"storyline":"storyline1","taskName":"task1","taskPath":"C:\\Tasks\\task1","threatStatus":"clean","tid":"tid_001","trueContext":"context1","user":"user1","verifiedStatus":"Verified"}
+{"activeContentFileId":"fileid_002","activeContentHash":"hash_002","activeContentPath":"D:\\content\\file2","agentDomain":"domain2","agentGroupId":"group_02","agentId":"agent_002","agentInfected":true,"agentIp":"89.160.20.156","agentIsActive":true,"agentIsDecommissioned":false,"agentMachineType":"x86","agentName":"Agent_2","agentNetworkStatus":"offline","agentOs":"Windows Server 2019","agentUuid":"uuid_002","agentVersion":"1.0.7","connectionStatus":"inactive","createdAt":"2025-10-24T14:20:00Z","direction":"inbound","dnsRequest":"test.com","dnsResponse":"192.168.0.2","dstIp":"127.0.0.1","dstPort":443,"eventType":"network","fileFullName":"C:\\Windows\\svchost.exe","fileId":"file_002","fileMd5":"md5_002","fileSha1":"sha1_002","fileSha256":"sha256_002","fileSize":"2048","fileType":"dll","hasActiveContent":false,"id":"id_002","indicatorCategory":"adware","indicatorDescription":"suspicious 
file","indicatorMetadata":"meta2","indicatorName":"Adware2","loginsBaseType":"domain","loginsUserName":"user_login2","md5":"md5_sample2","networkMethod":"POST","networkSource":"WAN","networkUrl":"https:\/\/test.com","objectType":"process","oldFileMd5":"old_md52","oldFileName":"svchost_old.exe","oldFileSha1":"old_sha12","oldFileSha256":"old_sha2562","parentPid":"2001","parentProcessGroupId":"group_parent_02","parentProcessIsMalicious":true,"parentProcessName":"explorer.exe","parentProcessUniqueKey":"unique_parent_002","pid":"2345","processCmd":"svchost \/run","processDisplayName":"Service Host","processGroupId":"group_02","processImagePath":"C:\\Windows\\svchost.exe","processImageSha1Hash":"sha1_process2","processIntegrityLevel":"medium","processIsMalicious":true,"processIsRedirectedCommandProcessor":"false","processIsWow64":"true","processName":"svchost.exe","processRoot":"D:\\","processSessionId":"session_002","processStartTime":"2025-10-24T13:00:00Z","processSubSystem":"subsystem2","processUniqueKey":"unique_002","processUserName":"user2","protocol":"UDP","publisher":"Adobe","registryClassification":"application","registryId":"reg_002","registryPath":"HKCU\\Software\\Test2","relatedToThreat":true,"rpid":"rpid_002","sha1":"sha1_sample2","sha256":"sha256_sample2","signatureSignedInvalidReason":"Invalid","signedStatus":"Unsigned","siteId":"site_002","siteName":"SiteB","srcIp":"89.160.20.156","srcPort":56789,"storyline":"storyline2","taskName":"task2","taskPath":"D:\\Tasks\\task2","threatStatus":"threat","tid":"tid_002","trueContext":"context2","user":"user2","verifiedStatus":"Unverified"}
+{"activeContentFileId":"fileid_003","activeContentHash":"hash_003","activeContentPath":"C:\\content\\file3","agentDomain":"domain3","agentGroupId":"group_03","agentId":"agent_003","agentInfected":true,"agentIp":"127.0.0.1","agentIsActive":false,"agentIsDecommissioned":true,"agentMachineType":"x64","agentName":"Agent_3","agentNetworkStatus":"online","agentOs":"Windows 
11","agentUuid":"uuid_003","agentVersion":"1.2.0","connectionStatus":"active","createdAt":"2025-10-23T08:45:00Z","direction":"outbound","dnsRequest":"example.org","dnsResponse":"192.168.0.3","dstIp":"89.160.20.128","dstPort":8080,"eventType":"file","fileFullName":"C:\\Windows\\notepad.exe","fileId":"file_003","fileMd5":"md5_003","fileSha1":"sha1_003","fileSha256":"sha256_003","fileSize":"512","fileType":"exe","hasActiveContent":true,"id":"id_003","indicatorCategory":"ransomware","indicatorDescription":"encrypted file","indicatorMetadata":"meta3","indicatorName":"Ransomware3","loginsBaseType":"local","loginsUserName":"user_login3","md5":"md5_sample3","networkMethod":"GET","networkSource":"LAN","networkUrl":"http:\/\/example.org","objectType":"process","oldFileMd5":"old_md53","oldFileName":"notepad_old.exe","oldFileSha1":"old_sha13","oldFileSha256":"old_sha2563","parentPid":"3001","parentProcessGroupId":"group_parent_03","parentProcessIsMalicious":true,"parentProcessName":"explorer.exe","parentProcessUniqueKey":"unique_parent_003","pid":"3456","processCmd":"notepad.exe 
\/open","processDisplayName":"Notepad","processGroupId":"group_03","processImagePath":"C:\\Windows\\notepad.exe","processImageSha1Hash":"sha1_process3","processIntegrityLevel":"low","processIsMalicious":true,"processIsRedirectedCommandProcessor":"false","processIsWow64":"false","processName":"notepad.exe","processRoot":"C:\\","processSessionId":"session_003","processStartTime":"2025-10-23T08:30:00Z","processSubSystem":"subsystem3","processUniqueKey":"unique_003","processUserName":"user3","protocol":"TCP","publisher":"Microsoft","registryClassification":"system","registryId":"reg_003","registryPath":"HKLM\\Software\\Test3","relatedToThreat":true,"rpid":"rpid_003","sha1":"sha1_sample3","sha256":"sha256_sample3","signatureSignedInvalidReason":"Expired","signedStatus":"Signed","siteId":"site_003","siteName":"SiteC","srcIp":"127.0.0.1","srcPort":23456,"storyline":"storyline3","taskName":"task3","taskPath":"C:\\Tasks\\task3","threatStatus":"threat","tid":"tid_003","trueContext":"context3","user":"user3","verifiedStatus":"Verified"}
+{"activeContentFileId":"fileid_004","activeContentHash":"hash_004","activeContentPath":"D:\\content\\file4","agentDomain":"domain4","agentGroupId":"group_04","agentId":"agent_004","agentInfected":false,"agentIp":"89.160.20.156","agentIsActive":true,"agentIsDecommissioned":false,"agentMachineType":"x64","agentName":"Agent_4","agentNetworkStatus":"online","agentOs":"Windows 10","agentUuid":"uuid_004","agentVersion":"1.3.0","connectionStatus":"active","createdAt":"2025-10-22T11:30:00Z","direction":"outbound","dnsRequest":"google.com","dnsResponse":"8.8.8.8","dstIp":"89.160.20.128","dstPort":443,"eventType":"network","fileFullName":"C:\\Program Files\\Chrome\\chrome.exe","fileId":"file_004","fileMd5":"md5_004","fileSha1":"sha1_004","fileSha256":"sha256_004","fileSize":"4096","fileType":"exe","hasActiveContent":false,"id":"id_004","indicatorCategory":"spyware","indicatorDescription":"tracking 
software","indicatorMetadata":"meta4","indicatorName":"Spyware4","loginsBaseType":"domain","loginsUserName":"user_login4","md5":"md5_sample4","networkMethod":"GET","networkSource":"WAN","networkUrl":"https:\/\/google.com","objectType":"process","oldFileMd5":"old_md54","oldFileName":"chrome_old.exe","oldFileSha1":"old_sha14","oldFileSha256":"old_sha2564","parentPid":"4001","parentProcessGroupId":"group_parent_04","parentProcessIsMalicious":false,"parentProcessName":"explorer.exe","parentProcessUniqueKey":"unique_parent_004","pid":"4567","processCmd":"chrome.exe --new-tab","processDisplayName":"Google Chrome","processGroupId":"group_04","processImagePath":"C:\\Program Files\\Chrome\\chrome.exe","processImageSha1Hash":"sha1_process4","processIntegrityLevel":"medium","processIsMalicious":false,"processIsRedirectedCommandProcessor":"false","processIsWow64":"false","processName":"chrome.exe","processRoot":"C:\\","processSessionId":"session_004","processStartTime":"2025-10-22T11:00:00Z","processSubSystem":"subsystem4","processUniqueKey":"unique_004","processUserName":"user4","protocol":"TCP","publisher":"Google","registryClassification":"application","registryId":"reg_004","registryPath":"HKCU\\Software\\Test4","relatedToThreat":false,"rpid":"rpid_004","sha1":"sha1_sample4","sha256":"sha256_sample4","signatureSignedInvalidReason":"None","signedStatus":"Signed","siteId":"site_004","siteName":"SiteD","srcIp":"127.0.0.1","srcPort":34567,"storyline":"storyline4","taskName":"task4","taskPath":"C:\\Tasks\\task4","threatStatus":"clean","tid":"tid_004","trueContext":"context4","user":"user4","verifiedStatus":"Verified"}
diff --git a/packages/sentinel_one/data_stream/threat_event/_dev/test/pipeline/test-pipeline-application.log-expected.json b/packages/sentinel_one/data_stream/threat_event/_dev/test/pipeline/test-pipeline-application.log-expected.json
new file mode 100644
index 00000000000..30cb77b3e1a
--- /dev/null
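Review bot: Every hash field in the four fixture events holds a placeholder such as `"fileMd5":"md5_001"` or `"processImageSha1Hash":"sha1_process"` rather than a hex digest of the expected length, so the pipeline's population of `file.hash.*`, `process.hash.sha1` and `related.hash` is only exercised with strings the product could never emit, and a later processor that lowercases, validates or deduplicates hashes would pass these tests without being covered. The same applies to `agentUuid` ("uuid_001") and `id`. Using well-formed sample digests (32/40/64 hex characters), as the rally template earlier in this commit already does, would make the fixture representative. Also, `processIsWow64` and `processIsRedirectedCommandProcessor` are given as the strings `"false"`/`"true"` while the other `*Is*` flags are JSON booleans; if the API can emit booleans for these two as well, that path is untested here.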
+++ b/packages/sentinel_one/data_stream/threat_event/_dev/test/pipeline/test-pipeline-application.log-expected.json 
@@ -0,0 +1,825 @@ +{ + "expected": [ + { + "@timestamp": "2025-10-25T10:15:30.000Z", + "destination": { + "ip": "127.0.0.1", + "port": 80 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "created": "2025-10-25T10:15:30.000Z", + "id": "id_001", + "kind": "event", + "original": "{\"activeContentFileId\":\"fileid_001\",\"activeContentHash\":\"hash_001\",\"activeContentPath\":\"C:\\\\content\\\\file1\",\"agentDomain\":\"domain1\",\"agentGroupId\":\"group_01\",\"agentId\":\"agent_001\",\"agentInfected\":false,\"agentIp\":\"89.160.20.128\",\"agentIsActive\":true,\"agentIsDecommissioned\":false,\"agentMachineType\":\"x64\",\"agentName\":\"Agent_1\",\"agentNetworkStatus\":\"online\",\"agentOs\":\"Windows 10\",\"agentUuid\":\"uuid_001\",\"agentVersion\":\"1.0.5\",\"connectionStatus\":\"active\",\"createdAt\":\"2025-10-25T10:15:30Z\",\"direction\":\"outbound\",\"dnsRequest\":\"example.com\",\"dnsResponse\":\"192.168.0.1\",\"dstIp\":\"127.0.0.1\",\"dstPort\":80,\"eventType\":\"network\",\"fileFullName\":\"C:\\\\Windows\\\\explorer.exe\",\"fileId\":\"file_001\",\"fileMd5\":\"md5_001\",\"fileSha1\":\"sha1_001\",\"fileSha256\":\"sha256_001\",\"fileSize\":\"1024\",\"fileType\":\"exe\",\"hasActiveContent\":true,\"id\":\"id_001\",\"indicatorCategory\":\"malware\",\"indicatorDescription\":\"suspicious activity\",\"indicatorMetadata\":\"meta1\",\"indicatorName\":\"Malware1\",\"loginsBaseType\":\"local\",\"loginsUserName\":\"user_login1\",\"md5\":\"md5_sample\",\"networkMethod\":\"GET\",\"networkSource\":\"LAN\",\"networkUrl\":\"http:\\/\\/example.com\",\"objectType\":\"process\",\"oldFileMd5\":\"old_md5\",\"oldFileName\":\"explorer_old.exe\",\"oldFileSha1\":\"old_sha1\",\"oldFileSha256\":\"old_sha256\",\"parentPid\":\"1001\",\"parentProcessGroupId\":\"group_parent_01\",\"parentProcessIsMalicious\":false,\"parentProcessName\":\"cmd.exe\",\"parentProcessUniqueKey\":\"unique_parent_001\",\"pid\":\"1234\",\"processCmd\":\"explorer \\/start\",\"processDisplayName\":\"Windows 
Explorer\",\"processGroupId\":\"group_01\",\"processImagePath\":\"C:\\\\Windows\\\\explorer.exe\",\"processImageSha1Hash\":\"sha1_process\",\"processIntegrityLevel\":\"high\",\"processIsMalicious\":false,\"processIsRedirectedCommandProcessor\":\"false\",\"processIsWow64\":\"false\",\"processName\":\"explorer.exe\",\"processRoot\":\"C:\\\\\",\"processSessionId\":\"session_001\",\"processStartTime\":\"2025-10-25T09:00:00Z\",\"processSubSystem\":\"subsystem1\",\"processUniqueKey\":\"unique_001\",\"processUserName\":\"user1\",\"protocol\":\"TCP\",\"publisher\":\"Microsoft\",\"registryClassification\":\"system\",\"registryId\":\"reg_001\",\"registryPath\":\"HKLM\\\\Software\\\\Test\",\"relatedToThreat\":false,\"rpid\":\"rpid_001\",\"sha1\":\"sha1_sample\",\"sha256\":\"sha256_sample\",\"signatureSignedInvalidReason\":\"None\",\"signedStatus\":\"Signed\",\"siteId\":\"site_001\",\"siteName\":\"SiteA\",\"srcIp\":\"89.160.20.128\",\"srcPort\":45678,\"storyline\":\"storyline1\",\"taskName\":\"task1\",\"taskPath\":\"C:\\\\Tasks\\\\task1\",\"threatStatus\":\"clean\",\"tid\":\"tid_001\",\"trueContext\":\"context1\",\"user\":\"user1\",\"verifiedStatus\":\"Verified\"}" + }, + "file": { + "hash": { + "md5": "md5_001", + "sha1": "sha1_001", + "sha256": "sha256_001" + }, + "name": "C:\\Windows\\explorer.exe", + "size": 1024, + "type": "exe" + }, + "network": { + "transport": "tcp" + }, + "process": { + "command_line": "explorer /start", + "executable": "C:\\Windows\\explorer.exe", + "hash": { + "sha1": "sha1_process" + }, + "name": "explorer.exe", + "parent": { + "name": "cmd.exe", + "pid": 1001 + }, + "pid": 1234, + "start": "2025-10-25T09:00:00.000Z", + "user": { + "name": "user1" + } + }, + "registry": { + "path": "HKLM\\Software\\Test" + }, + "related": { + "hash": [ + "sha1_001", + "sha256_001", + "md5_001", + "sha1_process" + ], + "ip": [ + "89.160.20.128", + "127.0.0.1" + ], + "user": [ + "user_login1", + "user1" + ] + }, + "sentinel_one": { + "threat_event": { + 
"active_content": { + "file_id": "fileid_001", + "hash": "hash_001", + "path": "C:\\content\\file1" + }, + "agent": { + "domain": "domain1", + "group_id": "group_01", + "id": "agent_001", + "infected": false, + "ip": "89.160.20.128", + "is_active": true, + "is_decommissioned": false, + "machine_type": "x64", + "name": "Agent_1", + "network_status": "online", + "os": "Windows 10", + "uuid": "uuid_001", + "version": "1.0.5" + }, + "connection_status": "active", + "created_at": "2025-10-25T10:15:30.000Z", + "direction": "outbound", + "dns_request": "example.com", + "dns_response": "192.168.0.1", + "dst": { + "ip": "127.0.0.1", + "port": 80 + }, + "event_type": "network", + "file": { + "full_name": "C:\\Windows\\explorer.exe", + "id": "file_001", + "md5": "md5_001", + "sha1": "sha1_001", + "sha256": "sha256_001", + "size": "1024", + "type": "exe" + }, + "has_active_content": true, + "id": "id_001", + "indicator": { + "category": "malware", + "description": "suspicious activity", + "metadata": "meta1", + "name": "Malware1" + }, + "logins_base_type": "local", + "logins_user_name": "user_login1", + "md5": "md5_sample", + "network": { + "method": "GET", + "source": "LAN", + "url": "http://example.com" + }, + "object_type": "process", + "old_file": { + "md5": "old_md5", + "name": "explorer_old.exe", + "sha1": "old_sha1", + "sha256": "old_sha256" + }, + "parent_pid": "1001", + "parent_process": { + "group_id": "group_parent_01", + "is_malicious": false, + "name": "cmd.exe", + "unique_key": "unique_parent_001" + }, + "pid": "1234", + "process": { + "cmd": "explorer /start", + "display_name": "Windows Explorer", + "group_id": "group_01", + "image_path": "C:\\Windows\\explorer.exe", + "image_sha1_hash": "sha1_process", + "integrity_level": "high", + "is_malicious": false, + "is_redirected_command_processor": "false", + "is_wow64": "false", + "name": "explorer.exe", + "root": "C:\\", + "session_id": "session_001", + "start_time": "2025-10-25T09:00:00.000Z", + "sub_system": 
"subsystem1", + "unique_key": "unique_001", + "user_name": "user1" + }, + "protocol": "TCP", + "publisher": "Microsoft", + "registry": { + "classification": "system", + "id": "reg_001", + "path": "HKLM\\Software\\Test" + }, + "related_to_threat": false, + "rpid": "rpid_001", + "sha1": "sha1_sample", + "sha256": "sha256_sample", + "signature_signed_invalid_reason": "None", + "signed_status": "Signed", + "site": { + "id": "site_001", + "name": "SiteA" + }, + "src": { + "ip": "89.160.20.128", + "port": 45678 + }, + "storyline": "storyline1", + "task_name": "task1", + "task_path": "C:\\Tasks\\task1", + "threat_status": "clean", + "tid": "tid_001", + "true_context": "context1", + "user": "user1", + "verified_status": "Verified" + } + }, + "source": { + "ip": "89.160.20.128", + "port": 45678 + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "description": "suspicious activity", + "name": "Malware1" + } + }, + "url": { + "full": "http://example.com" + }, + "user": { + "name": "user1" + } + }, + { + "@timestamp": "2025-10-24T14:20:00.000Z", + "destination": { + "ip": "127.0.0.1", + "port": 443 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "created": "2025-10-24T14:20:00.000Z", + "id": "id_002", + "kind": "event", + "original": "{\"activeContentFileId\":\"fileid_002\",\"activeContentHash\":\"hash_002\",\"activeContentPath\":\"D:\\\\content\\\\file2\",\"agentDomain\":\"domain2\",\"agentGroupId\":\"group_02\",\"agentId\":\"agent_002\",\"agentInfected\":true,\"agentIp\":\"89.160.20.156\",\"agentIsActive\":true,\"agentIsDecommissioned\":false,\"agentMachineType\":\"x86\",\"agentName\":\"Agent_2\",\"agentNetworkStatus\":\"offline\",\"agentOs\":\"Windows Server 
2019\",\"agentUuid\":\"uuid_002\",\"agentVersion\":\"1.0.7\",\"connectionStatus\":\"inactive\",\"createdAt\":\"2025-10-24T14:20:00Z\",\"direction\":\"inbound\",\"dnsRequest\":\"test.com\",\"dnsResponse\":\"192.168.0.2\",\"dstIp\":\"127.0.0.1\",\"dstPort\":443,\"eventType\":\"network\",\"fileFullName\":\"C:\\\\Windows\\\\svchost.exe\",\"fileId\":\"file_002\",\"fileMd5\":\"md5_002\",\"fileSha1\":\"sha1_002\",\"fileSha256\":\"sha256_002\",\"fileSize\":\"2048\",\"fileType\":\"dll\",\"hasActiveContent\":false,\"id\":\"id_002\",\"indicatorCategory\":\"adware\",\"indicatorDescription\":\"suspicious file\",\"indicatorMetadata\":\"meta2\",\"indicatorName\":\"Adware2\",\"loginsBaseType\":\"domain\",\"loginsUserName\":\"user_login2\",\"md5\":\"md5_sample2\",\"networkMethod\":\"POST\",\"networkSource\":\"WAN\",\"networkUrl\":\"https:\\/\\/test.com\",\"objectType\":\"process\",\"oldFileMd5\":\"old_md52\",\"oldFileName\":\"svchost_old.exe\",\"oldFileSha1\":\"old_sha12\",\"oldFileSha256\":\"old_sha2562\",\"parentPid\":\"2001\",\"parentProcessGroupId\":\"group_parent_02\",\"parentProcessIsMalicious\":true,\"parentProcessName\":\"explorer.exe\",\"parentProcessUniqueKey\":\"unique_parent_002\",\"pid\":\"2345\",\"processCmd\":\"svchost \\/run\",\"processDisplayName\":\"Service 
Host\",\"processGroupId\":\"group_02\",\"processImagePath\":\"C:\\\\Windows\\\\svchost.exe\",\"processImageSha1Hash\":\"sha1_process2\",\"processIntegrityLevel\":\"medium\",\"processIsMalicious\":true,\"processIsRedirectedCommandProcessor\":\"false\",\"processIsWow64\":\"true\",\"processName\":\"svchost.exe\",\"processRoot\":\"D:\\\\\",\"processSessionId\":\"session_002\",\"processStartTime\":\"2025-10-24T13:00:00Z\",\"processSubSystem\":\"subsystem2\",\"processUniqueKey\":\"unique_002\",\"processUserName\":\"user2\",\"protocol\":\"UDP\",\"publisher\":\"Adobe\",\"registryClassification\":\"application\",\"registryId\":\"reg_002\",\"registryPath\":\"HKCU\\\\Software\\\\Test2\",\"relatedToThreat\":true,\"rpid\":\"rpid_002\",\"sha1\":\"sha1_sample2\",\"sha256\":\"sha256_sample2\",\"signatureSignedInvalidReason\":\"Invalid\",\"signedStatus\":\"Unsigned\",\"siteId\":\"site_002\",\"siteName\":\"SiteB\",\"srcIp\":\"89.160.20.156\",\"srcPort\":56789,\"storyline\":\"storyline2\",\"taskName\":\"task2\",\"taskPath\":\"D:\\\\Tasks\\\\task2\",\"threatStatus\":\"threat\",\"tid\":\"tid_002\",\"trueContext\":\"context2\",\"user\":\"user2\",\"verifiedStatus\":\"Unverified\"}" + }, + "file": { + "hash": { + "md5": "md5_002", + "sha1": "sha1_002", + "sha256": "sha256_002" + }, + "name": "C:\\Windows\\svchost.exe", + "size": 2048, + "type": "dll" + }, + "network": { + "transport": "udp" + }, + "process": { + "command_line": "svchost /run", + "executable": "C:\\Windows\\svchost.exe", + "hash": { + "sha1": "sha1_process2" + }, + "name": "svchost.exe", + "parent": { + "name": "explorer.exe", + "pid": 2001 + }, + "pid": 2345, + "start": "2025-10-24T13:00:00.000Z", + "user": { + "name": "user2" + } + }, + "registry": { + "path": "HKCU\\Software\\Test2" + }, + "related": { + "hash": [ + "sha1_002", + "sha256_002", + "md5_002", + "sha1_process2" + ], + "ip": [ + "89.160.20.156", + "127.0.0.1" + ], + "user": [ + "user_login2", + "user2" + ] + }, + "sentinel_one": { + "threat_event": { + 
"active_content": { + "file_id": "fileid_002", + "hash": "hash_002", + "path": "D:\\content\\file2" + }, + "agent": { + "domain": "domain2", + "group_id": "group_02", + "id": "agent_002", + "infected": true, + "ip": "89.160.20.156", + "is_active": true, + "is_decommissioned": false, + "machine_type": "x86", + "name": "Agent_2", + "network_status": "offline", + "os": "Windows Server 2019", + "uuid": "uuid_002", + "version": "1.0.7" + }, + "connection_status": "inactive", + "created_at": "2025-10-24T14:20:00.000Z", + "direction": "inbound", + "dns_request": "test.com", + "dns_response": "192.168.0.2", + "dst": { + "ip": "127.0.0.1", + "port": 443 + }, + "event_type": "network", + "file": { + "full_name": "C:\\Windows\\svchost.exe", + "id": "file_002", + "md5": "md5_002", + "sha1": "sha1_002", + "sha256": "sha256_002", + "size": "2048", + "type": "dll" + }, + "has_active_content": false, + "id": "id_002", + "indicator": { + "category": "adware", + "description": "suspicious file", + "metadata": "meta2", + "name": "Adware2" + }, + "logins_base_type": "domain", + "logins_user_name": "user_login2", + "md5": "md5_sample2", + "network": { + "method": "POST", + "source": "WAN", + "url": "https://test.com" + }, + "object_type": "process", + "old_file": { + "md5": "old_md52", + "name": "svchost_old.exe", + "sha1": "old_sha12", + "sha256": "old_sha2562" + }, + "parent_pid": "2001", + "parent_process": { + "group_id": "group_parent_02", + "is_malicious": true, + "name": "explorer.exe", + "unique_key": "unique_parent_002" + }, + "pid": "2345", + "process": { + "cmd": "svchost /run", + "display_name": "Service Host", + "group_id": "group_02", + "image_path": "C:\\Windows\\svchost.exe", + "image_sha1_hash": "sha1_process2", + "integrity_level": "medium", + "is_malicious": true, + "is_redirected_command_processor": "false", + "is_wow64": "true", + "name": "svchost.exe", + "root": "D:\\", + "session_id": "session_002", + "start_time": "2025-10-24T13:00:00.000Z", + "sub_system": 
"subsystem2", + "unique_key": "unique_002", + "user_name": "user2" + }, + "protocol": "UDP", + "publisher": "Adobe", + "registry": { + "classification": "application", + "id": "reg_002", + "path": "HKCU\\Software\\Test2" + }, + "related_to_threat": true, + "rpid": "rpid_002", + "sha1": "sha1_sample2", + "sha256": "sha256_sample2", + "signature_signed_invalid_reason": "Invalid", + "signed_status": "Unsigned", + "site": { + "id": "site_002", + "name": "SiteB" + }, + "src": { + "ip": "89.160.20.156", + "port": 56789 + }, + "storyline": "storyline2", + "task_name": "task2", + "task_path": "D:\\Tasks\\task2", + "threat_status": "threat", + "tid": "tid_002", + "true_context": "context2", + "user": "user2", + "verified_status": "Unverified" + } + }, + "source": { + "ip": "89.160.20.156", + "port": 56789 + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "description": "suspicious file", + "name": "Adware2" + } + }, + "url": { + "full": "https://test.com" + }, + "user": { + "name": "user2" + } + }, + { + "@timestamp": "2025-10-23T08:45:00.000Z", + "destination": { + "ip": "89.160.20.128", + "port": 8080 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "created": "2025-10-23T08:45:00.000Z", + "id": "id_003", + "kind": "event", + "original": "{\"activeContentFileId\":\"fileid_003\",\"activeContentHash\":\"hash_003\",\"activeContentPath\":\"C:\\\\content\\\\file3\",\"agentDomain\":\"domain3\",\"agentGroupId\":\"group_03\",\"agentId\":\"agent_003\",\"agentInfected\":true,\"agentIp\":\"127.0.0.1\",\"agentIsActive\":false,\"agentIsDecommissioned\":true,\"agentMachineType\":\"x64\",\"agentName\":\"Agent_3\",\"agentNetworkStatus\":\"online\",\"agentOs\":\"Windows 
11\",\"agentUuid\":\"uuid_003\",\"agentVersion\":\"1.2.0\",\"connectionStatus\":\"active\",\"createdAt\":\"2025-10-23T08:45:00Z\",\"direction\":\"outbound\",\"dnsRequest\":\"example.org\",\"dnsResponse\":\"192.168.0.3\",\"dstIp\":\"89.160.20.128\",\"dstPort\":8080,\"eventType\":\"file\",\"fileFullName\":\"C:\\\\Windows\\\\notepad.exe\",\"fileId\":\"file_003\",\"fileMd5\":\"md5_003\",\"fileSha1\":\"sha1_003\",\"fileSha256\":\"sha256_003\",\"fileSize\":\"512\",\"fileType\":\"exe\",\"hasActiveContent\":true,\"id\":\"id_003\",\"indicatorCategory\":\"ransomware\",\"indicatorDescription\":\"encrypted file\",\"indicatorMetadata\":\"meta3\",\"indicatorName\":\"Ransomware3\",\"loginsBaseType\":\"local\",\"loginsUserName\":\"user_login3\",\"md5\":\"md5_sample3\",\"networkMethod\":\"GET\",\"networkSource\":\"LAN\",\"networkUrl\":\"http:\\/\\/example.org\",\"objectType\":\"process\",\"oldFileMd5\":\"old_md53\",\"oldFileName\":\"notepad_old.exe\",\"oldFileSha1\":\"old_sha13\",\"oldFileSha256\":\"old_sha2563\",\"parentPid\":\"3001\",\"parentProcessGroupId\":\"group_parent_03\",\"parentProcessIsMalicious\":true,\"parentProcessName\":\"explorer.exe\",\"parentProcessUniqueKey\":\"unique_parent_003\",\"pid\":\"3456\",\"processCmd\":\"notepad.exe 
\\/open\",\"processDisplayName\":\"Notepad\",\"processGroupId\":\"group_03\",\"processImagePath\":\"C:\\\\Windows\\\\notepad.exe\",\"processImageSha1Hash\":\"sha1_process3\",\"processIntegrityLevel\":\"low\",\"processIsMalicious\":true,\"processIsRedirectedCommandProcessor\":\"false\",\"processIsWow64\":\"false\",\"processName\":\"notepad.exe\",\"processRoot\":\"C:\\\\\",\"processSessionId\":\"session_003\",\"processStartTime\":\"2025-10-23T08:30:00Z\",\"processSubSystem\":\"subsystem3\",\"processUniqueKey\":\"unique_003\",\"processUserName\":\"user3\",\"protocol\":\"TCP\",\"publisher\":\"Microsoft\",\"registryClassification\":\"system\",\"registryId\":\"reg_003\",\"registryPath\":\"HKLM\\\\Software\\\\Test3\",\"relatedToThreat\":true,\"rpid\":\"rpid_003\",\"sha1\":\"sha1_sample3\",\"sha256\":\"sha256_sample3\",\"signatureSignedInvalidReason\":\"Expired\",\"signedStatus\":\"Signed\",\"siteId\":\"site_003\",\"siteName\":\"SiteC\",\"srcIp\":\"127.0.0.1\",\"srcPort\":23456,\"storyline\":\"storyline3\",\"taskName\":\"task3\",\"taskPath\":\"C:\\\\Tasks\\\\task3\",\"threatStatus\":\"threat\",\"tid\":\"tid_003\",\"trueContext\":\"context3\",\"user\":\"user3\",\"verifiedStatus\":\"Verified\"}" + }, + "file": { + "hash": { + "md5": "md5_003", + "sha1": "sha1_003", + "sha256": "sha256_003" + }, + "name": "C:\\Windows\\notepad.exe", + "size": 512, + "type": "exe" + }, + "network": { + "transport": "tcp" + }, + "process": { + "command_line": "notepad.exe /open", + "executable": "C:\\Windows\\notepad.exe", + "hash": { + "sha1": "sha1_process3" + }, + "name": "notepad.exe", + "parent": { + "name": "explorer.exe", + "pid": 3001 + }, + "pid": 3456, + "start": "2025-10-23T08:30:00.000Z", + "user": { + "name": "user3" + } + }, + "registry": { + "path": "HKLM\\Software\\Test3" + }, + "related": { + "hash": [ + "sha1_003", + "sha256_003", + "md5_003", + "sha1_process3" + ], + "ip": [ + "127.0.0.1", + "89.160.20.128" + ], + "user": [ + "user_login3", + "user3" + ] + }, + 
"sentinel_one": { + "threat_event": { + "active_content": { + "file_id": "fileid_003", + "hash": "hash_003", + "path": "C:\\content\\file3" + }, + "agent": { + "domain": "domain3", + "group_id": "group_03", + "id": "agent_003", + "infected": true, + "ip": "127.0.0.1", + "is_active": false, + "is_decommissioned": true, + "machine_type": "x64", + "name": "Agent_3", + "network_status": "online", + "os": "Windows 11", + "uuid": "uuid_003", + "version": "1.2.0" + }, + "connection_status": "active", + "created_at": "2025-10-23T08:45:00.000Z", + "direction": "outbound", + "dns_request": "example.org", + "dns_response": "192.168.0.3", + "dst": { + "ip": "89.160.20.128", + "port": 8080 + }, + "event_type": "file", + "file": { + "full_name": "C:\\Windows\\notepad.exe", + "id": "file_003", + "md5": "md5_003", + "sha1": "sha1_003", + "sha256": "sha256_003", + "size": "512", + "type": "exe" + }, + "has_active_content": true, + "id": "id_003", + "indicator": { + "category": "ransomware", + "description": "encrypted file", + "metadata": "meta3", + "name": "Ransomware3" + }, + "logins_base_type": "local", + "logins_user_name": "user_login3", + "md5": "md5_sample3", + "network": { + "method": "GET", + "source": "LAN", + "url": "http://example.org" + }, + "object_type": "process", + "old_file": { + "md5": "old_md53", + "name": "notepad_old.exe", + "sha1": "old_sha13", + "sha256": "old_sha2563" + }, + "parent_pid": "3001", + "parent_process": { + "group_id": "group_parent_03", + "is_malicious": true, + "name": "explorer.exe", + "unique_key": "unique_parent_003" + }, + "pid": "3456", + "process": { + "cmd": "notepad.exe /open", + "display_name": "Notepad", + "group_id": "group_03", + "image_path": "C:\\Windows\\notepad.exe", + "image_sha1_hash": "sha1_process3", + "integrity_level": "low", + "is_malicious": true, + "is_redirected_command_processor": "false", + "is_wow64": "false", + "name": "notepad.exe", + "root": "C:\\", + "session_id": "session_003", + "start_time": 
"2025-10-23T08:30:00.000Z", + "sub_system": "subsystem3", + "unique_key": "unique_003", + "user_name": "user3" + }, + "protocol": "TCP", + "publisher": "Microsoft", + "registry": { + "classification": "system", + "id": "reg_003", + "path": "HKLM\\Software\\Test3" + }, + "related_to_threat": true, + "rpid": "rpid_003", + "sha1": "sha1_sample3", + "sha256": "sha256_sample3", + "signature_signed_invalid_reason": "Expired", + "signed_status": "Signed", + "site": { + "id": "site_003", + "name": "SiteC" + }, + "src": { + "ip": "127.0.0.1", + "port": 23456 + }, + "storyline": "storyline3", + "task_name": "task3", + "task_path": "C:\\Tasks\\task3", + "threat_status": "threat", + "tid": "tid_003", + "true_context": "context3", + "user": "user3", + "verified_status": "Verified" + } + }, + "source": { + "ip": "127.0.0.1", + "port": 23456 + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "description": "encrypted file", + "name": "Ransomware3" + } + }, + "url": { + "full": "http://example.org" + }, + "user": { + "name": "user3" + } + }, + { + "@timestamp": "2025-10-22T11:30:00.000Z", + "destination": { + "ip": "89.160.20.128", + "port": 443 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "created": "2025-10-22T11:30:00.000Z", + "id": "id_004", + "kind": "event", + "original": "{\"activeContentFileId\":\"fileid_004\",\"activeContentHash\":\"hash_004\",\"activeContentPath\":\"D:\\\\content\\\\file4\",\"agentDomain\":\"domain4\",\"agentGroupId\":\"group_04\",\"agentId\":\"agent_004\",\"agentInfected\":false,\"agentIp\":\"89.160.20.156\",\"agentIsActive\":true,\"agentIsDecommissioned\":false,\"agentMachineType\":\"x64\",\"agentName\":\"Agent_4\",\"agentNetworkStatus\":\"online\",\"agentOs\":\"Windows 
10\",\"agentUuid\":\"uuid_004\",\"agentVersion\":\"1.3.0\",\"connectionStatus\":\"active\",\"createdAt\":\"2025-10-22T11:30:00Z\",\"direction\":\"outbound\",\"dnsRequest\":\"google.com\",\"dnsResponse\":\"8.8.8.8\",\"dstIp\":\"89.160.20.128\",\"dstPort\":443,\"eventType\":\"network\",\"fileFullName\":\"C:\\\\Program Files\\\\Chrome\\\\chrome.exe\",\"fileId\":\"file_004\",\"fileMd5\":\"md5_004\",\"fileSha1\":\"sha1_004\",\"fileSha256\":\"sha256_004\",\"fileSize\":\"4096\",\"fileType\":\"exe\",\"hasActiveContent\":false,\"id\":\"id_004\",\"indicatorCategory\":\"spyware\",\"indicatorDescription\":\"tracking software\",\"indicatorMetadata\":\"meta4\",\"indicatorName\":\"Spyware4\",\"loginsBaseType\":\"domain\",\"loginsUserName\":\"user_login4\",\"md5\":\"md5_sample4\",\"networkMethod\":\"GET\",\"networkSource\":\"WAN\",\"networkUrl\":\"https:\\/\\/google.com\",\"objectType\":\"process\",\"oldFileMd5\":\"old_md54\",\"oldFileName\":\"chrome_old.exe\",\"oldFileSha1\":\"old_sha14\",\"oldFileSha256\":\"old_sha2564\",\"parentPid\":\"4001\",\"parentProcessGroupId\":\"group_parent_04\",\"parentProcessIsMalicious\":false,\"parentProcessName\":\"explorer.exe\",\"parentProcessUniqueKey\":\"unique_parent_004\",\"pid\":\"4567\",\"processCmd\":\"chrome.exe --new-tab\",\"processDisplayName\":\"Google Chrome\",\"processGroupId\":\"group_04\",\"processImagePath\":\"C:\\\\Program 
Files\\\\Chrome\\\\chrome.exe\",\"processImageSha1Hash\":\"sha1_process4\",\"processIntegrityLevel\":\"medium\",\"processIsMalicious\":false,\"processIsRedirectedCommandProcessor\":\"false\",\"processIsWow64\":\"false\",\"processName\":\"chrome.exe\",\"processRoot\":\"C:\\\\\",\"processSessionId\":\"session_004\",\"processStartTime\":\"2025-10-22T11:00:00Z\",\"processSubSystem\":\"subsystem4\",\"processUniqueKey\":\"unique_004\",\"processUserName\":\"user4\",\"protocol\":\"TCP\",\"publisher\":\"Google\",\"registryClassification\":\"application\",\"registryId\":\"reg_004\",\"registryPath\":\"HKCU\\\\Software\\\\Test4\",\"relatedToThreat\":false,\"rpid\":\"rpid_004\",\"sha1\":\"sha1_sample4\",\"sha256\":\"sha256_sample4\",\"signatureSignedInvalidReason\":\"None\",\"signedStatus\":\"Signed\",\"siteId\":\"site_004\",\"siteName\":\"SiteD\",\"srcIp\":\"127.0.0.1\",\"srcPort\":34567,\"storyline\":\"storyline4\",\"taskName\":\"task4\",\"taskPath\":\"C:\\\\Tasks\\\\task4\",\"threatStatus\":\"clean\",\"tid\":\"tid_004\",\"trueContext\":\"context4\",\"user\":\"user4\",\"verifiedStatus\":\"Verified\"}" + }, + "file": { + "hash": { + "md5": "md5_004", + "sha1": "sha1_004", + "sha256": "sha256_004" + }, + "name": "C:\\Program Files\\Chrome\\chrome.exe", + "size": 4096, + "type": "exe" + }, + "network": { + "transport": "tcp" + }, + "process": { + "command_line": "chrome.exe --new-tab", + "executable": "C:\\Program Files\\Chrome\\chrome.exe", + "hash": { + "sha1": "sha1_process4" + }, + "name": "chrome.exe", + "parent": { + "name": "explorer.exe", + "pid": 4001 + }, + "pid": 4567, + "start": "2025-10-22T11:00:00.000Z", + "user": { + "name": "user4" + } + }, + "registry": { + "path": "HKCU\\Software\\Test4" + }, + "related": { + "hash": [ + "sha1_004", + "sha256_004", + "md5_004", + "sha1_process4" + ], + "ip": [ + "89.160.20.156", + "127.0.0.1", + "89.160.20.128" + ], + "user": [ + "user_login4", + "user4" + ] + }, + "sentinel_one": { + "threat_event": { + "active_content": { + 
"file_id": "fileid_004", + "hash": "hash_004", + "path": "D:\\content\\file4" + }, + "agent": { + "domain": "domain4", + "group_id": "group_04", + "id": "agent_004", + "infected": false, + "ip": "89.160.20.156", + "is_active": true, + "is_decommissioned": false, + "machine_type": "x64", + "name": "Agent_4", + "network_status": "online", + "os": "Windows 10", + "uuid": "uuid_004", + "version": "1.3.0" + }, + "connection_status": "active", + "created_at": "2025-10-22T11:30:00.000Z", + "direction": "outbound", + "dns_request": "google.com", + "dns_response": "8.8.8.8", + "dst": { + "ip": "89.160.20.128", + "port": 443 + }, + "event_type": "network", + "file": { + "full_name": "C:\\Program Files\\Chrome\\chrome.exe", + "id": "file_004", + "md5": "md5_004", + "sha1": "sha1_004", + "sha256": "sha256_004", + "size": "4096", + "type": "exe" + }, + "has_active_content": false, + "id": "id_004", + "indicator": { + "category": "spyware", + "description": "tracking software", + "metadata": "meta4", + "name": "Spyware4" + }, + "logins_base_type": "domain", + "logins_user_name": "user_login4", + "md5": "md5_sample4", + "network": { + "method": "GET", + "source": "WAN", + "url": "https://google.com" + }, + "object_type": "process", + "old_file": { + "md5": "old_md54", + "name": "chrome_old.exe", + "sha1": "old_sha14", + "sha256": "old_sha2564" + }, + "parent_pid": "4001", + "parent_process": { + "group_id": "group_parent_04", + "is_malicious": false, + "name": "explorer.exe", + "unique_key": "unique_parent_004" + }, + "pid": "4567", + "process": { + "cmd": "chrome.exe --new-tab", + "display_name": "Google Chrome", + "group_id": "group_04", + "image_path": "C:\\Program Files\\Chrome\\chrome.exe", + "image_sha1_hash": "sha1_process4", + "integrity_level": "medium", + "is_malicious": false, + "is_redirected_command_processor": "false", + "is_wow64": "false", + "name": "chrome.exe", + "root": "C:\\", + "session_id": "session_004", + "start_time": "2025-10-22T11:00:00.000Z", + 
"sub_system": "subsystem4", + "unique_key": "unique_004", + "user_name": "user4" + }, + "protocol": "TCP", + "publisher": "Google", + "registry": { + "classification": "application", + "id": "reg_004", + "path": "HKCU\\Software\\Test4" + }, + "related_to_threat": false, + "rpid": "rpid_004", + "sha1": "sha1_sample4", + "sha256": "sha256_sample4", + "signature_signed_invalid_reason": "None", + "signed_status": "Signed", + "site": { + "id": "site_004", + "name": "SiteD" + }, + "src": { + "ip": "127.0.0.1", + "port": 34567 + }, + "storyline": "storyline4", + "task_name": "task4", + "task_path": "C:\\Tasks\\task4", + "threat_status": "clean", + "tid": "tid_004", + "true_context": "context4", + "user": "user4", + "verified_status": "Verified" + } + }, + "source": { + "ip": "127.0.0.1", + "port": 34567 + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "description": "tracking software", + "name": "Spyware4" + } + }, + "url": { + "full": "https://google.com" + }, + "user": { + "name": "user4" + } + } + ] +} diff --git a/packages/sentinel_one/data_stream/threat_event/_dev/test/policy/test-all.expected b/packages/sentinel_one/data_stream/threat_event/_dev/test/policy/test-all.expected new file mode 100644 index 00000000000..bef08aec6c1 --- /dev/null +++ b/packages/sentinel_one/data_stream/threat_event/_dev/test/policy/test-all.expected 
@@ -0,0 +1,255 @@ +inputs: + - data_stream: + namespace: ep + meta: + package: + name: sentinel_one + name: test-all-sentinel_one + streams: + - config_version: 2 + data_stream: + dataset: sentinel_one.threat_event + interval: 30s + processors: + - add_fields: + fields: + id: "574734885120952459" + name: myproject + target: project + - add_tags: + tags: + - web + - production + target: environment + program: |- + ( + (has(state.?worklist.data) && size(state.worklist.data) > 0) ? + state + : + state.with( + request( + "GET", + state.url.trim_right("/") + "/web/api/v2.1/threats?" + { + "skipCount": ["true"], + "limit": [string(state.batch_size)], + ?"siteIds": state.?site_ids.optMap(v, [string(v)]), + ?"cursor": state.?next_page.token.optMap(v, [v]), + }.format_query() + ).with( + { + "Header": { + "Authorization": ["ApiToken " + state.api_token], + }, + } + ).do_request().as(resp, (resp.StatusCode == 200) ? + resp.Body.decode_json().as(body, + { + "worklist": body, + "next_page": { + ?"token": (body.?pagination.nextCursor.orValue(null) != null) ? optional.of(body.pagination.nextCursor) : optional.none(), + }, + "fetch_more": body.?pagination.nextCursor.orValue(null) != null, + } + ) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET " + state.url.trim_right("/") + "/web/api/v2.1/threats: " + ( + (size(resp.Body) != 0) ? + string(resp.Body) + : + string(resp.Status) + " (" + string(resp.StatusCode) + ")" + ), + }, + }, + "want_more": false, + "offset": 0, + } + ) + ) + ).as(state, + state.with( + !has(state.worklist) ? // Exit early due to GET failure. + state + : (has(state.worklist.data) && size(state.worklist.data) > 0) ? + request( + "GET", + state.url.trim_right("/") + "/web/api/v2.1/threats/" + string(state.worklist.data[0].id) + "/explore/events?" 
+ { + "skipCount": ["true"], + "limit": [string(state.batch_size)], + ?"cursor": state.?next_chain.token.optMap(v, [v]), + }.format_query() + ).with( + { + "Header": { + "Authorization": ["ApiToken " + state.api_token], + }, + } + ).do_request().as(resp, (resp.StatusCode == 200) ? + resp.Body.decode_json().as(body, + { + "events": (has(body.data) && body.data.size() > 0) ? + body.data.map(e, + { + "message": e.encode_json(), + } + ) + : + [{"message": "retry"}], + "next_chain": { + ?"token": (body.?pagination.nextCursor.orValue(null) != null) ? optional.of(body.pagination.nextCursor) : optional.none(), + }, + "worklist": { + "data": (body.?pagination.nextCursor.orValue(null) != null) ? state.worklist.data : tail(state.worklist.data), + }, + "want_more": state.?fetch_more.orValue(false) ? + state.fetch_more + : + size(state.worklist.data) > 1 || (body.?pagination.nextCursor.orValue(null) != null), + } + ) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET " + state.url.trim_right("/") + "/web/api/v2.1/threats/" + string(state.worklist.data[0].id) + "/explore/events: " + ( + (size(resp.Body) != 0) ? 
+ string(resp.Body) + : + string(resp.Status) + " (" + string(resp.StatusCode) + ")" + ), + }, + }, + "want_more": false, + } + ) + : + { + "events": [], + "want_more": false, + } + ) + ) + publisher_pipeline.disable_host: true + redact: + fields: + - api_token + resource.proxy_url: https://user:P%40ssword%23@0.0.0.0:0000 + resource.ssl: + certificate: | + -----BEGIN CERTIFICATE----- + MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + sxSmbIUfc2SGJGCJD4I= + -----END CERTIFICATE----- + certificate_authorities: + - | + -----BEGIN CERTIFICATE----- + MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + 
/D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + sxSmbIUfc2SGJGCJD4I= + -----END CERTIFICATE----- + cipher_suites: + - ECDHE-ECDSA-AES-128-CBC-SHA + - ECDHE-ECDSA-AES-256-GCM-SHA384 + curve_types: + - P-256 + enabled: true + key: | + -----BEGIN PRIVATE KEY----- + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI + sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP + Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F + KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2 + MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z + HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ + nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx + Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0 + eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/ + Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM + epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve + Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn + BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8 + VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU + zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5 + GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA + 
5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7 + TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF + hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li + e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze + Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T + kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+ + kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav + NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K + 0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc + nygO9KTJuUiBrLr0AHEnqko= + -----END PRIVATE KEY----- + supported_protocols: + - TLSv1.2 + resource.timeout: 10s + resource.tracer: + enabled: true + filename: ../../logs/cel/http-request-trace-*.ndjson + maxbackups: 5 + resource.url: http://host.tld + state: + api_token: ${SECRET_0} + batch_size: 100 + site_ids: "123" + tags: + - preserve_original_event + - preserve_duplicate_custom_fields + - forwarded + - sentinel_one-threat_event + - test-policy + type: cel + use_output: default +output_permissions: + default: + _elastic_agent_checks: + cluster: + - monitor + _elastic_agent_monitoring: + indices: [] + uuid-for-permissions-on-related-indices: + indices: + - names: + - logs-sentinel_one.threat_event-ep + privileges: + - auto_configure + - create_doc +secret_references: + - {} diff --git a/packages/sentinel_one/data_stream/threat_event/_dev/test/policy/test-all.yml b/packages/sentinel_one/data_stream/threat_event/_dev/test/policy/test-all.yml new file mode 100644 index 00000000000..4cb397913a8 --- /dev/null +++ b/packages/sentinel_one/data_stream/threat_event/_dev/test/policy/test-all.yml 
@@ -0,0 +1,105 @@ +vars: + url: http://host.tld + api_token: test_api_token + proxy_url: https://user:P%40ssword%23@0.0.0.0:0000 + ssl: | + enabled: true + supported_protocols: + - TLSv1.2 + cipher_suites: + - ECDHE-ECDSA-AES-128-CBC-SHA + - ECDHE-ECDSA-AES-256-GCM-SHA384 + curve_types: + - P-256 + certificate_authorities: + - | + -----BEGIN CERTIFICATE----- + MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + sxSmbIUfc2SGJGCJD4I= + -----END CERTIFICATE----- + certificate: | + -----BEGIN CERTIFICATE----- + MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP 
+ PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + sxSmbIUfc2SGJGCJD4I= + -----END CERTIFICATE----- + key: | + -----BEGIN PRIVATE KEY----- + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI + sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP + Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F + KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2 + MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z + HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ + nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx + Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0 + eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/ + Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM + epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve + Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn + BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8 + VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU + zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5 + GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA + 5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7 + TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF + hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li + 
e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze + Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T + kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+ + kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav + NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K + 0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc + nygO9KTJuUiBrLr0AHEnqko= + -----END PRIVATE KEY----- +data_stream: + vars: + interval: 30s + batch_size: 100 + site_ids: 123 + tags: + - forwarded + - sentinel_one-threat_event + - test-policy + enable_request_tracer: true + preserve_original_event: true + preserve_duplicate_custom_fields: true + http_client_timeout: 10s + processors: | + - add_fields: + target: project + fields: + name: myproject + id: '574734885120952459' + - add_tags: + tags: [web, production] + target: "environment" diff --git a/packages/sentinel_one/data_stream/threat_event/_dev/test/policy/test-default.expected b/packages/sentinel_one/data_stream/threat_event/_dev/test/policy/test-default.expected new file mode 100644 index 00000000000..055e6988aef --- /dev/null +++ b/packages/sentinel_one/data_stream/threat_event/_dev/test/policy/test-default.expected 
@@ -0,0 +1,161 @@ +inputs: + - data_stream: + namespace: ep + meta: + package: + name: sentinel_one + name: test-default-sentinel_one + streams: + - config_version: 2 + data_stream: + dataset: sentinel_one.threat_event + interval: 24h + program: |- + ( + (has(state.?worklist.data) && size(state.worklist.data) > 0) ? + state + : + state.with( + request( + "GET", + state.url.trim_right("/") + "/web/api/v2.1/threats?" + { + "skipCount": ["true"], + "limit": [string(state.batch_size)], + ?"siteIds": state.?site_ids.optMap(v, [string(v)]), + ?"cursor": state.?next_page.token.optMap(v, [v]), + }.format_query() + ).with( + { + "Header": { + "Authorization": ["ApiToken " + state.api_token], + }, + } + ).do_request().as(resp, (resp.StatusCode == 200) ? + resp.Body.decode_json().as(body, + { + "worklist": body, + "next_page": { + ?"token": (body.?pagination.nextCursor.orValue(null) != null) ? optional.of(body.pagination.nextCursor) : optional.none(), + }, + "fetch_more": body.?pagination.nextCursor.orValue(null) != null, + } + ) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET " + state.url.trim_right("/") + "/web/api/v2.1/threats: " + ( + (size(resp.Body) != 0) ? + string(resp.Body) + : + string(resp.Status) + " (" + string(resp.StatusCode) + ")" + ), + }, + }, + "want_more": false, + "offset": 0, + } + ) + ) + ).as(state, + state.with( + !has(state.worklist) ? // Exit early due to GET failure. + state + : (has(state.worklist.data) && size(state.worklist.data) > 0) ? + request( + "GET", + state.url.trim_right("/") + "/web/api/v2.1/threats/" + string(state.worklist.data[0].id) + "/explore/events?" + { + "skipCount": ["true"], + "limit": [string(state.batch_size)], + ?"cursor": state.?next_chain.token.optMap(v, [v]), + }.format_query() + ).with( + { + "Header": { + "Authorization": ["ApiToken " + state.api_token], + }, + } + ).do_request().as(resp, (resp.StatusCode == 200) ? 
+ resp.Body.decode_json().as(body, + { + "events": (has(body.data) && body.data.size() > 0) ? + body.data.map(e, + { + "message": e.encode_json(), + } + ) + : + [{"message": "retry"}], + "next_chain": { + ?"token": (body.?pagination.nextCursor.orValue(null) != null) ? optional.of(body.pagination.nextCursor) : optional.none(), + }, + "worklist": { + "data": (body.?pagination.nextCursor.orValue(null) != null) ? state.worklist.data : tail(state.worklist.data), + }, + "want_more": state.?fetch_more.orValue(false) ? + state.fetch_more + : + size(state.worklist.data) > 1 || (body.?pagination.nextCursor.orValue(null) != null), + } + ) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET " + state.url.trim_right("/") + "/web/api/v2.1/threats/" + string(state.worklist.data[0].id) + "/explore/events: " + ( + (size(resp.Body) != 0) ? + string(resp.Body) + : + string(resp.Status) + " (" + string(resp.StatusCode) + ")" + ), + }, + }, + "want_more": false, + } + ) + : + { + "events": [], + "want_more": false, + } + ) + ) + publisher_pipeline.disable_host: true + redact: + fields: + - api_token + resource.ssl: null + resource.timeout: 30s + resource.tracer: + enabled: false + filename: ../../logs/cel/http-request-trace-*.ndjson + maxbackups: 5 + resource.url: http://host.tld + state: + api_token: ${SECRET_0} + batch_size: 1000 + tags: + - forwarded + - sentinel_one-threat_event + type: cel + use_output: default +output_permissions: + default: + _elastic_agent_checks: + cluster: + - monitor + _elastic_agent_monitoring: + indices: [] + uuid-for-permissions-on-related-indices: + indices: + - names: + - logs-sentinel_one.threat_event-ep + privileges: + - auto_configure + - create_doc +secret_references: + - {} 
diff --git a/packages/sentinel_one/data_stream/threat_event/_dev/test/policy/test-default.yml b/packages/sentinel_one/data_stream/threat_event/_dev/test/policy/test-default.yml
new file mode 100644
index 00000000000..e7e4437e204
--- /dev/null
+++ b/packages/sentinel_one/data_stream/threat_event/_dev/test/policy/test-default.yml
@@ -0,0 +1,13 @@
+vars:
+ url: http://host.tld
+ api_token: test_api_token
+data_stream:
+ vars:
+ interval: 24h
+ batch_size: 1000
+ enable_request_tracer: false
+ preserve_original_event: false
+ http_client_timeout: 30s
+ tags:
+ - forwarded
+ - sentinel_one-threat_event
diff --git a/packages/sentinel_one/data_stream/threat_event/_dev/test/system/test-default-config.yml b/packages/sentinel_one/data_stream/threat_event/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..15e4f63bdeb
--- /dev/null
+++ b/packages/sentinel_one/data_stream/threat_event/_dev/test/system/test-default-config.yml
@@ -0,0 +1,12 @@
+input: cel
+service: sentinel_one
+vars:
+ url: http://{{Hostname}}:{{Port}}
+ api_token: xxxx
+data_stream:
+ vars:
+ batch_size: 2
+ preserve_original_event: true
+ preserve_duplicate_custom_fields: true
+assert:
+ hit_count: 4
diff --git a/packages/sentinel_one/data_stream/threat_event/agent/stream/cel.yml.hbs b/packages/sentinel_one/data_stream/threat_event/agent/stream/cel.yml.hbs
new file mode 100644
index 00000000000..c7025c32696
--- /dev/null
+++ b/packages/sentinel_one/data_stream/threat_event/agent/stream/cel.yml.hbs
@@ -0,0 +1,156 @@ +config_version: 2 +interval: {{interval}} +resource.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/cel/http-request-trace-*.ndjson" + maxbackups: 5 +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.url: {{url}} +state: + api_token: {{api_token}} + batch_size: {{batch_size}} +{{#if site_ids }} + site_ids: !!str {{site_ids}} +{{/if}} +redact: + fields: + - api_token +program: |- + ( + (has(state.?worklist.data) && size(state.worklist.data) > 0) ? + state + : + state.with( + request( + "GET", + state.url.trim_right("/") + "/web/api/v2.1/threats?" + { + "skipCount": ["true"], + "limit": [string(state.batch_size)], + ?"siteIds": state.?site_ids.optMap(v, [string(v)]), + ?"cursor": state.?next_page.token.optMap(v, [v]), + }.format_query() + ).with( + { + "Header": { + "Authorization": ["ApiToken " + state.api_token], + }, + } + ).do_request().as(resp, (resp.StatusCode == 200) ? + resp.Body.decode_json().as(body, + { + "worklist": body, + "next_page": { + ?"token": (body.?pagination.nextCursor.orValue(null) != null) ? optional.of(body.pagination.nextCursor) : optional.none(), + }, + "fetch_more": body.?pagination.nextCursor.orValue(null) != null, + } + ) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET " + state.url.trim_right("/") + "/web/api/v2.1/threats: " + ( + (size(resp.Body) != 0) ? + string(resp.Body) + : + string(resp.Status) + " (" + string(resp.StatusCode) + ")" + ), + }, + }, + "want_more": false, + "offset": 0, + } + ) + ) + ).as(state, + state.with( + !has(state.worklist) ? // Exit early due to GET failure. + state + : (has(state.worklist.data) && size(state.worklist.data) > 0) ? 
+ request( + "GET", + state.url.trim_right("/") + "/web/api/v2.1/threats/" + string(state.worklist.data[0].id) + "/explore/events?" + { + "skipCount": ["true"], + "limit": [string(state.batch_size)], + ?"cursor": state.?next_chain.token.optMap(v, [v]), + }.format_query() + ).with( + { + "Header": { + "Authorization": ["ApiToken " + state.api_token], + }, + } + ).do_request().as(resp, (resp.StatusCode == 200) ? + resp.Body.decode_json().as(body, + { + "events": (has(body.data) && body.data.size() > 0) ? + body.data.map(e, + { + "message": e.encode_json(), + } + ) + : + [{"message": "retry"}], + "next_chain": { + ?"token": (body.?pagination.nextCursor.orValue(null) != null) ? optional.of(body.pagination.nextCursor) : optional.none(), + }, + "worklist": { + "data": (body.?pagination.nextCursor.orValue(null) != null) ? state.worklist.data : tail(state.worklist.data), + }, + "want_more": state.?fetch_more.orValue(false) ? + state.fetch_more + : + size(state.worklist.data) > 1 || (body.?pagination.nextCursor.orValue(null) != null), + } + ) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET " + state.url.trim_right("/") + "/web/api/v2.1/threats/" + string(state.worklist.data[0].id) + "/explore/events: " + ( + (size(resp.Body) != 0) ? + string(resp.Body) + : + string(resp.Status) + " (" + string(resp.StatusCode) + ")" + ), + }, + }, + "want_more": false, + } + ) + : + { + "events": [], + "want_more": false, + } + ) + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} 
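Review bot: The error branch of the second `do_request().as(resp, ...)` (the `/explore/events` call) leaves `state.worklist` untouched while returning `want_more: false`, so on the next interval the first stage sees a non-empty worklist, skips the `/threats` fetch and re-requests the same `worklist.data[0].id`; a threat that persistently returns a non-200 (e.g. one that no longer exists) therefore blocks collection of every following threat and page indefinitely. If that is not the intent, advancing past the head on non-retriable client errors would unblock it, e.g. adding to that error mapping `"worklist": {"data": (resp.StatusCode >= 400 && resp.StatusCode < 500 && resp.StatusCode != 429) ? tail(state.worklist.data) : state.worklist.data},`; if indefinite retry is intended, a `// Keep worklist so the failed threat is retried next run.` comment there would make that explicit. A smaller consistency point: the first-stage error mapping sets `"offset": 0` but the second does not, and nothing in this template reads `offset`, so one of the two looks stale. Also note that `string(state.worklist.data[0].id)` is concatenated into the URL path unescaped; the ids appear to be numeric strings from the API, but a guard such as `.matches("^[0-9]+$")` before building the path would make that assumption explicit.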
diff --git a/packages/sentinel_one/data_stream/threat_event/elasticsearch/ilm/default_policy.json b/packages/sentinel_one/data_stream/threat_event/elasticsearch/ilm/default_policy.json
new file mode 100644
index 00000000000..24bbfc79405
--- /dev/null
+++ b/packages/sentinel_one/data_stream/threat_event/elasticsearch/ilm/default_policy.json
@@ -0,0 +1,20 @@
+{
+ "policy": {
+ "phases": {
+ "hot": {
+ "actions": {
+ "rollover": {
+ "max_age": "30d",
+ "max_primary_shard_size": "50gb"
+ }
+ }
+ },
+ "delete": {
+ "min_age": "30d",
+ "actions": {
+ "delete": {}
+ }
+ }
+ }
+ }
+}
diff --git a/packages/sentinel_one/data_stream/threat_event/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/data_stream/threat_event/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..75502a61ee3
--- /dev/null
+++ b/packages/sentinel_one/data_stream/threat_event/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,889 @@ +--- +description: Pipeline for processing threat_event logs. +processors: + - drop: + description: Ignore retry placeholder message. + if: ctx.message == "retry" + - set: + field: ecs.version + tag: set_ecs_version + value: 8.17.0 + - terminate: + tag: data_collection_error + if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null + description: error message set and no data to process. + - set: + field: event.kind + tag: set_event_kind + value: event + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null + - remove: + field: + - organization + - division + - team + ignore_missing: true + if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String + tag: remove_agentless_tags + description: >- + Removes the fields added by Agentless as metadata, + as they can collide with ECS fields. 
+ - json: + field: event.original + tag: json_event_original + target_field: json + - rename: + field: json.id + tag: rename_id + target_field: sentinel_one.threat_event.id + ignore_missing: true + - rename: + field: json.objectType + tag: rename_objectType + target_field: sentinel_one.threat_event.object_type + ignore_missing: true + - date: + field: json.createdAt + tag: date_createdAt + target_field: sentinel_one.threat_event.created_at + formats: + - ISO8601 + if: ctx.json?.createdAt != null && ctx.json.createdAt != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.processName + tag: rename_processName + target_field: sentinel_one.threat_event.process.name + ignore_missing: true + - rename: + field: json.agentName + tag: rename_agentName + target_field: sentinel_one.threat_event.agent.name + ignore_missing: true + - rename: + field: json.agentGroupId + tag: rename_agentGroupId + target_field: sentinel_one.threat_event.agent.group_id + ignore_missing: true + - rename: + field: json.agentId + tag: rename_agentId + target_field: sentinel_one.threat_event.agent.id + ignore_missing: true + - convert: + field: json.agentIsActive + tag: convert_agentIsActive_to_boolean + target_field: sentinel_one.threat_event.agent.is_active + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.agentIsDecommissioned + tag: convert_agentIsDecommissioned_to_boolean + target_field: sentinel_one.threat_event.agent.is_decommissioned + type: boolean + ignore_missing: true + on_failure: + - 
append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.agentMachineType + tag: rename_agentMachineType + target_field: sentinel_one.threat_event.agent.machine_type + ignore_missing: true + - rename: + field: json.agentNetworkStatus + tag: rename_agentNetworkStatus + target_field: sentinel_one.threat_event.agent.network_status + ignore_missing: true + - rename: + field: json.agentOs + tag: rename_agentOs + target_field: sentinel_one.threat_event.agent.os + ignore_missing: true + - rename: + field: json.agentVersion + tag: rename_agentVersion + target_field: sentinel_one.threat_event.agent.version + ignore_missing: true + - rename: + field: json.agentUuid + tag: rename_agentUuid + target_field: sentinel_one.threat_event.agent.uuid + ignore_missing: true + - rename: + field: json.siteId + tag: rename_siteId + target_field: sentinel_one.threat_event.site.id + ignore_missing: true + - rename: + field: json.siteName + tag: rename_siteName + target_field: sentinel_one.threat_event.site.name + ignore_missing: true + - rename: + field: json.pid + tag: rename_pid + target_field: sentinel_one.threat_event.pid + ignore_missing: true + - convert: + field: json.srcIp + tag: convert_srcIp_to_ip + target_field: sentinel_one.threat_event.src.ip + type: ip + if: ctx.json?.srcIp != '' + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.srcPort + tag: convert_srcPort_to_long + target_field: sentinel_one.threat_event.src.port + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 
'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.dstIp + tag: convert_dstIp_to_ip + target_field: sentinel_one.threat_event.dst.ip + type: ip + if: ctx.json?.dstIp != '' + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.dstPort + tag: convert_dstPort_to_long + target_field: sentinel_one.threat_event.dst.port + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.fileSha1 + tag: rename_fileSha1 + target_field: sentinel_one.threat_event.file.sha1 + ignore_missing: true + - rename: + field: json.fileSha256 + tag: rename_fileSha256 + target_field: sentinel_one.threat_event.file.sha256 + ignore_missing: true + - rename: + field: json.fileMd5 + tag: rename_fileMd5 + target_field: sentinel_one.threat_event.file.md5 + ignore_missing: true + - rename: + field: json.oldFileSha1 + tag: rename_oldFileSha1 + target_field: sentinel_one.threat_event.old_file.sha1 + ignore_missing: true + - rename: + field: json.oldFileSha256 + tag: rename_oldFileSha256 + target_field: sentinel_one.threat_event.old_file.sha256 + ignore_missing: true + - rename: + field: json.oldFileMd5 + tag: rename_oldFileMd5 + target_field: sentinel_one.threat_event.old_file.md5 + ignore_missing: true + - rename: + field: json.signatureSignedInvalidReason + tag: rename_signatureSignedInvalidReason + target_field: 
sentinel_one.threat_event.signature_signed_invalid_reason + ignore_missing: true + - rename: + field: json.verifiedStatus + tag: rename_verifiedStatus + target_field: sentinel_one.threat_event.verified_status + ignore_missing: true + - rename: + field: json.signedStatus + tag: rename_signedStatus + target_field: sentinel_one.threat_event.signed_status + ignore_missing: true + - rename: + field: json.sha256 + tag: rename_sha256 + target_field: sentinel_one.threat_event.sha256 + ignore_missing: true + - rename: + field: json.sha1 + tag: rename_sha1 + target_field: sentinel_one.threat_event.sha1 + ignore_missing: true + - rename: + field: json.md5 + tag: rename_md5 + target_field: sentinel_one.threat_event.md5 + ignore_missing: true + - rename: + field: json.fileFullName + tag: rename_fileFullName + target_field: sentinel_one.threat_event.file.full_name + ignore_missing: true + - rename: + field: json.oldFileName + tag: rename_oldFileName + target_field: sentinel_one.threat_event.old_file.name + ignore_missing: true + - rename: + field: json.tid + tag: rename_tid + target_field: sentinel_one.threat_event.tid + ignore_missing: true + - rename: + field: json.rpid + tag: rename_rpid + target_field: sentinel_one.threat_event.rpid + ignore_missing: true + - rename: + field: json.dnsRequest + tag: rename_dnsRequest + target_field: sentinel_one.threat_event.dns_request + ignore_missing: true + - rename: + field: json.dnsResponse + tag: rename_dnsResponse + target_field: sentinel_one.threat_event.dns_response + ignore_missing: true + - rename: + field: json.processCmd + tag: rename_processCmd + target_field: sentinel_one.threat_event.process.cmd + ignore_missing: true + - rename: + field: json.processGroupId + tag: rename_processGroupId + target_field: sentinel_one.threat_event.process.group_id + ignore_missing: true + - rename: + field: json.processImagePath + tag: rename_processImagePath + target_field: sentinel_one.threat_event.process.image_path + ignore_missing: true + - 
rename: + field: json.processUserName + tag: rename_processUserName + target_field: sentinel_one.threat_event.process.user_name + ignore_missing: true + - rename: + field: json.processImageSha1Hash + tag: rename_processImageSha1Hash + target_field: sentinel_one.threat_event.process.image_sha1_hash + ignore_missing: true + - rename: + field: json.processUniqueKey + tag: rename_processUniqueKey + target_field: sentinel_one.threat_event.process.unique_key + ignore_missing: true + - date: + field: json.processStartTime + tag: date_processStartTime + target_field: sentinel_one.threat_event.process.start_time + formats: + - ISO8601 + if: ctx.json?.processStartTime != null && ctx.json.processStartTime != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.processSubSystem + tag: rename_processSubSystem + target_field: sentinel_one.threat_event.process.sub_system + ignore_missing: true + - rename: + field: json.processSessionId + tag: rename_processSessionId + target_field: sentinel_one.threat_event.process.session_id + ignore_missing: true + - rename: + field: json.processIntegrityLevel + tag: rename_processIntegrityLevel + target_field: sentinel_one.threat_event.process.integrity_level + ignore_missing: true + - rename: + field: json.processDisplayName + tag: rename_processDisplayName + target_field: sentinel_one.threat_event.process.display_name + ignore_missing: true + - rename: + field: json.processIsWow64 + tag: rename_processIsWow64 + target_field: sentinel_one.threat_event.process.is_wow64 + ignore_missing: true + - rename: + field: json.processIsRedirectedCommandProcessor + tag: rename_processIsRedirectedCommandProcessor + target_field: sentinel_one.threat_event.process.is_redirected_command_processor + ignore_missing: true + - 
rename: + field: json.processRoot + tag: rename_processRoot + target_field: sentinel_one.threat_event.process.root + ignore_missing: true + - rename: + field: json.parentProcessName + tag: rename_parentProcessName + target_field: sentinel_one.threat_event.parent_process.name + ignore_missing: true + - rename: + field: json.parentPid + tag: rename_parentPid + target_field: sentinel_one.threat_event.parent_pid + ignore_missing: true + - rename: + field: json.parentProcessUniqueKey + tag: rename_parentProcessUniqueKey + target_field: sentinel_one.threat_event.parent_process.unique_key + ignore_missing: true + - rename: + field: json.networkSource + tag: rename_networkSource + target_field: sentinel_one.threat_event.network.source + ignore_missing: true + - rename: + field: json.networkUrl + tag: rename_networkUrl + target_field: sentinel_one.threat_event.network.url + ignore_missing: true + - rename: + field: json.networkMethod + tag: rename_networkMethod + target_field: sentinel_one.threat_event.network.method + ignore_missing: true + - rename: + field: json.direction + tag: rename_direction + target_field: sentinel_one.threat_event.direction + ignore_missing: true + - rename: + field: json.eventType + tag: rename_eventType + target_field: sentinel_one.threat_event.event_type + ignore_missing: true + - rename: + field: json.registryPath + tag: rename_registryPath + target_field: sentinel_one.threat_event.registry.path + ignore_missing: true + - rename: + field: json.registryId + tag: rename_registryId + target_field: sentinel_one.threat_event.registry.id + ignore_missing: true + - rename: + field: json.registryClassification + tag: rename_registryClassification + target_field: sentinel_one.threat_event.registry.classification + ignore_missing: true + - rename: + field: json.taskName + tag: rename_taskName + target_field: sentinel_one.threat_event.task_name + ignore_missing: true + - rename: + field: json.taskPath + tag: rename_taskPath + target_field: 
sentinel_one.threat_event.task_path + ignore_missing: true + - rename: + field: json.trueContext + tag: rename_trueContext + target_field: sentinel_one.threat_event.true_context + ignore_missing: true + - rename: + field: json.storyline + tag: rename_storyline + target_field: sentinel_one.threat_event.storyline + ignore_missing: true + - rename: + field: json.fileId + tag: rename_fileId + target_field: sentinel_one.threat_event.file.id + ignore_missing: true + - rename: + field: json.loginsUserName + tag: rename_loginsUserName + target_field: sentinel_one.threat_event.logins_user_name + ignore_missing: true + - append: + field: related.user + tag: append_logins_user_name_into_related_user + value: '{{{sentinel_one.threat_event.logins_user_name}}}' + if: ctx.sentinel_one?.threat_event?.logins_user_name != null + allow_duplicates: false + - rename: + field: json.loginsBaseType + tag: rename_loginsBaseType + target_field: sentinel_one.threat_event.logins_base_type + ignore_missing: true + - rename: + field: json.indicatorCategory + tag: rename_indicatorCategory + target_field: sentinel_one.threat_event.indicator.category + ignore_missing: true + - rename: + field: json.indicatorDescription + tag: rename_indicatorDescription + target_field: sentinel_one.threat_event.indicator.description + ignore_missing: true + - rename: + field: json.indicatorMetadata + tag: rename_indicatorMetadata + target_field: sentinel_one.threat_event.indicator.metadata + ignore_missing: true + - rename: + field: json.indicatorName + tag: rename_indicatorName + target_field: sentinel_one.threat_event.indicator.name + ignore_missing: true + - rename: + field: json.connectionStatus + tag: rename_connectionStatus + target_field: sentinel_one.threat_event.connection_status + ignore_missing: true + - rename: + field: json.publisher + tag: rename_publisher + target_field: sentinel_one.threat_event.publisher + ignore_missing: true + - convert: + field: json.agentInfected + tag: 
convert_agentInfected_to_boolean + target_field: sentinel_one.threat_event.agent.infected + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.agentDomain + tag: rename_agentDomain + target_field: sentinel_one.threat_event.agent.domain + ignore_missing: true + - convert: + field: json.agentIp + tag: convert_agentIp_to_ip + target_field: sentinel_one.threat_event.agent.ip + type: ip + if: ctx.json?.agentIp != '' + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: related.ip + tag: append_agent_ip_into_related_ip + value: '{{{sentinel_one.threat_event.agent.ip}}}' + if: ctx.sentinel_one?.threat_event?.agent?.ip != null + allow_duplicates: false + - rename: + field: json.user + tag: rename_user + target_field: sentinel_one.threat_event.user + ignore_missing: true + - convert: + field: json.relatedToThreat + tag: convert_relatedToThreat_to_boolean + target_field: sentinel_one.threat_event.related_to_threat + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.threatStatus + tag: rename_threatStatus + target_field: sentinel_one.threat_event.threat_status + ignore_missing: true + - rename: + field: json.protocol + tag: rename_protocol + target_field: sentinel_one.threat_event.protocol + 
ignore_missing: true + - convert: + field: json.hasActiveContent + tag: convert_hasActiveContent_to_boolean + target_field: sentinel_one.threat_event.has_active_content + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.activeContentFileId + tag: rename_activeContentFileId + target_field: sentinel_one.threat_event.active_content.file_id + ignore_missing: true + - rename: + field: json.activeContentPath + tag: rename_activeContentPath + target_field: sentinel_one.threat_event.active_content.path + ignore_missing: true + - rename: + field: json.activeContentHash + tag: rename_activeContentHash + target_field: sentinel_one.threat_event.active_content.hash + ignore_missing: true + - convert: + field: json.processIsMalicious + tag: convert_processIsMalicious_to_boolean + target_field: sentinel_one.threat_event.process.is_malicious + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.parentProcessGroupId + tag: rename_parentProcessGroupId + target_field: sentinel_one.threat_event.parent_process.group_id + ignore_missing: true + - convert: + field: json.parentProcessIsMalicious + tag: convert_parentProcessIsMalicious_to_boolean + target_field: sentinel_one.threat_event.parent_process.is_malicious + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed 
with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.fileSize + tag: rename_fileSize + target_field: sentinel_one.threat_event.file.size + ignore_missing: true + - rename: + field: json.fileType + tag: rename_fileType + target_field: sentinel_one.threat_event.file.type + ignore_missing: true + - set: + field: '@timestamp' + tag: set_timestamp + copy_from: sentinel_one.threat_event.created_at + ignore_empty_value: true + - set: + field: event.id + tag: set_event_id + copy_from: sentinel_one.threat_event.id + ignore_empty_value: true + - set: + field: event.created + tag: set_event_created + copy_from: sentinel_one.threat_event.created_at + ignore_empty_value: true + - set: + field: process.name + tag: set_process_name + copy_from: sentinel_one.threat_event.process.name + ignore_empty_value: true + - convert: + field: sentinel_one.threat_event.pid + tag: convert_event_pid_to_long + target_field: process.pid + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.ip + tag: set_source_ip + copy_from: sentinel_one.threat_event.src.ip + ignore_empty_value: true + - append: + field: related.ip + tag: append_source_ip_into_related_ip + value: '{{{source.ip}}}' + if: ctx.source?.ip != null + allow_duplicates: false + - set: + field: source.port + tag: set_source_port + copy_from: sentinel_one.threat_event.src.port + ignore_empty_value: true + - set: + field: destination.ip + tag: set_destination_ip + copy_from: sentinel_one.threat_event.dst.ip + ignore_empty_value: true + - append: + field: related.ip + tag: append_destination_ip_into_related_ip + value: '{{{destination.ip}}}' + if: ctx.destination?.ip != null + allow_duplicates: false + - set: + field: destination.port + tag: 
set_destination_port + copy_from: sentinel_one.threat_event.dst.port + ignore_empty_value: true + - set: + field: file.hash.sha1 + tag: set_file_hash_sha1 + copy_from: sentinel_one.threat_event.file.sha1 + ignore_empty_value: true + - append: + field: related.hash + tag: append_file_hash_sha1_into_related_hash + value: '{{{file.hash.sha1}}}' + if: ctx.file?.hash?.sha1 != null + allow_duplicates: false + - set: + field: file.hash.sha256 + tag: set_file_hash_sha256 + copy_from: sentinel_one.threat_event.file.sha256 + ignore_empty_value: true + - append: + field: related.hash + tag: append_file_hash_sha256_into_related_hash + value: '{{{file.hash.sha256}}}' + if: ctx.file?.hash?.sha256 != null + allow_duplicates: false + - set: + field: file.hash.md5 + tag: set_file_hash_md5 + copy_from: sentinel_one.threat_event.file.md5 + ignore_empty_value: true + - append: + field: related.hash + tag: append_file_hash_md5_into_related_hash + value: '{{{file.hash.md5}}}' + if: ctx.file?.hash?.md5 != null + allow_duplicates: false + - set: + field: file.name + tag: set_file_name + copy_from: sentinel_one.threat_event.file.full_name + ignore_empty_value: true + - set: + field: process.command_line + tag: set_process_command_line + copy_from: sentinel_one.threat_event.process.cmd + ignore_empty_value: true + - set: + field: process.executable + tag: set_process_executable + copy_from: sentinel_one.threat_event.process.image_path + ignore_empty_value: true + - set: + field: process.user.name + tag: set_process_user_name + copy_from: sentinel_one.threat_event.process.user_name + ignore_empty_value: true + - append: + field: related.user + tag: append_process_user_name_into_related_user + value: '{{{process.user.name}}}' + if: ctx.process?.user?.name != null + allow_duplicates: false + - set: + field: process.hash.sha1 + tag: set_process_hash_sha1 + copy_from: sentinel_one.threat_event.process.image_sha1_hash + ignore_empty_value: true + - append: + field: related.hash + tag: 
append_process_hash_sha1_into_related_hash + value: '{{{process.hash.sha1}}}' + if: ctx.process?.hash?.sha1 != null + allow_duplicates: false + - set: + field: process.start + tag: set_process_start + copy_from: sentinel_one.threat_event.process.start_time + ignore_empty_value: true + - set: + field: process.parent.name + tag: set_process_parent_name + copy_from: sentinel_one.threat_event.parent_process.name + ignore_empty_value: true + - convert: + field: sentinel_one.threat_event.parent_pid + tag: convert_event_parent_pid_to_long + target_field: process.parent.pid + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: url.full + tag: set_url_full + copy_from: sentinel_one.threat_event.network.url + ignore_empty_value: true + - set: + field: registry.path + tag: set_registry_path + copy_from: sentinel_one.threat_event.registry.path + ignore_empty_value: true + - set: + field: threat.indicator.description + tag: set_threat_indicator_description + copy_from: sentinel_one.threat_event.indicator.description + ignore_empty_value: true + - set: + field: threat.indicator.name + tag: set_threat_indicator_name + copy_from: sentinel_one.threat_event.indicator.name + ignore_empty_value: true + - set: + field: user.name + tag: set_user_name + copy_from: sentinel_one.threat_event.user + ignore_empty_value: true + - append: + field: related.user + tag: append_user_name_into_related_user + value: '{{{user.name}}}' + if: ctx.user?.name != null + allow_duplicates: false + - lowercase: + field: sentinel_one.threat_event.protocol + tag: lowercase_network_transport + target_field: network.transport + ignore_missing: true + - convert: + field: sentinel_one.threat_event.file.size + tag: convert_file_size_to_long + target_field: 
file.size + type: long + if: ctx.sentinel_one?.threat_event?.file.size != '' + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: file.type + tag: set_file_type + copy_from: sentinel_one.threat_event.file.type + ignore_empty_value: true + - remove: + field: + - sentinel_one.threat_event.created_at + - sentinel_one.threat_event.dst.ip + - sentinel_one.threat_event.dst.port + - sentinel_one.threat_event.file.full_name + - sentinel_one.threat_event.file.md5 + - sentinel_one.threat_event.file.sha1 + - sentinel_one.threat_event.file.sha256 + - sentinel_one.threat_event.file.size + - sentinel_one.threat_event.file.type + - sentinel_one.threat_event.id + - sentinel_one.threat_event.indicator.description + - sentinel_one.threat_event.indicator.name + - sentinel_one.threat_event.network.url + - sentinel_one.threat_event.parent_pid + - sentinel_one.threat_event.parent_process.name + - sentinel_one.threat_event.pid + - sentinel_one.threat_event.process.cmd + - sentinel_one.threat_event.process.image_path + - sentinel_one.threat_event.process.image_sha1_hash + - sentinel_one.threat_event.process.name + - sentinel_one.threat_event.process.start_time + - sentinel_one.threat_event.process.user_name + - sentinel_one.threat_event.protocol + - sentinel_one.threat_event.registry.path + - sentinel_one.threat_event.src.ip + - sentinel_one.threat_event.src.port + - sentinel_one.threat_event.user + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) + - remove: + field: json + tag: remove_json + ignore_missing: true + - script: + tag: script_to_drop_null_values + lang: painless + description: This script processor iterates over the whole document to remove 
fields with null values. + source: |- + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + - set: + field: event.kind + tag: set_pipeline_error_into_event_kind + value: pipeline_error + if: ctx.error?.message != null + - append: + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: |- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/sentinel_one/data_stream/threat_event/fields/base-fields.yml b/packages/sentinel_one/data_stream/threat_event/fields/base-fields.yml new file mode 100644 index 00000000000..b70a66fc311 --- /dev/null +++ b/packages/sentinel_one/data_stream/threat_event/fields/base-fields.yml 
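Review bot: The condition on the `convert_file_size_to_long` processor near the end of the hunk, `if: ctx.sentinel_one?.threat_event?.file.size != ''`, is missing the null-safe operator before `size`: for an event that carries none of the file* fields, `sentinel_one.threat_event` exists (the id/agent renames create it) but `file` does not, so the condition dereferences a null `file` and the processor fails instead of being skipped — `ignore_missing: true` does not help because the `if` script runs first, and the failure lands in the pipeline-level `on_failure`, marking an otherwise good document as `pipeline_error`. Every other condition in the pipeline uses the full null-safe chain (`ctx.json?.srcIp`, `ctx.file?.hash?.sha1`), so this looks like a typo; the fix is `if: ctx.sentinel_one?.threat_event?.file?.size != ''`. Separately, the pipeline sets `event.kind: event` but never sets `event.category` or `event.type`, although it renames `json.eventType` to `sentinel_one.threat_event.event_type` and maps process, file, network, DNS and registry fields; if categorization is intentionally left out, a short `description:` on the `set_event_kind` processor saying so would stop the next reader from assuming it was forgotten.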
@@ -0,0 +1,16 @@ +- name: data_stream.type + external: ecs +- name: data_stream.dataset + external: ecs +- name: data_stream.namespace + external: ecs +- name: event.module + type: constant_keyword + external: ecs + value: sentinel_one +- name: event.dataset + type: constant_keyword + external: ecs + value: sentinel_one.threat_event +- name: '@timestamp' + external: ecs diff --git a/packages/sentinel_one/data_stream/threat_event/fields/beats.yml b/packages/sentinel_one/data_stream/threat_event/fields/beats.yml new file mode 100644 index 00000000000..4084f1dc7f5 --- /dev/null +++ b/packages/sentinel_one/data_stream/threat_event/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/sentinel_one/data_stream/threat_event/fields/fields.yml b/packages/sentinel_one/data_stream/threat_event/fields/fields.yml new file mode 100644 index 00000000000..6e0f674146a --- /dev/null +++ b/packages/sentinel_one/data_stream/threat_event/fields/fields.yml 
@@ -0,0 +1,228 @@ +- name: sentinel_one + type: group + fields: + - name: threat_event + type: group + fields: + - name: id + type: keyword + - name: object_type + type: keyword + - name: created_at + type: date + - name: process + type: group + fields: + - name: name + type: keyword + - name: cmd + type: keyword + - name: group_id + type: keyword + - name: image_path + type: keyword + - name: user_name + type: keyword + - name: image_sha1_hash + type: keyword + - name: unique_key + type: keyword + - name: start_time + type: date + - name: sub_system + type: keyword + - name: session_id + type: keyword + - name: integrity_level + type: keyword + - name: display_name + type: keyword + - name: is_wow64 + type: keyword + - name: is_redirected_command_processor + type: keyword + - name: root + type: keyword + - name: is_malicious + type: boolean + - name: agent + type: group + fields: + - name: name + type: keyword + - name: group_id + type: keyword + - name: id + type: keyword + - name: is_active + type: boolean + - name: is_decommissioned + type: boolean + - name: machine_type + type: keyword + - name: network_status + type: keyword + - name: os + type: keyword + - name: version + type: keyword + - name: uuid + type: keyword + - name: infected + type: boolean + - name: domain + type: keyword + - name: ip + type: ip + - name: site + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: pid + type: keyword + - name: src + type: group + fields: + - name: ip + type: ip + - name: port + type: long + - name: dst + type: group + fields: + - name: ip + type: ip + - name: port + type: long + - name: file + type: group + fields: + - name: sha1 + type: keyword + - name: sha256 + type: keyword + - name: md5 + type: keyword + - name: full_name + type: keyword + - name: id + type: keyword + - name: size + type: keyword + - name: type + type: keyword + - name: old_file + type: group + fields: + - name: sha1 + type: keyword + - name: sha256 + 
type: keyword + - name: md5 + type: keyword + - name: name + type: keyword + - name: signature_signed_invalid_reason + type: keyword + - name: verified_status + type: keyword + - name: signed_status + type: keyword + - name: sha256 + type: keyword + - name: sha1 + type: keyword + - name: md5 + type: keyword + - name: tid + type: keyword + - name: rpid + type: keyword + - name: dns_request + type: keyword + - name: dns_response + type: keyword + - name: parent_process + type: group + fields: + - name: name + type: keyword + - name: unique_key + type: keyword + - name: group_id + type: keyword + - name: is_malicious + type: boolean + - name: parent_pid + type: keyword + - name: network + type: group + fields: + - name: source + type: keyword + - name: url + type: keyword + - name: method + type: keyword + - name: direction + type: keyword + - name: event_type + type: keyword + - name: registry + type: group + fields: + - name: path + type: keyword + - name: id + type: keyword + - name: classification + type: keyword + - name: task_name + type: keyword + - name: task_path + type: keyword + - name: true_context + type: keyword + - name: storyline + type: keyword + - name: logins_user_name + type: keyword + - name: logins_base_type + type: keyword + - name: indicator + type: group + fields: + - name: category + type: keyword + - name: description + type: keyword + - name: metadata + type: keyword + - name: name + type: keyword + - name: connection_status + type: keyword + - name: publisher + type: keyword + - name: user + type: keyword + - name: related_to_threat + type: boolean + - name: threat_status + type: keyword + - name: protocol + type: keyword + - name: has_active_content + type: boolean + - name: active_content + type: group + fields: + - name: file_id + type: keyword + - name: path + type: keyword + - name: hash + type: keyword 
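Review bot: None of the `sentinel_one.threat_event.*` leaves in this hunk carries a `description:`, which is why the exported-fields table generated for the README later in this diff renders an empty Description column for every custom field (e.g. `| sentinel_one.threat_event.active_content.file_id | | keyword |`). A one-line description per leaf, such as `description: SHA-256 hash of the file involved in the event.` under `file.sha256`, and a note on `process.is_wow64` and `process.is_redirected_command_processor` that the API delivers them as strings (`"false"` in the sample event), which is why they are `keyword` rather than `boolean`, would make the mapping reviewable. Separately, `file.size` is mapped as `keyword` while the ECS copy of the same value in the sample event is numeric (`file.size: 4096`); if range queries on size are wanted for the custom field, `type: long` is the usual choice, hedged because the API returns it as the string `"4096"`.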
diff --git a/packages/sentinel_one/data_stream/threat_event/lifecycle.yml b/packages/sentinel_one/data_stream/threat_event/lifecycle.yml
new file mode 100644
index 00000000000..b56a81e81d7
--- /dev/null
+++ b/packages/sentinel_one/data_stream/threat_event/lifecycle.yml
@@ -0,0 +1 @@
+data_retention: "30d"
diff --git a/packages/sentinel_one/data_stream/threat_event/manifest.yml b/packages/sentinel_one/data_stream/threat_event/manifest.yml
new file mode 100644
index 00000000000..0ede5556415
--- /dev/null
+++ b/packages/sentinel_one/data_stream/threat_event/manifest.yml
@@ -0,0 +1,81 @@ +title: Collect Threat Event logs from SentinelOne +type: logs +ilm_policy: logs-sentinel_one.threat_event-default_policy +streams: + - input: cel + title: Threat Event logs + description: Collect threat event logs from SentinelOne. + enabled: false + template_path: cel.yml.hbs + vars: + - name: interval + type: text + title: Interval + description: Duration between requests to the Sentinel One API. Supported units for this parameter are h/m/s. + default: 24h + multi: false + required: true + show_user: true + - name: batch_size + type: integer + title: Batch Size + description: Batch size for the response of the Sentinel One API. The maximum supported page size value is 1000. + default: 1000 + multi: false + required: true + show_user: false + - name: site_ids + type: text + title: Site IDs + multi: false + required: false + show_user: false + description: Comma separated list of Site IDs to filter by. Example - "225494730938493804,225494730938493915". + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s + - name: enable_request_tracer + type: bool + title: Enable request tracing + default: false + multi: false + required: false + show_user: false + description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details. 
+ - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - sentinel_one-threat_event + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: false + show_user: false + title: Preserve duplicate custom fields + description: Preserve sentinel_one.threat_event fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/sentinel_one/data_stream/threat_event/sample_event.json b/packages/sentinel_one/data_stream/threat_event/sample_event.json new file mode 100644 index 00000000000..ac10de66e7e --- /dev/null +++ b/packages/sentinel_one/data_stream/threat_event/sample_event.json 
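Review bot: The `interval` variable defaults to `24h`, which for a threat-event feed means a detection can reach the SIEM up to a day after SentinelOne recorded it; unless API rate limits require it (the intervals used by the other data streams are not visible in this diff), a shorter default such as `default: 5m`, or at least a sentence in the description stating the latency trade-off, would serve detection engineering better. `preserve_duplicate_custom_fields` is the only `type: bool` variable in this file without a `default:`; adding `default: false` keeps it consistent with `preserve_original_event` and `enable_request_tracer`. The descriptions for `interval` and `batch_size` write the product as `Sentinel One API` while the rest of the diff uses `SentinelOne`; one spelling would be tidier.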
@@ -0,0 +1,232 @@ +{ + "@timestamp": "2025-10-22T11:30:00.000Z", + "agent": { + "ephemeral_id": "cb480124-a03c-47cc-9451-f52e3e80bc47", + "id": "0d5383c7-da8f-4e33-a9c8-ea303876fbd9", + "name": "elastic-agent-26678", + "type": "filebeat", + "version": "8.18.7" + }, + "data_stream": { + "dataset": "sentinel_one.threat_event", + "namespace": "82630", + "type": "logs" + }, + "destination": { + "ip": "89.160.20.128", + "port": 443 + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "0d5383c7-da8f-4e33-a9c8-ea303876fbd9", + "snapshot": false, + "version": "8.18.7" + }, + "event": { + "agent_id_status": "verified", + "created": "2025-10-22T11:30:00.000Z", + "dataset": "sentinel_one.threat_event", + "id": "id_004", + "ingested": "2025-10-27T07:44:21Z", + "kind": "event", + "original": "{\"activeContentFileId\":\"fileid_004\",\"activeContentHash\":\"hash_004\",\"activeContentPath\":\"D:\\\\content\\\\file4\",\"agentDomain\":\"domain4\",\"agentGroupId\":\"group_04\",\"agentId\":\"agent_004\",\"agentInfected\":false,\"agentIp\":\"89.160.20.156\",\"agentIsActive\":true,\"agentIsDecommissioned\":false,\"agentMachineType\":\"x64\",\"agentName\":\"Agent_4\",\"agentNetworkStatus\":\"online\",\"agentOs\":\"Windows 10\",\"agentUuid\":\"uuid_004\",\"agentVersion\":\"1.3.0\",\"connectionStatus\":\"active\",\"createdAt\":\"2025-10-22T11:30:00Z\",\"direction\":\"outbound\",\"dnsRequest\":\"google.com\",\"dnsResponse\":\"8.8.8.8\",\"dstIp\":\"89.160.20.128\",\"dstPort\":443,\"eventType\":\"network\",\"fileFullName\":\"C:\\\\Program Files\\\\Chrome\\\\chrome.exe\",\"fileId\":\"file_004\",\"fileMd5\":\"md5_004\",\"fileSha1\":\"sha1_004\",\"fileSha256\":\"sha256_004\",\"fileSize\":\"4096\",\"fileType\":\"exe\",\"hasActiveContent\":false,\"id\":\"id_004\",\"indicatorCategory\":\"spyware\",\"indicatorDescription\":\"tracking 
software\",\"indicatorMetadata\":\"meta4\",\"indicatorName\":\"Spyware4\",\"loginsBaseType\":\"domain\",\"loginsUserName\":\"user_login4\",\"md5\":\"md5_sample4\",\"networkMethod\":\"GET\",\"networkSource\":\"WAN\",\"networkUrl\":\"https://google.com\",\"objectType\":\"process\",\"oldFileMd5\":\"old_md54\",\"oldFileName\":\"chrome_old.exe\",\"oldFileSha1\":\"old_sha14\",\"oldFileSha256\":\"old_sha2564\",\"parentPid\":\"4001\",\"parentProcessGroupId\":\"group_parent_04\",\"parentProcessIsMalicious\":false,\"parentProcessName\":\"explorer.exe\",\"parentProcessUniqueKey\":\"unique_parent_004\",\"pid\":\"4567\",\"processCmd\":\"chrome.exe --new-tab\",\"processDisplayName\":\"Google Chrome\",\"processGroupId\":\"group_04\",\"processImagePath\":\"C:\\\\Program Files\\\\Chrome\\\\chrome.exe\",\"processImageSha1Hash\":\"sha1_process4\",\"processIntegrityLevel\":\"medium\",\"processIsMalicious\":false,\"processIsRedirectedCommandProcessor\":\"false\",\"processIsWow64\":\"false\",\"processName\":\"chrome.exe\",\"processRoot\":\"C:\\\\\",\"processSessionId\":\"session_004\",\"processStartTime\":\"2025-10-22T11:00:00Z\",\"processSubSystem\":\"subsystem4\",\"processUniqueKey\":\"unique_004\",\"processUserName\":\"user4\",\"protocol\":\"TCP\",\"publisher\":\"Google\",\"registryClassification\":\"application\",\"registryId\":\"reg_004\",\"registryPath\":\"HKCU\\\\Software\\\\Test4\",\"relatedToThreat\":false,\"rpid\":\"rpid_004\",\"sha1\":\"sha1_sample4\",\"sha256\":\"sha256_sample4\",\"signatureSignedInvalidReason\":\"None\",\"signedStatus\":\"Signed\",\"siteId\":\"site_004\",\"siteName\":\"SiteD\",\"srcIp\":\"127.0.0.1\",\"srcPort\":34567,\"storyline\":\"storyline4\",\"taskName\":\"task4\",\"taskPath\":\"C:\\\\Tasks\\\\task4\",\"threatStatus\":\"clean\",\"tid\":\"tid_004\",\"trueContext\":\"context4\",\"user\":\"user4\",\"verifiedStatus\":\"Verified\"}" + }, + "file": { + "hash": { + "md5": "md5_004", + "sha1": "sha1_004", + "sha256": "sha256_004" + }, + "name": "C:\\Program 
Files\\Chrome\\chrome.exe", + "size": 4096, + "type": "exe" + }, + "input": { + "type": "cel" + }, + "network": { + "transport": "tcp" + }, + "process": { + "command_line": "chrome.exe --new-tab", + "executable": "C:\\Program Files\\Chrome\\chrome.exe", + "hash": { + "sha1": "sha1_process4" + }, + "name": "chrome.exe", + "parent": { + "name": "explorer.exe", + "pid": 4001 + }, + "pid": 4567, + "start": "2025-10-22T11:00:00.000Z", + "user": { + "name": "user4" + } + }, + "registry": { + "path": "HKCU\\Software\\Test4" + }, + "related": { + "hash": [ + "sha1_004", + "sha256_004", + "md5_004", + "sha1_process4" + ], + "ip": [ + "89.160.20.156", + "127.0.0.1", + "89.160.20.128" + ], + "user": [ + "user_login4", + "user4" + ] + }, + "sentinel_one": { + "threat_event": { + "active_content": { + "file_id": "fileid_004", + "hash": "hash_004", + "path": "D:\\content\\file4" + }, + "agent": { + "domain": "domain4", + "group_id": "group_04", + "id": "agent_004", + "infected": false, + "ip": "89.160.20.156", + "is_active": true, + "is_decommissioned": false, + "machine_type": "x64", + "name": "Agent_4", + "network_status": "online", + "os": "Windows 10", + "uuid": "uuid_004", + "version": "1.3.0" + }, + "connection_status": "active", + "created_at": "2025-10-22T11:30:00.000Z", + "direction": "outbound", + "dns_request": "google.com", + "dns_response": "8.8.8.8", + "dst": { + "ip": "89.160.20.128", + "port": 443 + }, + "event_type": "network", + "file": { + "full_name": "C:\\Program Files\\Chrome\\chrome.exe", + "id": "file_004", + "md5": "md5_004", + "sha1": "sha1_004", + "sha256": "sha256_004", + "size": "4096", + "type": "exe" + }, + "has_active_content": false, + "id": "id_004", + "indicator": { + "category": "spyware", + "description": "tracking software", + "metadata": "meta4", + "name": "Spyware4" + }, + "logins_base_type": "domain", + "logins_user_name": "user_login4", + "md5": "md5_sample4", + "network": { + "method": "GET", + "source": "WAN", + "url": 
"https://google.com" + }, + "object_type": "process", + "old_file": { + "md5": "old_md54", + "name": "chrome_old.exe", + "sha1": "old_sha14", + "sha256": "old_sha2564" + }, + "parent_pid": "4001", + "parent_process": { + "group_id": "group_parent_04", + "is_malicious": false, + "name": "explorer.exe", + "unique_key": "unique_parent_004" + }, + "pid": "4567", + "process": { + "cmd": "chrome.exe --new-tab", + "display_name": "Google Chrome", + "group_id": "group_04", + "image_path": "C:\\Program Files\\Chrome\\chrome.exe", + "image_sha1_hash": "sha1_process4", + "integrity_level": "medium", + "is_malicious": false, + "is_redirected_command_processor": "false", + "is_wow64": "false", + "name": "chrome.exe", + "root": "C:\\", + "session_id": "session_004", + "start_time": "2025-10-22T11:00:00.000Z", + "sub_system": "subsystem4", + "unique_key": "unique_004", + "user_name": "user4" + }, + "protocol": "TCP", + "publisher": "Google", + "registry": { + "classification": "application", + "id": "reg_004", + "path": "HKCU\\Software\\Test4" + }, + "related_to_threat": false, + "rpid": "rpid_004", + "sha1": "sha1_sample4", + "sha256": "sha256_sample4", + "signature_signed_invalid_reason": "None", + "signed_status": "Signed", + "site": { + "id": "site_004", + "name": "SiteD" + }, + "src": { + "ip": "127.0.0.1", + "port": 34567 + }, + "storyline": "storyline4", + "task_name": "task4", + "task_path": "C:\\Tasks\\task4", + "threat_status": "clean", + "tid": "tid_004", + "true_context": "context4", + "user": "user4", + "verified_status": "Verified" + } + }, + "source": { + "ip": "127.0.0.1", + "port": 34567 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "sentinel_one-threat_event" + ], + "threat": { + "indicator": { + "description": "tracking software", + "name": "Spyware4" + } + }, + "url": { + "full": "https://google.com" + }, + "user": { + "name": "user4" + } +} 
diff --git a/packages/sentinel_one/docs/README.md b/packages/sentinel_one/docs/README.md
index 96f18bc9714..3c65a1c247e 100644
--- a/packages/sentinel_one/docs/README.md
+++ b/packages/sentinel_one/docs/README.md
@@ -1,17 +1,36 @@ -# SentinelOne +# SentinelOne Integration for Elastic + +## Overview The [SentinelOne](https://www.sentinelone.com/) integration collects and parses data from SentinelOne REST APIs. This integration also offers the capability to perform response actions on SentinelOne hosts directly through the Elastic Security interface (introduced with v8.12.0). Additional configuration is required; for detailed guidance, refer to [documentation](https://www.elastic.co/guide/en/security/current/response-actions-config.html). -## Agentless Enabled Integration -Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). +### Compatibility -Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. +This module has been tested against `SentinelOne Management Console API version 2.1`. -## Compatibility +### How it works -This module has been tested against `SentinelOne Management Console API version 2.1`. +This integration periodically queries the SentinelOne REST API to retrieve Activity, Agent, Alert, Application, Application Risk, Group, Threat and Threat Event logs. + +## What data does this integration collect? + +This integration collects log messages of the following types: + +- `Activity`: Captures general actions or events occurring within the SentinelOne environment, such as policy updates or administrative operations. 
+- `Agent`: Provides details about endpoint agents, including their status, configuration, and activity on protected devices. +- `Alert`: Represents security notifications triggered by detected suspicious or malicious activity requiring attention. +- `Application`: Logs information about installed or executed applications identified on endpoints. +- `Application Risk`: Assesses and records the risk level or reputation of discovered applications based on behavior and source. +- `Group`: Contains configuration and status information for endpoint groups within a site or tenant. +- `Threat`: Logs confirmed malicious detections, such as malware, exploits, or ransomware identified by SentinelOne. +- `Threat Event`: Provides detailed event-level information related to a specific threat, including process, file, and network indicators. + +### Supported use cases +Integrating SentinelOne Activity, Agent, Alert, Application, Application Risk, Group, Threat, and Threat Event logs with Elastic SIEM provides centralized visibility across endpoint operations and security events. Dashboards deliver insights into agent status, detections, application behavior, and threat lifecycle, helping SOC teams quickly identify malicious activity, enforce policy compliance, and accelerate investigation and response efforts. + +## What do I need to use this integration? -## API token +### From SentinelOne To collect data from SentinelOne APIs, you must have an API token. To create an API token, follow these steps: 
@@ -36,29 +55,63 @@ To collect data from SentinelOne APIs, you must have an API token. To create an | Application Risk | Applications -> viewRisks | | Group | Groups -> view | | Threat | Threats -> view | +| Threat Event | Threats -> view | ## Note The **alert** data stream depends on STAR Custom Rules. STAR Custom Rules are supported in Cloud environments, but are not supported in on-premises environments. Because of this, the **alert** data stream is not supported in on-premises environments. +## How do I deploy this integration? + +This integration supports both Elastic Agentless-based and Agent-based installations. + +### Agentless-based installation + +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. + +### Agent-based installation + +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host. + ## Troubleshooting - The API token generated by the user is time-limited. The user must reconfigure a new API token before it expires. - For console users, the default expiration time limit is 30 days. - For service users, the expiration time limit is the same as the duration specified while generating the API token. 
-## Alert severity mapping +## Setup -The values used in `event.severity` are consistent with Elastic Detection Rules. +1. In the top search bar in Kibana, search for **Integrations**. +2. In the search bar, type **SentinelOne**. +3. Select the **SentinelOne** integration from the search results. +4. Select **Add SentinelOne** to add the integration. +5. Enable and configure only the collection methods which you will use. -| Severity Name | `event.severity` | -|---------------|:----------------:| -| Low | 21 | -| Medium | 47 | -| High | 73 | -| Critical | 99 | + * To **Collect SentinelOne logs via API**, you'll need to: -## Logs + - Configure **URL** and **API Token**. + - Enable/Disable the required datasets. + - For each dataset, adjust the integration configuration parameters if required, including the Interval, Preserve original event etc. to enable data collection. + +6. Select **Save and continue** to save the integration. + +### Validation + +#### Dashboards populated + +1. In the top search bar in Kibana, search for **Dashboards**. +2. In the search bar, type **SentinelOne**. +3. Select a dashboard for the dataset you are collecting, and verify the dashboard information is populated. + +## Performance and scaling + +For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation. + +## Reference + +### Logs reference ### activity 
@@ -1732,3 +1785,351 @@ An example event for `threat` looks as following: | sentinel_one.threat.threat_id | Threat id. | keyword | | sentinel_one.threat.whitening_option | Whitening options. | keyword | + +### threat event + +This is the `threat event` dataset. + +An example event for `threat_event` looks as following: + +```json +{ + "@timestamp": "2025-10-22T11:30:00.000Z", + "agent": { + "ephemeral_id": "cb480124-a03c-47cc-9451-f52e3e80bc47", + "id": "0d5383c7-da8f-4e33-a9c8-ea303876fbd9", + "name": "elastic-agent-26678", + "type": "filebeat", + "version": "8.18.7" + }, + "data_stream": { + "dataset": "sentinel_one.threat_event", + "namespace": "82630", + "type": "logs" + }, + "destination": { + "ip": "89.160.20.128", + "port": 443 + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "0d5383c7-da8f-4e33-a9c8-ea303876fbd9", + "snapshot": false, + "version": "8.18.7" + }, + "event": { + "agent_id_status": "verified", + "created": "2025-10-22T11:30:00.000Z", + "dataset": "sentinel_one.threat_event", + "id": "id_004", + "ingested": "2025-10-27T07:44:21Z", + "kind": "event", + "original": "{\"activeContentFileId\":\"fileid_004\",\"activeContentHash\":\"hash_004\",\"activeContentPath\":\"D:\\\\content\\\\file4\",\"agentDomain\":\"domain4\",\"agentGroupId\":\"group_04\",\"agentId\":\"agent_004\",\"agentInfected\":false,\"agentIp\":\"89.160.20.156\",\"agentIsActive\":true,\"agentIsDecommissioned\":false,\"agentMachineType\":\"x64\",\"agentName\":\"Agent_4\",\"agentNetworkStatus\":\"online\",\"agentOs\":\"Windows 10\",\"agentUuid\":\"uuid_004\",\"agentVersion\":\"1.3.0\",\"connectionStatus\":\"active\",\"createdAt\":\"2025-10-22T11:30:00Z\",\"direction\":\"outbound\",\"dnsRequest\":\"google.com\",\"dnsResponse\":\"8.8.8.8\",\"dstIp\":\"89.160.20.128\",\"dstPort\":443,\"eventType\":\"network\",\"fileFullName\":\"C:\\\\Program 
Files\\\\Chrome\\\\chrome.exe\",\"fileId\":\"file_004\",\"fileMd5\":\"md5_004\",\"fileSha1\":\"sha1_004\",\"fileSha256\":\"sha256_004\",\"fileSize\":\"4096\",\"fileType\":\"exe\",\"hasActiveContent\":false,\"id\":\"id_004\",\"indicatorCategory\":\"spyware\",\"indicatorDescription\":\"tracking software\",\"indicatorMetadata\":\"meta4\",\"indicatorName\":\"Spyware4\",\"loginsBaseType\":\"domain\",\"loginsUserName\":\"user_login4\",\"md5\":\"md5_sample4\",\"networkMethod\":\"GET\",\"networkSource\":\"WAN\",\"networkUrl\":\"https://google.com\",\"objectType\":\"process\",\"oldFileMd5\":\"old_md54\",\"oldFileName\":\"chrome_old.exe\",\"oldFileSha1\":\"old_sha14\",\"oldFileSha256\":\"old_sha2564\",\"parentPid\":\"4001\",\"parentProcessGroupId\":\"group_parent_04\",\"parentProcessIsMalicious\":false,\"parentProcessName\":\"explorer.exe\",\"parentProcessUniqueKey\":\"unique_parent_004\",\"pid\":\"4567\",\"processCmd\":\"chrome.exe --new-tab\",\"processDisplayName\":\"Google Chrome\",\"processGroupId\":\"group_04\",\"processImagePath\":\"C:\\\\Program 
Files\\\\Chrome\\\\chrome.exe\",\"processImageSha1Hash\":\"sha1_process4\",\"processIntegrityLevel\":\"medium\",\"processIsMalicious\":false,\"processIsRedirectedCommandProcessor\":\"false\",\"processIsWow64\":\"false\",\"processName\":\"chrome.exe\",\"processRoot\":\"C:\\\\\",\"processSessionId\":\"session_004\",\"processStartTime\":\"2025-10-22T11:00:00Z\",\"processSubSystem\":\"subsystem4\",\"processUniqueKey\":\"unique_004\",\"processUserName\":\"user4\",\"protocol\":\"TCP\",\"publisher\":\"Google\",\"registryClassification\":\"application\",\"registryId\":\"reg_004\",\"registryPath\":\"HKCU\\\\Software\\\\Test4\",\"relatedToThreat\":false,\"rpid\":\"rpid_004\",\"sha1\":\"sha1_sample4\",\"sha256\":\"sha256_sample4\",\"signatureSignedInvalidReason\":\"None\",\"signedStatus\":\"Signed\",\"siteId\":\"site_004\",\"siteName\":\"SiteD\",\"srcIp\":\"127.0.0.1\",\"srcPort\":34567,\"storyline\":\"storyline4\",\"taskName\":\"task4\",\"taskPath\":\"C:\\\\Tasks\\\\task4\",\"threatStatus\":\"clean\",\"tid\":\"tid_004\",\"trueContext\":\"context4\",\"user\":\"user4\",\"verifiedStatus\":\"Verified\"}" + }, + "file": { + "hash": { + "md5": "md5_004", + "sha1": "sha1_004", + "sha256": "sha256_004" + }, + "name": "C:\\Program Files\\Chrome\\chrome.exe", + "size": 4096, + "type": "exe" + }, + "input": { + "type": "cel" + }, + "network": { + "transport": "tcp" + }, + "process": { + "command_line": "chrome.exe --new-tab", + "executable": "C:\\Program Files\\Chrome\\chrome.exe", + "hash": { + "sha1": "sha1_process4" + }, + "name": "chrome.exe", + "parent": { + "name": "explorer.exe", + "pid": 4001 + }, + "pid": 4567, + "start": "2025-10-22T11:00:00.000Z", + "user": { + "name": "user4" + } + }, + "registry": { + "path": "HKCU\\Software\\Test4" + }, + "related": { + "hash": [ + "sha1_004", + "sha256_004", + "md5_004", + "sha1_process4" + ], + "ip": [ + "89.160.20.156", + "127.0.0.1", + "89.160.20.128" + ], + "user": [ + "user_login4", + "user4" + ] + }, + "sentinel_one": { + 
"threat_event": { + "active_content": { + "file_id": "fileid_004", + "hash": "hash_004", + "path": "D:\\content\\file4" + }, + "agent": { + "domain": "domain4", + "group_id": "group_04", + "id": "agent_004", + "infected": false, + "ip": "89.160.20.156", + "is_active": true, + "is_decommissioned": false, + "machine_type": "x64", + "name": "Agent_4", + "network_status": "online", + "os": "Windows 10", + "uuid": "uuid_004", + "version": "1.3.0" + }, + "connection_status": "active", + "created_at": "2025-10-22T11:30:00.000Z", + "direction": "outbound", + "dns_request": "google.com", + "dns_response": "8.8.8.8", + "dst": { + "ip": "89.160.20.128", + "port": 443 + }, + "event_type": "network", + "file": { + "full_name": "C:\\Program Files\\Chrome\\chrome.exe", + "id": "file_004", + "md5": "md5_004", + "sha1": "sha1_004", + "sha256": "sha256_004", + "size": "4096", + "type": "exe" + }, + "has_active_content": false, + "id": "id_004", + "indicator": { + "category": "spyware", + "description": "tracking software", + "metadata": "meta4", + "name": "Spyware4" + }, + "logins_base_type": "domain", + "logins_user_name": "user_login4", + "md5": "md5_sample4", + "network": { + "method": "GET", + "source": "WAN", + "url": "https://google.com" + }, + "object_type": "process", + "old_file": { + "md5": "old_md54", + "name": "chrome_old.exe", + "sha1": "old_sha14", + "sha256": "old_sha2564" + }, + "parent_pid": "4001", + "parent_process": { + "group_id": "group_parent_04", + "is_malicious": false, + "name": "explorer.exe", + "unique_key": "unique_parent_004" + }, + "pid": "4567", + "process": { + "cmd": "chrome.exe --new-tab", + "display_name": "Google Chrome", + "group_id": "group_04", + "image_path": "C:\\Program Files\\Chrome\\chrome.exe", + "image_sha1_hash": "sha1_process4", + "integrity_level": "medium", + "is_malicious": false, + "is_redirected_command_processor": "false", + "is_wow64": "false", + "name": "chrome.exe", + "root": "C:\\", + "session_id": "session_004", + 
"start_time": "2025-10-22T11:00:00.000Z", + "sub_system": "subsystem4", + "unique_key": "unique_004", + "user_name": "user4" + }, + "protocol": "TCP", + "publisher": "Google", + "registry": { + "classification": "application", + "id": "reg_004", + "path": "HKCU\\Software\\Test4" + }, + "related_to_threat": false, + "rpid": "rpid_004", + "sha1": "sha1_sample4", + "sha256": "sha256_sample4", + "signature_signed_invalid_reason": "None", + "signed_status": "Signed", + "site": { + "id": "site_004", + "name": "SiteD" + }, + "src": { + "ip": "127.0.0.1", + "port": 34567 + }, + "storyline": "storyline4", + "task_name": "task4", + "task_path": "C:\\Tasks\\task4", + "threat_status": "clean", + "tid": "tid_004", + "true_context": "context4", + "user": "user4", + "verified_status": "Verified" + } + }, + "source": { + "ip": "127.0.0.1", + "port": 34567 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "sentinel_one-threat_event" + ], + "threat": { + "indicator": { + "description": "tracking software", + "name": "Spyware4" + } + }, + "url": { + "full": "https://google.com" + }, + "user": { + "name": "user4" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. 
Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword | +| input.type | Type of filebeat input. | keyword | +| log.offset | Log offset. 
| long | +| sentinel_one.threat_event.active_content.file_id | | keyword | +| sentinel_one.threat_event.active_content.hash | | keyword | +| sentinel_one.threat_event.active_content.path | | keyword | +| sentinel_one.threat_event.agent.domain | | keyword | +| sentinel_one.threat_event.agent.group_id | | keyword | +| sentinel_one.threat_event.agent.id | | keyword | +| sentinel_one.threat_event.agent.infected | | boolean | +| sentinel_one.threat_event.agent.ip | | ip | +| sentinel_one.threat_event.agent.is_active | | boolean | +| sentinel_one.threat_event.agent.is_decommissioned | | boolean | +| sentinel_one.threat_event.agent.machine_type | | keyword | +| sentinel_one.threat_event.agent.name | | keyword | +| sentinel_one.threat_event.agent.network_status | | keyword | +| sentinel_one.threat_event.agent.os | | keyword | +| sentinel_one.threat_event.agent.uuid | | keyword | +| sentinel_one.threat_event.agent.version | | keyword | +| sentinel_one.threat_event.connection_status | | keyword | +| sentinel_one.threat_event.created_at | | date | +| sentinel_one.threat_event.direction | | keyword | +| sentinel_one.threat_event.dns_request | | keyword | +| sentinel_one.threat_event.dns_response | | keyword | +| sentinel_one.threat_event.dst.ip | | ip | +| sentinel_one.threat_event.dst.port | | long | +| sentinel_one.threat_event.event_type | | keyword | +| sentinel_one.threat_event.file.full_name | | keyword | +| sentinel_one.threat_event.file.id | | keyword | +| sentinel_one.threat_event.file.md5 | | keyword | +| sentinel_one.threat_event.file.sha1 | | keyword | +| sentinel_one.threat_event.file.sha256 | | keyword | +| sentinel_one.threat_event.file.size | | keyword | +| sentinel_one.threat_event.file.type | | keyword | +| sentinel_one.threat_event.has_active_content | | boolean | +| sentinel_one.threat_event.id | | keyword | +| sentinel_one.threat_event.indicator.category | | keyword | +| sentinel_one.threat_event.indicator.description | | keyword | +| 
sentinel_one.threat_event.indicator.metadata | | keyword | +| sentinel_one.threat_event.indicator.name | | keyword | +| sentinel_one.threat_event.logins_base_type | | keyword | +| sentinel_one.threat_event.logins_user_name | | keyword | +| sentinel_one.threat_event.md5 | | keyword | +| sentinel_one.threat_event.network.method | | keyword | +| sentinel_one.threat_event.network.source | | keyword | +| sentinel_one.threat_event.network.url | | keyword | +| sentinel_one.threat_event.object_type | | keyword | +| sentinel_one.threat_event.old_file.md5 | | keyword | +| sentinel_one.threat_event.old_file.name | | keyword | +| sentinel_one.threat_event.old_file.sha1 | | keyword | +| sentinel_one.threat_event.old_file.sha256 | | keyword | +| sentinel_one.threat_event.parent_pid | | keyword | +| sentinel_one.threat_event.parent_process.group_id | | keyword | +| sentinel_one.threat_event.parent_process.is_malicious | | boolean | +| sentinel_one.threat_event.parent_process.name | | keyword | +| sentinel_one.threat_event.parent_process.unique_key | | keyword | +| sentinel_one.threat_event.pid | | keyword | +| sentinel_one.threat_event.process.cmd | | keyword | +| sentinel_one.threat_event.process.display_name | | keyword | +| sentinel_one.threat_event.process.group_id | | keyword | +| sentinel_one.threat_event.process.image_path | | keyword | +| sentinel_one.threat_event.process.image_sha1_hash | | keyword | +| sentinel_one.threat_event.process.integrity_level | | keyword | +| sentinel_one.threat_event.process.is_malicious | | boolean | +| sentinel_one.threat_event.process.is_redirected_command_processor | | keyword | +| sentinel_one.threat_event.process.is_wow64 | | keyword | +| sentinel_one.threat_event.process.name | | keyword | +| sentinel_one.threat_event.process.root | | keyword | +| sentinel_one.threat_event.process.session_id | | keyword | +| sentinel_one.threat_event.process.start_time | | date | +| sentinel_one.threat_event.process.sub_system | | keyword | +| 
sentinel_one.threat_event.process.unique_key | | keyword | +| sentinel_one.threat_event.process.user_name | | keyword | +| sentinel_one.threat_event.protocol | | keyword | +| sentinel_one.threat_event.publisher | | keyword | +| sentinel_one.threat_event.registry.classification | | keyword | +| sentinel_one.threat_event.registry.id | | keyword | +| sentinel_one.threat_event.registry.path | | keyword | +| sentinel_one.threat_event.related_to_threat | | boolean | +| sentinel_one.threat_event.rpid | | keyword | +| sentinel_one.threat_event.sha1 | | keyword | +| sentinel_one.threat_event.sha256 | | keyword | +| sentinel_one.threat_event.signature_signed_invalid_reason | | keyword | +| sentinel_one.threat_event.signed_status | | keyword | +| sentinel_one.threat_event.site.id | | keyword | +| sentinel_one.threat_event.site.name | | keyword | +| sentinel_one.threat_event.src.ip | | ip | +| sentinel_one.threat_event.src.port | | long | +| sentinel_one.threat_event.storyline | | keyword | +| sentinel_one.threat_event.task_name | | keyword | +| sentinel_one.threat_event.task_path | | keyword | +| sentinel_one.threat_event.threat_status | | keyword | +| sentinel_one.threat_event.tid | | keyword | +| sentinel_one.threat_event.true_context | | keyword | +| sentinel_one.threat_event.user | | keyword | +| sentinel_one.threat_event.verified_status | | keyword | + diff --git a/packages/sentinel_one/elasticsearch/transform/latest_threat_event/fields/base-fields.yml b/packages/sentinel_one/elasticsearch/transform/latest_threat_event/fields/base-fields.yml new file mode 100644 index 00000000000..41d0c4dac0d --- /dev/null +++ b/packages/sentinel_one/elasticsearch/transform/latest_threat_event/fields/base-fields.yml 
@@ -0,0 +1,16 @@ +- name: data_stream.type + external: ecs +- name: data_stream.dataset + external: ecs +- name: data_stream.namespace + external: ecs +- name: "@timestamp" + external: ecs +- name: event.module + type: constant_keyword + external: ecs + value: sentinel_one +- name: event.dataset + type: constant_keyword + external: ecs + value: sentinel_one.threat_event diff --git a/packages/sentinel_one/elasticsearch/transform/latest_threat_event/fields/beats.yml b/packages/sentinel_one/elasticsearch/transform/latest_threat_event/fields/beats.yml new file mode 100644 index 00000000000..d5fd38748ba --- /dev/null +++ b/packages/sentinel_one/elasticsearch/transform/latest_threat_event/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/sentinel_one/elasticsearch/transform/latest_threat_event/fields/ecs.yml b/packages/sentinel_one/elasticsearch/transform/latest_threat_event/fields/ecs.yml new file mode 100644 index 00000000000..eb8a0e1c2c2 --- /dev/null +++ b/packages/sentinel_one/elasticsearch/transform/latest_threat_event/fields/ecs.yml 
@@ -0,0 +1,54 @@ +- name: destination.ip + external: ecs +- name: destination.port + external: ecs +- name: event.created + external: ecs +- name: event.id + external: ecs +- name: file.hash.md5 + external: ecs +- name: file.hash.sha1 + external: ecs +- name: file.hash.sha256 + external: ecs +- name: file.name + external: ecs +- name: file.size + external: ecs +- name: file.type + external: ecs +- name: network.transport + external: ecs +- name: process.command_line + external: ecs +- name: process.executable + external: ecs +- name: process.hash.sha1 + external: ecs +- name: process.name + external: ecs +- name: process.parent.name + external: ecs +- name: process.parent.pid + external: ecs +- name: process.pid + external: ecs +- name: process.start + external: ecs +- name: process.user.name + external: ecs +- name: registry.path + external: ecs +- name: source.ip + external: ecs +- name: source.port + external: ecs +- name: threat.indicator.description + external: ecs +- name: threat.indicator.name + external: ecs +- name: url.full + external: ecs +- name: user.name + external: ecs diff --git a/packages/sentinel_one/elasticsearch/transform/latest_threat_event/fields/fields.yml b/packages/sentinel_one/elasticsearch/transform/latest_threat_event/fields/fields.yml new file mode 100644 index 00000000000..6e0f674146a --- /dev/null +++ b/packages/sentinel_one/elasticsearch/transform/latest_threat_event/fields/fields.yml 
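Review bot: `event.ingested` is not declared in this ECS field list even though transform.yml uses it for both `sync.time.field` and `retention_policy.time.field`; with `deduce_mappings: false` in the transform, the destination index only gets a date type for it through the manifest's dynamic `date_detection`. If that detection ever misses, the sync checkpoint and the 30-day retention would be evaluated against a non-date field and the transform would not self-correct. Adding `- name: event.ingested` / `  external: ecs` next to `event.created` pins the type explicitly. The dependency on dynamic mapping is inferred from the manifest and transform hunks, not from an observed failure.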
@@ -0,0 +1,228 @@ +- name: sentinel_one + type: group + fields: + - name: threat_event + type: group + fields: + - name: id + type: keyword + - name: object_type + type: keyword + - name: created_at + type: date + - name: process + type: group + fields: + - name: name + type: keyword + - name: cmd + type: keyword + - name: group_id + type: keyword + - name: image_path + type: keyword + - name: user_name + type: keyword + - name: image_sha1_hash + type: keyword + - name: unique_key + type: keyword + - name: start_time + type: date + - name: sub_system + type: keyword + - name: session_id + type: keyword + - name: integrity_level + type: keyword + - name: display_name + type: keyword + - name: is_wow64 + type: keyword + - name: is_redirected_command_processor + type: keyword + - name: root + type: keyword + - name: is_malicious + type: boolean + - name: agent + type: group + fields: + - name: name + type: keyword + - name: group_id + type: keyword + - name: id + type: keyword + - name: is_active + type: boolean + - name: is_decommissioned + type: boolean + - name: machine_type + type: keyword + - name: network_status + type: keyword + - name: os + type: keyword + - name: version + type: keyword + - name: uuid + type: keyword + - name: infected + type: boolean + - name: domain + type: keyword + - name: ip + type: ip + - name: site + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: pid + type: keyword + - name: src + type: group + fields: + - name: ip + type: ip + - name: port + type: long + - name: dst + type: group + fields: + - name: ip + type: ip + - name: port + type: long + - name: file + type: group + fields: + - name: sha1 + type: keyword + - name: sha256 + type: keyword + - name: md5 + type: keyword + - name: full_name + type: keyword + - name: id + type: keyword + - name: size + type: keyword + - name: type + type: keyword + - name: old_file + type: group + fields: + - name: sha1 + type: keyword + - name: sha256 + 
type: keyword + - name: md5 + type: keyword + - name: name + type: keyword + - name: signature_signed_invalid_reason + type: keyword + - name: verified_status + type: keyword + - name: signed_status + type: keyword + - name: sha256 + type: keyword + - name: sha1 + type: keyword + - name: md5 + type: keyword + - name: tid + type: keyword + - name: rpid + type: keyword + - name: dns_request + type: keyword + - name: dns_response + type: keyword + - name: parent_process + type: group + fields: + - name: name + type: keyword + - name: unique_key + type: keyword + - name: group_id + type: keyword + - name: is_malicious + type: boolean + - name: parent_pid + type: keyword + - name: network + type: group + fields: + - name: source + type: keyword + - name: url + type: keyword + - name: method + type: keyword + - name: direction + type: keyword + - name: event_type + type: keyword + - name: registry + type: group + fields: + - name: path + type: keyword + - name: id + type: keyword + - name: classification + type: keyword + - name: task_name + type: keyword + - name: task_path + type: keyword + - name: true_context + type: keyword + - name: storyline + type: keyword + - name: logins_user_name + type: keyword + - name: logins_base_type + type: keyword + - name: indicator + type: group + fields: + - name: category + type: keyword + - name: description + type: keyword + - name: metadata + type: keyword + - name: name + type: keyword + - name: connection_status + type: keyword + - name: publisher + type: keyword + - name: user + type: keyword + - name: related_to_threat + type: boolean + - name: threat_status + type: keyword + - name: protocol + type: keyword + - name: has_active_content + type: boolean + - name: active_content + type: group + fields: + - name: file_id + type: keyword + - name: path + type: keyword + - name: hash + type: keyword 
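Review bot: `process.is_wow64` and `process.is_redirected_command_processor` are typed `keyword` while the neighbouring flags `process.is_malicious`, `agent.is_active` and `has_active_content` are `boolean`, so the same kind of flag has to be queried two different ways. If the SentinelOne API emits these as JSON booleans, `type: boolean` keeps the mapping consistent; if it emits non-boolean strings, a one-line comment such as `# API returns a string here, not a boolean` would stop the next maintainer from "fixing" it. `file.size` as `keyword` likewise rules out range queries and numeric aggregations on the raw field, though the ECS `file.size` declared in ecs.yml may be the intended numeric copy. None of these fields carry a `description`, unlike beats.yml, which is why the exported-fields table in the README shows an empty description column for every `sentinel_one.threat_event.*` entry.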
diff --git a/packages/sentinel_one/elasticsearch/transform/latest_threat_event/fields/is-transform-source-false.yml b/packages/sentinel_one/elasticsearch/transform/latest_threat_event/fields/is-transform-source-false.yml new file mode 100644 index 00000000000..490a079e7a7 --- /dev/null +++ b/packages/sentinel_one/elasticsearch/transform/latest_threat_event/fields/is-transform-source-false.yml @@ -0,0 +1,4 @@ +- name: labels.is_transform_source + type: constant_keyword + description: Distinguishes between documents that are a source for a transform and documents that are an output of a transform, to facilitate easier filtering. + value: "false" diff --git a/packages/sentinel_one/elasticsearch/transform/latest_threat_event/manifest.yml b/packages/sentinel_one/elasticsearch/transform/latest_threat_event/manifest.yml new file mode 100644 index 00000000000..24e9e926793 --- /dev/null +++ b/packages/sentinel_one/elasticsearch/transform/latest_threat_event/manifest.yml @@ -0,0 +1,11 @@ +start: true +destination_index_template: + mappings: + dynamic: true + dynamic_templates: + - strings_as_keyword: + match_mapping_type: string + mapping: + ignore_above: 1024 + type: keyword + date_detection: true diff --git a/packages/sentinel_one/elasticsearch/transform/latest_threat_event/transform.yml b/packages/sentinel_one/elasticsearch/transform/latest_threat_event/transform.yml new file mode 100644 index 00000000000..b217f5243e3 --- /dev/null +++ b/packages/sentinel_one/elasticsearch/transform/latest_threat_event/transform.yml 
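Review bot: In manifest.yml, `dynamic: true` together with `date_detection: true` on the destination template means any field not explicitly declared under fields/ has its type guessed from the first document copied in, and an undeclared string field whose first value happens to look like a date would be mapped as `date` and reject later documents carrying ordinary strings. Because `deduce_mappings` is off in transform.yml, nothing corrects that mapping afterwards, and with `unattended: true` the failures are retried rather than surfaced. Consider `date_detection: false` here and declaring the date fields the transform relies on (`@timestamp`, `event.ingested`) explicitly, or add a comment such as `# date_detection is relied on for undeclared date fields; keep in sync with fields/` if the behaviour is deliberate. This is a risk inferred from the mapping settings, not from an observed mapping conflict.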
@@ -0,0 +1,37 @@ +# Use of "*" to use all namespaces defined. +source: + index: + - "logs-sentinel_one.threat_event-*" +dest: + index: "logs-sentinel_one_latest.dest_threat_event-1" + aliases: + - alias: "logs-sentinel_one_latest.threat_event" + move_on_creation: true +latest: + unique_key: + - event.dataset + - event.id + sort: "@timestamp" +description: >- + Latest threat event from SentinelOne. As threat event get updated and deleted, this transform stores only the latest state of each threat event inside the destination index. Thus the transform's destination index contains only the latest state of the threat event. +frequency: 30s +settings: + # This is required to prevent the transform from clobbering the Fleet-managed mappings. + deduce_mappings: false + unattended: true +sync: + time: + field: "event.ingested" + # Updated to 120s because of refresh delay in Serverless. With default 60s, + # sometimes transform wouldn't process all documents. + delay: 120s +retention_policy: + time: + field: "event.ingested" + max_age: 30d +_meta: + managed: false + # Bump this version to delete, reinstall, and restart the transform during + # package installation. + fleet_transform_version: 0.1.0 + run_as_kibana_system: false diff --git a/packages/sentinel_one/img/sentinel-one-dashboard.png b/packages/sentinel_one/img/sentinel-one-dashboard.png new file mode 100644 index 00000000000..ed1b2bbb145 Binary files /dev/null and b/packages/sentinel_one/img/sentinel-one-dashboard.png differ diff --git a/packages/sentinel_one/img/sentinel-one-threat-event-dashboard.png b/packages/sentinel_one/img/sentinel-one-threat-event-dashboard.png new file mode 100644 index 00000000000..43ee7335a63 Binary files /dev/null and b/packages/sentinel_one/img/sentinel-one-threat-event-dashboard.png differ 
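Review bot: `latest` keeps one document per `event.dataset`/`event.id` chosen by `sort: "@timestamp"`, but the field list for this data stream carries only `created_at` and no update timestamp, so if `@timestamp` is populated from the event's creation time every re-ingested update of the same threat event shares the same sort value and which copy survives is not deterministic. Sorting on `event.ingested`, which this same file already trusts for `sync` and `retention_policy`, would make the most recently ingested state win; the `@timestamp` source is inferred from the fields hunk, so confirm it against the ingest pipeline. The 30-day `retention_policy` also means a threat event that is not re-ingested within 30 days silently disappears from the "latest" index even if it is still open, which is worth stating in `description` so analysts do not read absence as resolution.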
diff --git a/packages/sentinel_one/kibana/dashboard/sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538.json b/packages/sentinel_one/kibana/dashboard/sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538.json index efe1fa706ba..54ea2048b10 100644 --- a/packages/sentinel_one/kibana/dashboard/sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538.json +++ b/packages/sentinel_one/kibana/dashboard/sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538.json @@ -232,7 +232,7 @@ "i": "b8f90700-ca73-40c7-9257-8612aa86cc9f", "w": 24, "x": 0, - "y": 57 + "y": 59 }, "panelIndex": "b8f90700-ca73-40c7-9257-8612aa86cc9f", "type": "lens" @@ -403,7 +403,7 @@ "i": "9bdf752f-f767-44a4-bf05-51e0a27b7bbf", "w": 24, "x": 24, - "y": 57 + "y": 59 }, "panelIndex": "9bdf752f-f767-44a4-bf05-51e0a27b7bbf", "type": "lens" @@ -561,7 +561,7 @@ "i": "ed9a7061-e640-41f3-a838-3772f86e4be4", "w": 24, "x": 0, - "y": 72 + "y": 74 }, "panelIndex": "ed9a7061-e640-41f3-a838-3772f86e4be4", "type": "lens" @@ -734,7 +734,7 @@ "i": "e17f8b5f-d5de-4921-bb3a-9d3e7ef58ae4", "w": 24, "x": 24, - "y": 72 + "y": 74 }, "panelIndex": "e17f8b5f-d5de-4921-bb3a-9d3e7ef58ae4", "title": "Distribution of Threats by Incident Status", @@ -909,7 +909,7 @@ "i": "3e6f6367-85e2-45ee-a9c2-a14d5739f952", "w": 24, "x": 0, - "y": 87 + "y": 89 }, "panelIndex": "3e6f6367-85e2-45ee-a9c2-a14d5739f952", "title": "Top 10 Threat Techniques", @@ -1123,7 +1123,7 @@ "i": "1888de07-0e2f-4fc4-80e9-f3102e8b97b3", "w": 24, "x": 24, - "y": 87 + "y": 89 }, "panelIndex": "1888de07-0e2f-4fc4-80e9-f3102e8b97b3", "title": "Distribution of Threats by Infected Agents", @@ -1282,7 +1282,7 @@ "i": "6080a8f0-54d7-4fae-884f-f34dbed69ea8", "w": 24, "x": 0, - "y": 102 + "y": 104 }, "panelIndex": "6080a8f0-54d7-4fae-884f-f34dbed69ea8", "title": "Distribution of Threats by Detection Engine ", 
@@ -1456,116 +1456,12 @@ "i": "f7c0e875-f75f-4d06-b4dd-a8e50965eabe", "w": 24, "x": 24, - "y": 102 + "y": 104 }, "panelIndex": "f7c0e875-f75f-4d06-b4dd-a8e50965eabe", "title": "Top 10 Threats by Classification", "type": "lens" }, - { - "embeddableConfig": { - "attributes": { - "layout": "vertical", - "links": [ - { - "destinationRefName": "link_f4098683-cf5c-4602-9b24-9aea15918578_dashboard", - "id": "f4098683-cf5c-4602-9b24-9aea15918578", - "label": "Activities", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 0, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_8deb9939-2ec5-4132-ba5f-b1df63e439b7_dashboard", - "id": "8deb9939-2ec5-4132-ba5f-b1df63e439b7", - "label": "Agents", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 1, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_87aa4d55-d0ff-4287-aa67-de9fd33bdcaf_dashboard", - "id": "87aa4d55-d0ff-4287-aa67-de9fd33bdcaf", - "label": "Alerts", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 2, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_255c3f86-ba80-43a5-b1c9-077b54a35cae_dashboard", - "id": "255c3f86-ba80-43a5-b1c9-077b54a35cae", - "label": "Application", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 3, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_e4098063-4b72-4076-9062-e0ec2cbaacdd_dashboard", - "id": "e4098063-4b72-4076-9062-e0ec2cbaacdd", - "label": "Application Risk", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 4, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_a6a5c107-3f8e-48bd-b142-6aa46defabd2_dashboard", - "id": "a6a5c107-3f8e-48bd-b142-6aa46defabd2", - "label": "Groups", - 
"options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 5, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_8cbb5cad-64bb-48fc-a682-8083e3b46f94_dashboard", - "id": "8cbb5cad-64bb-48fc-a682-8083e3b46f94", - "label": "Threats", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 6, - "type": "dashboardLink" - } - ] - }, - "enhancements": {} - }, - "gridData": { - "h": 11, - "i": "96d47662-1411-4c98-a33d-8eccf5f23307", - "w": 10, - "x": 0, - "y": 0 - }, - "panelIndex": "96d47662-1411-4c98-a33d-8eccf5f23307", - "title": "Navigation", - "type": "links" - }, { "embeddableConfig": { "attributes": { @@ -3248,7 +3144,7 @@ "i": "049f4aed-442b-4fd9-b46a-4ae161ec46d6", "w": 10, "x": 0, - "y": 11 + "y": 13 }, "panelIndex": "049f4aed-442b-4fd9-b46a-4ae161ec46d6", "title": "Table of Contents", @@ -3261,12 +3157,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-a64559b1-90c9-4859-9d5f-2585172bcda4", + "name": "indexpattern-datasource-layer-c5e5c6f0-5d4d-48f4-9ad4-727d5f1c0ebd", "type": "index-pattern" }, { "id": "logs-*", - "name": "6f8ea6e2-8a4c-45ec-aa08-b533cc8e6ac4", + "name": "af63bf2a-f185-4472-99fa-9c42ffadb4bc", "type": "index-pattern" } ], 
@@ -3275,39 +3171,39 @@ "datasourceStates": { "formBased": { "layers": { - "a64559b1-90c9-4859-9d5f-2585172bcda4": { + "c5e5c6f0-5d4d-48f4-9ad4-727d5f1c0ebd": { "columnOrder": [ - "e8b50532-e3ed-47d7-a0d4-7aaced47afa3", - "ad08fd36-cbe4-4baa-ac1d-9454a3fd297b" + "039a2941-5111-4bf1-a02a-af4a8fe09609", + "86f6d3c9-4b8b-4d98-afae-df8ba9fd0e43" ], "columns": { - "ad08fd36-cbe4-4baa-ac1d-9454a3fd297b": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "sentinel_one.threat.id" - }, - "e8b50532-e3ed-47d7-a0d4-7aaced47afa3": { + "039a2941-5111-4bf1-a02a-af4a8fe09609": { "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Mitigation Mode", + "label": "Mitigation Status", "operationType": "terms", "params": { "missingBucket": false, "orderBy": { - "columnId": "ad08fd36-cbe4-4baa-ac1d-9454a3fd297b", + "columnId": "86f6d3c9-4b8b-4d98-afae-df8ba9fd0e43", "type": "column" }, "orderDirection": "desc", "otherBucket": true, - "size": 10 + "size": 5 }, "scale": "ordinal", - "sourceField": "sentinel_one.threat.agent.mitigation_mode" + "sourceField": "sentinel_one.threat.mitigation_status.status" + }, + "86f6d3c9-4b8b-4d98-afae-df8ba9fd0e43": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "sentinel_one.threat.id" } }, "incompleteColumns": {} @@ -3324,7 +3220,7 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "6f8ea6e2-8a4c-45ec-aa08-b533cc8e6ac4", + "index": "af63bf2a-f185-4472-99fa-9c42ffadb4bc", "key": "data_stream.dataset", "negate": false, "params": { 
@@ -3347,37 +3243,28 @@ "visualization": { "layers": [ { - "accessors": [ - "ad08fd36-cbe4-4baa-ac1d-9454a3fd297b" - ], - "layerId": "a64559b1-90c9-4859-9d5f-2585172bcda4", + "categoryDisplay": "default", + "layerId": "c5e5c6f0-5d4d-48f4-9ad4-727d5f1c0ebd", "layerType": "data", - "position": "top", - "seriesType": "bar_stacked", - "showGridlines": false, - "xAccessor": "e8b50532-e3ed-47d7-a0d4-7aaced47afa3" + "legendDisplay": "show", + "legendSize": "auto", + "metrics": [ + "86f6d3c9-4b8b-4d98-afae-df8ba9fd0e43" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "039a2941-5111-4bf1-a02a-af4a8fe09609" + ], + "truncateLegend": false } ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right", - "shouldTruncate": false - }, - "preferredSeriesType": "bar_stacked", - "title": "Empty XY chart", - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - } + "shape": "pie" } }, - "title": "Distribution of Threats by Agent Mitigation Mode", + "title": "Distribution of Threats by Mitigation Status", "type": "lens", - "visualizationType": "lnsXY" + "visualizationType": "lnsPie" }, "enhancements": { "dynamicActions": { @@ -3393,7 +3280,7 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "6f8ea6e2-8a4c-45ec-aa08-b533cc8e6ac4", + "index": "af63bf2a-f185-4472-99fa-9c42ffadb4bc", "key": "data_stream.dataset", "negate": false, "params": { @@ -3417,13 +3304,13 @@ "syncTooltips": false }, "gridData": { - "h": 14, - "i": "301b13f1-59c8-40e0-80f8-ecc1892b938d", - "w": 20, - "x": 28, - "y": 28 + "h": 15, + "i": "accf3797-c215-44a4-829d-c9ff30758f7b", + "w": 15, + "x": 0, + "y": 44 }, - "panelIndex": "301b13f1-59c8-40e0-80f8-ecc1892b938d", + "panelIndex": "accf3797-c215-44a4-829d-c9ff30758f7b", "type": "lens" }, { 
@@ -3433,17 +3320,17 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-f83c655e-003c-4cc5-a2e3-789acb23b691", + "name": "indexpattern-datasource-layer-9d8d04b8-42e9-488a-9c18-39f38153e46a", "type": "index-pattern" }, { "id": "logs-*", - "name": "eabcac79-7f09-4f55-8d66-0df00a4f4358", + "name": "5eccfc13-a814-49f3-9b20-9be2db6b75a9", "type": "index-pattern" }, { "id": "logs-*", - "name": "33030a53-9eef-4416-9030-de2b09f3100f", + "name": "2dfeb86f-904e-4f76-bd4a-502859e3ffa4", "type": "index-pattern" } ], @@ -3452,13 +3339,13 @@ "datasourceStates": { "formBased": { "layers": { - "f83c655e-003c-4cc5-a2e3-789acb23b691": { + "9d8d04b8-42e9-488a-9c18-39f38153e46a": { "columnOrder": [ - "d427f2bd-912c-476e-85a7-3110216b3b8d", - "7fead18f-d40b-4539-ace7-5328e84140d2" + "3629412b-4ee6-4169-92d4-d5d8ebb7ab62", + "324989fb-f85e-4bbc-b7f9-b85472d54928" ], "columns": { - "7fead18f-d40b-4539-ace7-5328e84140d2": { + "324989fb-f85e-4bbc-b7f9-b85472d54928": { "customLabel": true, "dataType": "number", "isBucketed": false, 
@@ -3467,30 +3354,24 @@ "scale": "ratio", "sourceField": "sentinel_one.threat.id" }, - "d427f2bd-912c-476e-85a7-3110216b3b8d": { + "3629412b-4ee6-4169-92d4-d5d8ebb7ab62": { + "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Filters", - "operationType": "filters", + "label": "Prevalent Threats", + "operationType": "terms", "params": { - "filters": [ - { - "input": { - "language": "kuery", - "query": "sentinel_one.threat.agent.is_active : true " - }, - "label": "Active Agents" - }, - { - "input": { - "language": "kuery", - "query": "sentinel_one.threat.agent.is_active : false " - }, - "label": "Inactive Agents" - } - ] + "missingBucket": false, + "orderBy": { + "columnId": "324989fb-f85e-4bbc-b7f9-b85472d54928", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 }, - "scale": "ordinal" + "scale": "ordinal", + "sourceField": "sentinel_one.threat.name" } }, "incompleteColumns": {} @@ -3506,17 +3387,19 @@ "meta": { "alias": null, "disabled": false, - "index": "eabcac79-7f09-4f55-8d66-0df00a4f4358", - "key": "sentinel_one.threat.agent.is_active", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "sentinel_one.threat.agent.is_active" - } - } + "index": "5eccfc13-a814-49f3-9b20-9be2db6b75a9", + "key": "sentinel_one.threat.incident.status", + "negate": true, + "params": { + "query": "resolved" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "sentinel_one.threat.incident.status": "resolved" + } + } }, { "$state": { @@ -3526,7 +3409,7 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "33030a53-9eef-4416-9030-de2b09f3100f", + "index": "2dfeb86f-904e-4f76-bd4a-502859e3ffa4", "key": "data_stream.dataset", "negate": false, "params": { 
@@ -3549,28 +3432,39 @@ "visualization": { "layers": [ { - "categoryDisplay": "default", - "layerId": "f83c655e-003c-4cc5-a2e3-789acb23b691", - "layerType": "data", - "legendDisplay": "show", - "legendSize": "auto", - "metrics": [ - "7fead18f-d40b-4539-ace7-5328e84140d2" - ], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": [ - "d427f2bd-912c-476e-85a7-3110216b3b8d" + "accessors": [ + "324989fb-f85e-4bbc-b7f9-b85472d54928" ], - "truncateLegend": false + "layerId": "9d8d04b8-42e9-488a-9c18-39f38153e46a", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "3629412b-4ee6-4169-92d4-d5d8ebb7ab62" } ], - "shape": "pie" + "legend": { + "isInside": false, + "isVisible": true, + "legendSize": "auto", + "position": "right", + "shouldTruncate": false, + "showSingleSeries": false + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } } }, - "title": "Distribution of Threats by Agent Status", + "title": "Most Prevalent Threats", "type": "lens", - "visualizationType": "lnsPie" + "visualizationType": "lnsXY" }, "enhancements": { "dynamicActions": { @@ -3585,15 +3479,17 @@ "meta": { "alias": null, "disabled": false, - "index": "eabcac79-7f09-4f55-8d66-0df00a4f4358", - "key": "sentinel_one.threat.agent.is_active", - "negate": false, - "type": "exists", - "value": "exists" + "index": "5eccfc13-a814-49f3-9b20-9be2db6b75a9", + "key": "sentinel_one.threat.incident.status", + "negate": true, + "params": { + "query": "resolved" + }, + "type": "phrase" }, "query": { - "exists": { - "field": "sentinel_one.threat.agent.is_active" + "match_phrase": { + "sentinel_one.threat.incident.status": "resolved" } } }, 
@@ -3605,7 +3501,7 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "33030a53-9eef-4416-9030-de2b09f3100f", + "index": "2dfeb86f-904e-4f76-bd4a-502859e3ffa4", "key": "data_stream.dataset", "negate": false, "params": { @@ -3620,7 +3516,6 @@ } } ], - "hidePanelTitles": false, "query": { "language": "kuery", "query": "" 
@@ -3630,15 +3525,126 @@ "syncTooltips": false }, "gridData": { - "h": 14, - "i": "dc9ba6b7-0c35-4333-99ad-653d57c20fd7", - "w": 18, - "x": 10, - "y": 28 + "h": 15, + "i": "213a2279-8bb5-491b-b0f0-d5a7a2473670", + "w": 33, + "x": 15, + "y": 44 }, - "panelIndex": "dc9ba6b7-0c35-4333-99ad-653d57c20fd7", + "panelIndex": "213a2279-8bb5-491b-b0f0-d5a7a2473670", "type": "lens" }, + { + "embeddableConfig": { + "attributes": { + "layout": "vertical", + "links": [ + { + "destinationRefName": "link_f4098683-cf5c-4602-9b24-9aea15918578_dashboard", + "id": "f4098683-cf5c-4602-9b24-9aea15918578", + "label": "Activities", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 0, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_8deb9939-2ec5-4132-ba5f-b1df63e439b7_dashboard", + "id": "8deb9939-2ec5-4132-ba5f-b1df63e439b7", + "label": "Agents", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 1, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_87aa4d55-d0ff-4287-aa67-de9fd33bdcaf_dashboard", + "id": "87aa4d55-d0ff-4287-aa67-de9fd33bdcaf", + "label": "Alerts", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 2, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_255c3f86-ba80-43a5-b1c9-077b54a35cae_dashboard", + "id": "255c3f86-ba80-43a5-b1c9-077b54a35cae", + "label": "Application", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 3, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_e4098063-4b72-4076-9062-e0ec2cbaacdd_dashboard", + "id": "e4098063-4b72-4076-9062-e0ec2cbaacdd", + "label": "Application Risk", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 4, + "type": "dashboardLink" + }, + { + 
"destinationRefName": "link_a6a5c107-3f8e-48bd-b142-6aa46defabd2_dashboard", + "id": "a6a5c107-3f8e-48bd-b142-6aa46defabd2", + "label": "Groups", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 5, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_8cbb5cad-64bb-48fc-a682-8083e3b46f94_dashboard", + "id": "8cbb5cad-64bb-48fc-a682-8083e3b46f94", + "label": "Threats", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 6, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_f9cecb5e-18b1-4c47-9b7e-7269f673a147_dashboard", + "id": "f9cecb5e-18b1-4c47-9b7e-7269f673a147", + "label": "Threat Events", + "order": 7, + "type": "dashboardLink" + } + ] + }, + "enhancements": {} + }, + "gridData": { + "h": 13, + "i": "96d47662-1411-4c98-a33d-8eccf5f23307", + "w": 10, + "x": 0, + "y": 0 + }, + "panelIndex": "96d47662-1411-4c98-a33d-8eccf5f23307", + "title": "Navigation", + "type": "links" + }, { "embeddableConfig": { "attributes": { @@ -3646,12 +3652,17 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-c5e5c6f0-5d4d-48f4-9ad4-727d5f1c0ebd", + "name": "indexpattern-datasource-layer-f83c655e-003c-4cc5-a2e3-789acb23b691", "type": "index-pattern" }, { "id": "logs-*", - "name": "af63bf2a-f185-4472-99fa-9c42ffadb4bc", + "name": "eabcac79-7f09-4f55-8d66-0df00a4f4358", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "33030a53-9eef-4416-9030-de2b09f3100f", "type": "index-pattern" } ], 
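Review bot: The new "Threat Events" entry in the navigation links panel has no `options` object, whereas every other link in the same list sets `openInNewTab`, `useCurrentDateRange` and `useCurrentFilters`, so following it will fall back to Kibana's defaults instead of carrying the current time range and filters over like its siblings. Adding `"options": { "openInNewTab": false, "useCurrentDateRange": true, "useCurrentFilters": true }` between `"label"` and `"order"` keeps the behaviour uniform. The link also points at `link_f9cecb5e-18b1-4c47-9b7e-7269f673a147_dashboard`, which must have a matching entry in the saved object's `references` array; that array is outside this hunk so I cannot confirm it was updated.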
@@ -3660,32 +3671,13 @@ "datasourceStates": { "formBased": { "layers": { - "c5e5c6f0-5d4d-48f4-9ad4-727d5f1c0ebd": { + "f83c655e-003c-4cc5-a2e3-789acb23b691": { "columnOrder": [ - "039a2941-5111-4bf1-a02a-af4a8fe09609", - "86f6d3c9-4b8b-4d98-afae-df8ba9fd0e43" + "d427f2bd-912c-476e-85a7-3110216b3b8d", + "7fead18f-d40b-4539-ace7-5328e84140d2" ], "columns": { - "039a2941-5111-4bf1-a02a-af4a8fe09609": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Mitigation Status", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "86f6d3c9-4b8b-4d98-afae-df8ba9fd0e43", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "sentinel_one.threat.mitigation_status.status" - }, - "86f6d3c9-4b8b-4d98-afae-df8ba9fd0e43": { + "7fead18f-d40b-4539-ace7-5328e84140d2": { "customLabel": true, "dataType": "number", "isBucketed": false, @@ -3693,6 +3685,31 @@ "operationType": "unique_count", "scale": "ratio", "sourceField": "sentinel_one.threat.id" + }, + "d427f2bd-912c-476e-85a7-3110216b3b8d": { + "dataType": "string", + "isBucketed": true, + "label": "Filters", + "operationType": "filters", + "params": { + "filters": [ + { + "input": { + "language": "kuery", + "query": "sentinel_one.threat.agent.is_active : true " + }, + "label": "Active Agents" + }, + { + "input": { + "language": "kuery", + "query": "sentinel_one.threat.agent.is_active : false " + }, + "label": "Inactive Agents" + } + ] + }, + "scale": "ordinal" } }, "incompleteColumns": {} 
@@ -3701,6 +3718,25 @@ } }, "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "eabcac79-7f09-4f55-8d66-0df00a4f4358", + "key": "sentinel_one.threat.agent.is_active", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "sentinel_one.threat.agent.is_active" + } + } + }, { "$state": { "store": "appState" @@ -3709,7 +3745,7 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "af63bf2a-f185-4472-99fa-9c42ffadb4bc", + "index": "33030a53-9eef-4416-9030-de2b09f3100f", "key": "data_stream.dataset", "negate": false, "params": { @@ -3733,17 +3769,17 @@ "layers": [ { "categoryDisplay": "default", - "layerId": "c5e5c6f0-5d4d-48f4-9ad4-727d5f1c0ebd", + "layerId": "f83c655e-003c-4cc5-a2e3-789acb23b691", "layerType": "data", "legendDisplay": "show", "legendSize": "auto", "metrics": [ - "86f6d3c9-4b8b-4d98-afae-df8ba9fd0e43" + "7fead18f-d40b-4539-ace7-5328e84140d2" ], "nestedLegend": false, "numberDisplay": "percent", "primaryGroups": [ - "039a2941-5111-4bf1-a02a-af4a8fe09609" + "d427f2bd-912c-476e-85a7-3110216b3b8d" ], "truncateLegend": false } @@ -3751,7 +3787,7 @@ "shape": "pie" } }, - "title": "Distribution of Threats by Mitigation Status", + "title": "Distribution of Threats by Agent Status", "type": "lens", "visualizationType": "lnsPie" }, @@ -3761,6 +3797,25 @@ } }, "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "eabcac79-7f09-4f55-8d66-0df00a4f4358", + "key": "sentinel_one.threat.agent.is_active", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "sentinel_one.threat.agent.is_active" + } + } + }, { "$state": { "store": "appState" 
@@ -3769,7 +3824,7 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "af63bf2a-f185-4472-99fa-9c42ffadb4bc", + "index": "33030a53-9eef-4416-9030-de2b09f3100f", "key": "data_stream.dataset", "negate": false, "params": { @@ -3784,6 +3839,7 @@ } } ], + "hidePanelTitles": false, "query": { "language": "kuery", "query": "" @@ -3793,13 +3849,13 @@ "syncTooltips": false }, "gridData": { - "h": 15, - "i": "accf3797-c215-44a4-829d-c9ff30758f7b", - "w": 15, - "x": 0, - "y": 42 + "h": 16, + "i": "dc9ba6b7-0c35-4333-99ad-653d57c20fd7", + "w": 18, + "x": 10, + "y": 28 }, - "panelIndex": "accf3797-c215-44a4-829d-c9ff30758f7b", + "panelIndex": "dc9ba6b7-0c35-4333-99ad-653d57c20fd7", "type": "lens" }, { @@ -3809,17 +3865,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-9d8d04b8-42e9-488a-9c18-39f38153e46a", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5eccfc13-a814-49f3-9b20-9be2db6b75a9", + "name": "indexpattern-datasource-layer-a64559b1-90c9-4859-9d5f-2585172bcda4", "type": "index-pattern" }, { "id": "logs-*", - "name": "2dfeb86f-904e-4f76-bd4a-502859e3ffa4", + "name": "6f8ea6e2-8a4c-45ec-aa08-b533cc8e6ac4", "type": "index-pattern" } ], @@ -3828,13 +3879,13 @@ "datasourceStates": { "formBased": { "layers": { - "9d8d04b8-42e9-488a-9c18-39f38153e46a": { + "a64559b1-90c9-4859-9d5f-2585172bcda4": { "columnOrder": [ - "3629412b-4ee6-4169-92d4-d5d8ebb7ab62", - "324989fb-f85e-4bbc-b7f9-b85472d54928" + "e8b50532-e3ed-47d7-a0d4-7aaced47afa3", + "ad08fd36-cbe4-4baa-ac1d-9454a3fd297b" ], "columns": { - "324989fb-f85e-4bbc-b7f9-b85472d54928": { + "ad08fd36-cbe4-4baa-ac1d-9454a3fd297b": { "customLabel": true, "dataType": "number", "isBucketed": false, 
@@ -3843,16 +3894,16 @@ "scale": "ratio", "sourceField": "sentinel_one.threat.id" }, - "3629412b-4ee6-4169-92d4-d5d8ebb7ab62": { + "e8b50532-e3ed-47d7-a0d4-7aaced47afa3": { "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Prevalent Threats", + "label": "Mitigation Mode", "operationType": "terms", "params": { "missingBucket": false, "orderBy": { - "columnId": "324989fb-f85e-4bbc-b7f9-b85472d54928", + "columnId": "ad08fd36-cbe4-4baa-ac1d-9454a3fd297b", "type": "column" }, "orderDirection": "desc", @@ -3860,7 +3911,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "sentinel_one.threat.name" + "sourceField": "sentinel_one.threat.agent.mitigation_mode" } }, "incompleteColumns": {} @@ -3869,27 +3920,6 @@ } }, "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "5eccfc13-a814-49f3-9b20-9be2db6b75a9", - "key": "sentinel_one.threat.incident.status", - "negate": true, - "params": { - "query": "resolved" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "sentinel_one.threat.incident.status": "resolved" - } - } - }, { "$state": { "store": "appState" @@ -3898,7 +3928,7 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "2dfeb86f-904e-4f76-bd4a-502859e3ffa4", + "index": "6f8ea6e2-8a4c-45ec-aa08-b533cc8e6ac4", "key": "data_stream.dataset", "negate": false, "params": { 
@@ -3922,23 +3952,21 @@ "layers": [ { "accessors": [ - "324989fb-f85e-4bbc-b7f9-b85472d54928" + "ad08fd36-cbe4-4baa-ac1d-9454a3fd297b" ], - "layerId": "9d8d04b8-42e9-488a-9c18-39f38153e46a", + "layerId": "a64559b1-90c9-4859-9d5f-2585172bcda4", "layerType": "data", "position": "top", - "seriesType": "bar_horizontal_stacked", + "seriesType": "bar_stacked", "showGridlines": false, - "xAccessor": "3629412b-4ee6-4169-92d4-d5d8ebb7ab62" + "xAccessor": "e8b50532-e3ed-47d7-a0d4-7aaced47afa3" } ], "legend": { - "isInside": false, "isVisible": true, "legendSize": "auto", "position": "right", - "shouldTruncate": false, - "showSingleSeries": false + "shouldTruncate": false }, "preferredSeriesType": "bar_stacked", "title": "Empty XY chart", @@ -3951,7 +3979,7 @@ } } }, - "title": "Most Prevalent Threats", + "title": "Distribution of Threats by Agent Mitigation Mode", "type": "lens", "visualizationType": "lnsXY" }, @@ -3961,27 +3989,6 @@ } }, "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "5eccfc13-a814-49f3-9b20-9be2db6b75a9", - "key": "sentinel_one.threat.incident.status", - "negate": true, - "params": { - "query": "resolved" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "sentinel_one.threat.incident.status": "resolved" - } - } - }, { "$state": { "store": "appState" @@ -3990,7 +3997,7 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "2dfeb86f-904e-4f76-bd4a-502859e3ffa4", + "index": "6f8ea6e2-8a4c-45ec-aa08-b533cc8e6ac4", "key": "data_stream.dataset", "negate": false, "params": { @@ -4014,13 +4021,13 @@ "syncTooltips": false }, "gridData": { - "h": 15, - "i": "213a2279-8bb5-491b-b0f0-d5a7a2473670", - "w": 33, - "x": 15, - "y": 42 + "h": 16, + "i": "301b13f1-59c8-40e0-80f8-ecc1892b938d", + "w": 20, + "x": 28, + "y": 28 }, - "panelIndex": "213a2279-8bb5-491b-b0f0-d5a7a2473670", + "panelIndex": "301b13f1-59c8-40e0-80f8-ecc1892b938d", "type": "lens" } ], 
@@ -4029,7 +4036,7 @@ "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-10-06T10:09:52.045Z", + "created_at": "2025-10-27T19:44:47.686Z", "id": "sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538", "references": [ { @@ -4127,41 +4134,6 @@ "name": "f7c0e875-f75f-4d06-b4dd-a8e50965eabe:9cde3279-3409-4cdf-99ab-f18b887a92cf", "type": "index-pattern" }, - { - "id": "sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538", - "name": "96d47662-1411-4c98-a33d-8eccf5f23307:link_f4098683-cf5c-4602-9b24-9aea15918578_dashboard", - "type": "dashboard" - }, - { - "id": "sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538", - "name": "96d47662-1411-4c98-a33d-8eccf5f23307:link_8deb9939-2ec5-4132-ba5f-b1df63e439b7_dashboard", - "type": "dashboard" - }, - { - "id": "sentinel_one-bcf1f680-bba3-11ec-82b7-8fcb232e9538", - "name": "96d47662-1411-4c98-a33d-8eccf5f23307:link_87aa4d55-d0ff-4287-aa67-de9fd33bdcaf_dashboard", - "type": "dashboard" - }, - { - "id": "sentinel_one-acd472d9-a6b7-4a53-a58d-06c315764c8d", - "name": "96d47662-1411-4c98-a33d-8eccf5f23307:link_255c3f86-ba80-43a5-b1c9-077b54a35cae_dashboard", - "type": "dashboard" - }, - { - "id": "sentinel_one-9d3f16ad-d421-4475-b0e2-c9b3f795e0d5", - "name": "96d47662-1411-4c98-a33d-8eccf5f23307:link_e4098063-4b72-4076-9062-e0ec2cbaacdd_dashboard", - "type": "dashboard" - }, - { - "id": "sentinel_one-5881f5f0-bb2c-11ec-82b7-8fcb232e9538", - "name": "96d47662-1411-4c98-a33d-8eccf5f23307:link_a6a5c107-3f8e-48bd-b142-6aa46defabd2_dashboard", - "type": "dashboard" - }, - { - "id": "sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538", - "name": "96d47662-1411-4c98-a33d-8eccf5f23307:link_8cbb5cad-64bb-48fc-a682-8083e3b46f94_dashboard", - "type": "dashboard" - }, { "id": "logs-*", "name": "1684da14-7484-42a6-91d6-b9659883e20d:indexpattern-datasource-layer-01d7bdc3-638b-4d23-9ae6-d24678743470", 
@@ -4229,52 +4201,92 @@ }, { "id": "logs-*", - "name": "301b13f1-59c8-40e0-80f8-ecc1892b938d:indexpattern-datasource-layer-a64559b1-90c9-4859-9d5f-2585172bcda4", + "name": "accf3797-c215-44a4-829d-c9ff30758f7b:indexpattern-datasource-layer-c5e5c6f0-5d4d-48f4-9ad4-727d5f1c0ebd", "type": "index-pattern" }, { "id": "logs-*", - "name": "301b13f1-59c8-40e0-80f8-ecc1892b938d:6f8ea6e2-8a4c-45ec-aa08-b533cc8e6ac4", + "name": "accf3797-c215-44a4-829d-c9ff30758f7b:af63bf2a-f185-4472-99fa-9c42ffadb4bc", "type": "index-pattern" }, { "id": "logs-*", - "name": "dc9ba6b7-0c35-4333-99ad-653d57c20fd7:indexpattern-datasource-layer-f83c655e-003c-4cc5-a2e3-789acb23b691", + "name": "213a2279-8bb5-491b-b0f0-d5a7a2473670:indexpattern-datasource-layer-9d8d04b8-42e9-488a-9c18-39f38153e46a", "type": "index-pattern" }, { "id": "logs-*", - "name": "dc9ba6b7-0c35-4333-99ad-653d57c20fd7:eabcac79-7f09-4f55-8d66-0df00a4f4358", + "name": "213a2279-8bb5-491b-b0f0-d5a7a2473670:5eccfc13-a814-49f3-9b20-9be2db6b75a9", "type": "index-pattern" }, { "id": "logs-*", - "name": "dc9ba6b7-0c35-4333-99ad-653d57c20fd7:33030a53-9eef-4416-9030-de2b09f3100f", + "name": "213a2279-8bb5-491b-b0f0-d5a7a2473670:2dfeb86f-904e-4f76-bd4a-502859e3ffa4", "type": "index-pattern" }, + { + "id": "sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538", + "name": "96d47662-1411-4c98-a33d-8eccf5f23307:link_f4098683-cf5c-4602-9b24-9aea15918578_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538", + "name": "96d47662-1411-4c98-a33d-8eccf5f23307:link_8deb9939-2ec5-4132-ba5f-b1df63e439b7_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-bcf1f680-bba3-11ec-82b7-8fcb232e9538", + "name": "96d47662-1411-4c98-a33d-8eccf5f23307:link_87aa4d55-d0ff-4287-aa67-de9fd33bdcaf_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-acd472d9-a6b7-4a53-a58d-06c315764c8d", + "name": "96d47662-1411-4c98-a33d-8eccf5f23307:link_255c3f86-ba80-43a5-b1c9-077b54a35cae_dashboard", + 
"type": "dashboard" + }, + { + "id": "sentinel_one-9d3f16ad-d421-4475-b0e2-c9b3f795e0d5", + "name": "96d47662-1411-4c98-a33d-8eccf5f23307:link_e4098063-4b72-4076-9062-e0ec2cbaacdd_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-5881f5f0-bb2c-11ec-82b7-8fcb232e9538", + "name": "96d47662-1411-4c98-a33d-8eccf5f23307:link_a6a5c107-3f8e-48bd-b142-6aa46defabd2_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538", + "name": "96d47662-1411-4c98-a33d-8eccf5f23307:link_8cbb5cad-64bb-48fc-a682-8083e3b46f94_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-413bf268-78f7-4bea-b668-55b5adacbf08", + "name": "96d47662-1411-4c98-a33d-8eccf5f23307:link_f9cecb5e-18b1-4c47-9b7e-7269f673a147_dashboard", + "type": "dashboard" + }, { "id": "logs-*", - "name": "accf3797-c215-44a4-829d-c9ff30758f7b:indexpattern-datasource-layer-c5e5c6f0-5d4d-48f4-9ad4-727d5f1c0ebd", + "name": "dc9ba6b7-0c35-4333-99ad-653d57c20fd7:indexpattern-datasource-layer-f83c655e-003c-4cc5-a2e3-789acb23b691", "type": "index-pattern" }, { "id": "logs-*", - "name": "accf3797-c215-44a4-829d-c9ff30758f7b:af63bf2a-f185-4472-99fa-9c42ffadb4bc", + "name": "dc9ba6b7-0c35-4333-99ad-653d57c20fd7:eabcac79-7f09-4f55-8d66-0df00a4f4358", "type": "index-pattern" }, { "id": "logs-*", - "name": "213a2279-8bb5-491b-b0f0-d5a7a2473670:indexpattern-datasource-layer-9d8d04b8-42e9-488a-9c18-39f38153e46a", + "name": "dc9ba6b7-0c35-4333-99ad-653d57c20fd7:33030a53-9eef-4416-9030-de2b09f3100f", "type": "index-pattern" }, { "id": "logs-*", - "name": "213a2279-8bb5-491b-b0f0-d5a7a2473670:5eccfc13-a814-49f3-9b20-9be2db6b75a9", + "name": "301b13f1-59c8-40e0-80f8-ecc1892b938d:indexpattern-datasource-layer-a64559b1-90c9-4859-9d5f-2585172bcda4", "type": "index-pattern" }, { "id": "logs-*", - "name": "213a2279-8bb5-491b-b0f0-d5a7a2473670:2dfeb86f-904e-4f76-bd4a-502859e3ffa4", + "name": "301b13f1-59c8-40e0-80f8-ecc1892b938d:6f8ea6e2-8a4c-45ec-aa08-b533cc8e6ac4", "type": 
"index-pattern" }, { diff --git a/packages/sentinel_one/kibana/dashboard/sentinel_one-413bf268-78f7-4bea-b668-55b5adacbf08.json b/packages/sentinel_one/kibana/dashboard/sentinel_one-413bf268-78f7-4bea-b668-55b5adacbf08.json new file mode 100644 index 00000000000..20e6ef2ca71 --- /dev/null +++ b/packages/sentinel_one/kibana/dashboard/sentinel_one-413bf268-78f7-4bea-b668-55b5adacbf08.json 
@@ -0,0 +1,1656 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "54be5b45-06d1-4e3b-9717-449bd247105d": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "user.name", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "User Name" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + }, + "e77e3fdd-579c-407d-8947-4579dd191531": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "event.id", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Event ID" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-84b3f5e8-3f77-4321-be5a-509c706f64fc", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "84b3f5e8-3f77-4321-be5a-509c706f64fc": { + "columnOrder": [ + "5df1c211-1eb3-4a81-a499-b48ddfac2a7e", + "dde9e6e9-ff36-4f27-ac4b-bfc9a52df9b5" + ], + "columns": { + "5df1c211-1eb3-4a81-a499-b48ddfac2a7e": { + "dataType": "string", + "isBucketed": true, + "label": "Top 30 values of file.type", + "operationType": "terms", + "params": { + "exclude": [], + 
"excludeIsRegex": false, + "include": [ + "Unknown" + ], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "dde9e6e9-ff36-4f27-ac4b-bfc9a52df9b5", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 30 + }, + "scale": "ordinal", + "sourceField": "file.type" + }, + "dde9e6e9-ff36-4f27-ac4b-bfc9a52df9b5": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "84b3f5e8-3f77-4321-be5a-509c706f64fc", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "dde9e6e9-ff36-4f27-ac4b-bfc9a52df9b5" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "5df1c211-1eb3-4a81-a499-b48ddfac2a7e" + ], + "secondaryGroups": null, + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "1d969a62-fef3-49cf-9cb7-e85f58838945", + "w": 24, + "x": 24, + "y": 39 
+ }, + "panelIndex": "1d969a62-fef3-49cf-9cb7-e85f58838945", + "title": "Threat Events by User", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "layout": "vertical", + "links": [ + { + "destinationRefName": "link_7f353e09-4ed5-48db-b5e9-a7c061fe6f2c_dashboard", + "id": "7f353e09-4ed5-48db-b5e9-a7c061fe6f2c", + "label": "Activities", + "order": 0, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_dca4702c-fe3a-4370-bcb9-6b0b1d916bda_dashboard", + "id": "dca4702c-fe3a-4370-bcb9-6b0b1d916bda", + "label": "Agents", + "order": 1, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_9b517a21-1545-4647-b27d-9ae352625d5a_dashboard", + "id": "9b517a21-1545-4647-b27d-9ae352625d5a", + "label": "Alerts", + "order": 2, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_b9d6a48b-8734-4307-a47d-879e237fee6b_dashboard", + "id": "b9d6a48b-8734-4307-a47d-879e237fee6b", + "label": "Application", + "order": 3, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_710ca0e7-8ab2-411e-9a7e-ff317d99a750_dashboard", + "id": "710ca0e7-8ab2-411e-9a7e-ff317d99a750", + "label": "Application Risk", + "order": 4, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_81cbde88-b25e-47cb-ab85-659afe99cf83_dashboard", + "id": "81cbde88-b25e-47cb-ab85-659afe99cf83", + "label": "Groups", + "order": 5, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_4221b0f1-92f7-4984-9c87-7a48ffa93828_dashboard", + "id": "4221b0f1-92f7-4984-9c87-7a48ffa93828", + "label": "Threats", + "order": 6, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_d32aebbf-b3b8-430c-b720-54ec75f85e22_dashboard", + "id": "d32aebbf-b3b8-430c-b720-54ec75f85e22", + "label": "Threat Events", + "order": 7, + "type": "dashboardLink" + } + ] + }, + "enhancements": {} + }, + "gridData": { + "h": 13, + "i": "5d7434d7-fc6e-4928-9a04-330d7a1517e9", + "w": 10, + "x": 0, + "y": 0 + }, + "panelIndex": 
"5d7434d7-fc6e-4928-9a04-330d7a1517e9", + "title": "Navigation", + "type": "links" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-bd39ffce-e2d8-4023-8eef-4558a4b1632f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9ddd4c62-8efa-4c22-8800-c6a4b4d4153f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c186ee58-4044-4c4d-bb9a-c92d89d97511", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "bd39ffce-e2d8-4023-8eef-4558a4b1632f": { + "columnOrder": [ + "00e6fa2b-060a-442c-aa66-a3b8496dd9d4", + "d5b1287c-7588-400a-a974-f5b9aa3f53cb" + ], + "columns": { + "00e6fa2b-060a-442c-aa66-a3b8496dd9d4": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "d5b1287c-7588-400a-a974-f5b9aa3f53cb": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "9ddd4c62-8efa-4c22-8800-c6a4b4d4153f", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "sentinel_one.threat_event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "sentinel_one.threat_event" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + 
"alias": null, + "disabled": false, + "field": "labels.is_transform_source", + "index": "c186ee58-4044-4c4d-bb9a-c92d89d97511", + "key": "labels.is_transform_source", + "negate": false, + "params": { + "query": "false" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_transform_source": "false" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "d5b1287c-7588-400a-a974-f5b9aa3f53cb" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "bd39ffce-e2d8-4023-8eef-4558a4b1632f", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "00e6fa2b-060a-442c-aa66-a3b8496dd9d4" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "9ddd4c62-8efa-4c22-8800-c6a4b4d4153f", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "sentinel_one.threat_event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "sentinel_one.threat_event" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_transform_source", + "index": "c186ee58-4044-4c4d-bb9a-c92d89d97511", + "key": "labels.is_transform_source", + "negate": false, + "params": 
{ + "query": "false" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_transform_source": "false" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 17, + "i": "52e8196e-a441-49e7-901b-2c13a072cd6e", + "w": 38, + "x": 10, + "y": 0 + }, + "panelIndex": "52e8196e-a441-49e7-901b-2c13a072cd6e", + "title": "Threat Events over Time", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Overview**\n\nThis dashboard provides a comprehensive view of SentinelOne Threat Events, helping analysts monitor and investigate potential security incidents effectively. The Threat Events Over Time trend highlights activity spikes and emerging threats, while Threat Events by User and Indicator Name visualize which users and threat indicators are most frequently involved. Threat Events by File Type offers insight into commonly targeted or malicious file formats. 
Additionally, the Top Source and Destination IPs tables identify key network endpoints associated with threat activity, aiding in rapid detection, containment, and response.\n\n[**Integrations Page**](/app/integrations/detail/sentinel_one/overview)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 26, + "i": "276efa99-fcfe-462c-a23c-13c8afb83cd2", + "w": 10, + "x": 0, + "y": 13 + }, + "panelIndex": "276efa99-fcfe-462c-a23c-13c8afb83cd2", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-6adecb30-ba39-4c43-aa8a-d750b53794d2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ccc8b035-b93a-4ac2-9f45-a9ff469a454d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "56a806ff-3e27-4f78-b768-a4dd0e4c14ce", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "6adecb30-ba39-4c43-aa8a-d750b53794d2": { + "columnOrder": [ + "5825ba7a-1ec3-4c52-a0fe-c1ae519db875", + "95317bc8-1e22-4bba-a554-5956c5f3aa22" + ], + "columns": { + "5825ba7a-1ec3-4c52-a0fe-c1ae519db875": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "File Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "95317bc8-1e22-4bba-a554-5956c5f3aa22", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "file.type" + }, + "95317bc8-1e22-4bba-a554-5956c5f3aa22": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + 
"sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "ccc8b035-b93a-4ac2-9f45-a9ff469a454d", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "sentinel_one.threat_event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "sentinel_one.threat_event" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_transform_source", + "index": "56a806ff-3e27-4f78-b768-a4dd0e4c14ce", + "key": "labels.is_transform_source", + "negate": false, + "params": { + "query": "false" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_transform_source": "false" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "95317bc8-1e22-4bba-a554-5956c5f3aa22" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "6adecb30-ba39-4c43-aa8a-d750b53794d2", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "5825ba7a-1ec3-4c52-a0fe-c1ae519db875" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + 
"dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "ccc8b035-b93a-4ac2-9f45-a9ff469a454d", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "sentinel_one.threat_event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "sentinel_one.threat_event" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_transform_source", + "index": "56a806ff-3e27-4f78-b768-a4dd0e4c14ce", + "key": "labels.is_transform_source", + "negate": false, + "params": { + "query": "false" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_transform_source": "false" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "b346c136-462f-42be-971d-c2fd569925f8", + "w": 24, + "x": 0, + "y": 39 + }, + "panelIndex": "b346c136-462f-42be-971d-c2fd569925f8", + "title": "Threat Events by File Type", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-bb455125-92a9-4a19-812b-4c606c76bcbd", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "16b529d5-9f9d-4333-bc1c-24b3a4758088", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "971f9173-93ed-44ba-bdfe-b83ede1616b3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "bb455125-92a9-4a19-812b-4c606c76bcbd": { + "columnOrder": [ + "93dbffe0-4c92-4948-9f76-95244f8c364d", + "8422488d-992e-40d5-9a45-93f68bb7f191" + ], + "columns": { + "8422488d-992e-40d5-9a45-93f68bb7f191": { + "customLabel": true, + "dataType": "number", + "isBucketed": 
false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "93dbffe0-4c92-4948-9f76-95244f8c364d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Threat Indicator Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "8422488d-992e-40d5-9a45-93f68bb7f191", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "16b529d5-9f9d-4333-bc1c-24b3a4758088", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "sentinel_one.threat_event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "sentinel_one.threat_event" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_transform_source", + "index": "971f9173-93ed-44ba-bdfe-b83ede1616b3", + "key": "labels.is_transform_source", + "negate": false, + "params": { + "query": "false" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_transform_source": "false" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "8422488d-992e-40d5-9a45-93f68bb7f191" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, 
+ "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "bb455125-92a9-4a19-812b-4c606c76bcbd", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "93dbffe0-4c92-4948-9f76-95244f8c364d" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "16b529d5-9f9d-4333-bc1c-24b3a4758088", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "sentinel_one.threat_event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "sentinel_one.threat_event" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_transform_source", + "index": "971f9173-93ed-44ba-bdfe-b83ede1616b3", + "key": "labels.is_transform_source", + "negate": false, + "params": { + "query": "false" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_transform_source": "false" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 16, + "i": "6cc85613-d12a-4896-af43-becf646b9c9e", + "w": 48, + "x": 0, + "y": 54 + }, + "panelIndex": "6cc85613-d12a-4896-af43-becf646b9c9e", + "title": "Threat Events by Indicator Name", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": 
"logs-*", + "name": "indexpattern-datasource-layer-98d2b68c-ac37-421d-8f2f-8585794b1500", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "98d2b68c-ac37-421d-8f2f-8585794b1500": { + "columnOrder": [ + "035729af-810d-4528-9099-40465fc27f17", + "019e0104-5c05-4068-a089-36eef7da3ca7" + ], + "columns": { + "019e0104-5c05-4068-a089-36eef7da3ca7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "035729af-810d-4528-9099-40465fc27f17": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Destination IP", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "019e0104-5c05-4068-a089-36eef7da3ca7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "destination.ip" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "initialContext": null, + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "80d05f75-7116-4866-b839-bfa5142e90ca", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "sentinel_one.threat_event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": 
"sentinel_one.threat_event" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_transform_source", + "index": "b15fffb5-0bd4-47e5-abbc-73f745aff02a", + "key": "labels.is_transform_source", + "negate": false, + "params": { + "query": "false" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_transform_source": "false" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "035729af-810d-4528-9099-40465fc27f17", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "019e0104-5c05-4068-a089-36eef7da3ca7", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "98d2b68c-ac37-421d-8f2f-8585794b1500", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "80d05f75-7116-4866-b839-bfa5142e90ca", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "sentinel_one.threat_event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "sentinel_one.threat_event" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_transform_source", + "index": "b15fffb5-0bd4-47e5-abbc-73f745aff02a", + "key": "labels.is_transform_source", + "negate": false, + "params": { + "query": "false" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_transform_source": "false" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 22, + "i": 
"b50512ff-53e3-4e0d-96f1-0698031602fd", + "w": 19, + "x": 29, + "y": 17 + }, + "panelIndex": "b50512ff-53e3-4e0d-96f1-0698031602fd", + "title": "Top Destination IPs", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-01c0b982-7c4c-43a8-a239-1ef6a6d14de1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0434ab6d-b665-4280-9c7e-db2227f4290c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "78dbbf0c-8fa6-45a9-97ce-f01dc71c303d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "01c0b982-7c4c-43a8-a239-1ef6a6d14de1": { + "columnOrder": [ + "6e3ad618-47d4-46d5-a588-fd1773c4f145", + "106f34bf-38dc-4085-bc42-ac7fddd25c50" + ], + "columns": { + "106f34bf-38dc-4085-bc42-ac7fddd25c50": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "6e3ad618-47d4-46d5-a588-fd1773c4f145": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Source IP", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "106f34bf-38dc-4085-bc42-ac7fddd25c50", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "source.ip" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": 
"0434ab6d-b665-4280-9c7e-db2227f4290c", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "sentinel_one.threat_event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "sentinel_one.threat_event" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_transform_source", + "index": "78dbbf0c-8fa6-45a9-97ce-f01dc71c303d", + "key": "labels.is_transform_source", + "negate": false, + "params": { + "query": "false" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_transform_source": "false" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "6e3ad618-47d4-46d5-a588-fd1773c4f145", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "106f34bf-38dc-4085-bc42-ac7fddd25c50", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "01c0b982-7c4c-43a8-a239-1ef6a6d14de1", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "0434ab6d-b665-4280-9c7e-db2227f4290c", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "sentinel_one.threat_event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "sentinel_one.threat_event" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_transform_source", + "index": "78dbbf0c-8fa6-45a9-97ce-f01dc71c303d", + "key": "labels.is_transform_source", + "negate": false, + "params": { + "query": "false" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { 
+ "labels.is_transform_source": "false" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 22, + "i": "808c3921-df43-4a4b-824b-f7f412e2b8b6", + "w": 19, + "x": 10, + "y": 17 + }, + "panelIndex": "808c3921-df43-4a4b-824b-f7f412e2b8b6", + "title": "Top Source IPs", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs SentinelOne] Threat Events", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-10-27T18:28:47.690Z", + "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0", + "id": "sentinel_one-413bf268-78f7-4bea-b668-55b5adacbf08", + "references": [ + { + "id": "logs-*", + "name": "1d969a62-fef3-49cf-9cb7-e85f58838945:indexpattern-datasource-layer-84b3f5e8-3f77-4321-be5a-509c706f64fc", + "type": "index-pattern" + }, + { + "id": "sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538", + "name": "5d7434d7-fc6e-4928-9a04-330d7a1517e9:link_7f353e09-4ed5-48db-b5e9-a7c061fe6f2c_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538", + "name": "5d7434d7-fc6e-4928-9a04-330d7a1517e9:link_dca4702c-fe3a-4370-bcb9-6b0b1d916bda_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-bcf1f680-bba3-11ec-82b7-8fcb232e9538", + "name": "5d7434d7-fc6e-4928-9a04-330d7a1517e9:link_9b517a21-1545-4647-b27d-9ae352625d5a_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-acd472d9-a6b7-4a53-a58d-06c315764c8d", + "name": "5d7434d7-fc6e-4928-9a04-330d7a1517e9:link_b9d6a48b-8734-4307-a47d-879e237fee6b_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-9d3f16ad-d421-4475-b0e2-c9b3f795e0d5", + "name": "5d7434d7-fc6e-4928-9a04-330d7a1517e9:link_710ca0e7-8ab2-411e-9a7e-ff317d99a750_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-5881f5f0-bb2c-11ec-82b7-8fcb232e9538", + "name": 
"5d7434d7-fc6e-4928-9a04-330d7a1517e9:link_81cbde88-b25e-47cb-ab85-659afe99cf83_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538", + "name": "5d7434d7-fc6e-4928-9a04-330d7a1517e9:link_4221b0f1-92f7-4984-9c87-7a48ffa93828_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-413bf268-78f7-4bea-b668-55b5adacbf08", + "name": "5d7434d7-fc6e-4928-9a04-330d7a1517e9:link_d32aebbf-b3b8-430c-b720-54ec75f85e22_dashboard", + "type": "dashboard" + }, + { + "id": "logs-*", + "name": "52e8196e-a441-49e7-901b-2c13a072cd6e:indexpattern-datasource-layer-bd39ffce-e2d8-4023-8eef-4558a4b1632f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "52e8196e-a441-49e7-901b-2c13a072cd6e:9ddd4c62-8efa-4c22-8800-c6a4b4d4153f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "52e8196e-a441-49e7-901b-2c13a072cd6e:c186ee58-4044-4c4d-bb9a-c92d89d97511", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b346c136-462f-42be-971d-c2fd569925f8:indexpattern-datasource-layer-6adecb30-ba39-4c43-aa8a-d750b53794d2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b346c136-462f-42be-971d-c2fd569925f8:ccc8b035-b93a-4ac2-9f45-a9ff469a454d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b346c136-462f-42be-971d-c2fd569925f8:56a806ff-3e27-4f78-b768-a4dd0e4c14ce", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6cc85613-d12a-4896-af43-becf646b9c9e:indexpattern-datasource-layer-bb455125-92a9-4a19-812b-4c606c76bcbd", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6cc85613-d12a-4896-af43-becf646b9c9e:16b529d5-9f9d-4333-bc1c-24b3a4758088", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6cc85613-d12a-4896-af43-becf646b9c9e:971f9173-93ed-44ba-bdfe-b83ede1616b3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b50512ff-53e3-4e0d-96f1-0698031602fd:indexpattern-datasource-layer-98d2b68c-ac37-421d-8f2f-8585794b1500", + 
"type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "808c3921-df43-4a4b-824b-f7f412e2b8b6:indexpattern-datasource-layer-01c0b982-7c4c-43a8-a239-1ef6a6d14de1",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "808c3921-df43-4a4b-824b-f7f412e2b8b6:0434ab6d-b665-4280-9c7e-db2227f4290c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "808c3921-df43-4a4b-824b-f7f412e2b8b6:78dbbf0c-8fa6-45a9-97ce-f01dc71c303d",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_e77e3fdd-579c-407d-8947-4579dd191531:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_54be5b45-06d1-4e3b-9717-449bd247105d:optionsListDataView",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard",
+ "typeMigrationVersion": "10.2.0",
+ "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
+}
\ No newline at end of file
diff --git a/packages/sentinel_one/kibana/dashboard/sentinel_one-5881f5f0-bb2c-11ec-82b7-8fcb232e9538.json b/packages/sentinel_one/kibana/dashboard/sentinel_one-5881f5f0-bb2c-11ec-82b7-8fcb232e9538.json
index 5fe50cec65b..203c58536f9 100644
--- a/packages/sentinel_one/kibana/dashboard/sentinel_one-5881f5f0-bb2c-11ec-82b7-8fcb232e9538.json
+++ b/packages/sentinel_one/kibana/dashboard/sentinel_one-5881f5f0-bb2c-11ec-82b7-8fcb232e9538.json
@@ -83,110 +83,6 @@ "useMargins": true }, "panelsJSON": [ - { - "embeddableConfig": { - "attributes": { - "layout": "vertical", - "links": [ - { - "destinationRefName": "link_0bcbb1fa-7d97-488a-9198-bc0ac712229e_dashboard", - "id": "0bcbb1fa-7d97-488a-9198-bc0ac712229e", - "label": "Activities", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 0, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_45e6c331-8ed7-433f-bf55-5b8d08b6f770_dashboard", - "id": "45e6c331-8ed7-433f-bf55-5b8d08b6f770", - "label": "Agents", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 1, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_64046556-1dbd-4e7c-b7c4-35edc515d7e3_dashboard", - "id": "64046556-1dbd-4e7c-b7c4-35edc515d7e3", - "label": "Alerts", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 2, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_4317b4ea-9795-44df-b333-8f0c584fdc0d_dashboard", - "id": "4317b4ea-9795-44df-b333-8f0c584fdc0d", - "label": "Application", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 3, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_ef8b2f3d-7f87-47c2-a262-8f82f322c2e7_dashboard", - "id": "ef8b2f3d-7f87-47c2-a262-8f82f322c2e7", - "label": "Application Risk", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 4, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_f48c0ce1-bcf1-4ca6-9fef-3d3fa7ecc91c_dashboard", - "id": "f48c0ce1-bcf1-4ca6-9fef-3d3fa7ecc91c", - "label": "Groups", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 5, - "type": "dashboardLink" - }, - { - "destinationRefName": 
"link_23a7efb8-0ecb-4605-8462-3685d3f70634_dashboard", - "id": "23a7efb8-0ecb-4605-8462-3685d3f70634", - "label": "Threats", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 6, - "type": "dashboardLink" - } - ] - }, - "enhancements": {} - }, - "gridData": { - "h": 12, - "i": "ef9d506d-8b22-4d26-b3fe-a3d8e6b268f3", - "w": 10, - "x": 0, - "y": 0 - }, - "panelIndex": "ef9d506d-8b22-4d26-b3fe-a3d8e6b268f3", - "title": "Navigation", - "type": "links" - }, { "embeddableConfig": { "attributes": { @@ -820,47 +716,6 @@ "panelIndex": "26084a13-4083-4c3e-9f81-677b4ca38ca7", "type": "lens" }, - { - "embeddableConfig": { - "enhancements": { - "dynamicActions": { - "events": [] - } - }, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "id": "", - "params": { - "fontSize": 12, - "markdown": "**Overview**\n\nThe Groups Dashboard offers an overview of group-related insights within the environment. At the top, a key metric displays the total number of groups. Pie charts provide a breakdown of groups by rank and type, helping to understand their distribution and categorization. A bar chart shows groups by agent count, making it easy to identify groups with higher concentrations of agents. Finally, a table lists the top 10 group creators, offering visibility into the most active creators for better management and auditing.\n\n[**Integrations Page**](/app/integrations/detail/sentinel_one/overview)", - "openLinksInNewTab": false - }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 31, - "i": "12e33f1a-06c0-4dde-ae49-fb2aa441c371", - "w": 10, - "x": 0, - "y": 12 - }, - "panelIndex": "12e33f1a-06c0-4dde-ae49-fb2aa441c371", - "title": "Table of Contents", - "type": "visualization" - }, { "embeddableConfig": { "attributes": { 
@@ -1018,6 +873,158 @@ }, "panelIndex": "4694770f-8a83-4877-992c-1a078c45e3c6", "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "layout": "vertical", + "links": [ + { + "destinationRefName": "link_0bcbb1fa-7d97-488a-9198-bc0ac712229e_dashboard", + "id": "0bcbb1fa-7d97-488a-9198-bc0ac712229e", + "label": "Activities", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 0, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_45e6c331-8ed7-433f-bf55-5b8d08b6f770_dashboard", + "id": "45e6c331-8ed7-433f-bf55-5b8d08b6f770", + "label": "Agents", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 1, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_64046556-1dbd-4e7c-b7c4-35edc515d7e3_dashboard", + "id": "64046556-1dbd-4e7c-b7c4-35edc515d7e3", + "label": "Alerts", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 2, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_4317b4ea-9795-44df-b333-8f0c584fdc0d_dashboard", + "id": "4317b4ea-9795-44df-b333-8f0c584fdc0d", + "label": "Application", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 3, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_ef8b2f3d-7f87-47c2-a262-8f82f322c2e7_dashboard", + "id": "ef8b2f3d-7f87-47c2-a262-8f82f322c2e7", + "label": "Application Risk", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 4, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_f48c0ce1-bcf1-4ca6-9fef-3d3fa7ecc91c_dashboard", + "id": "f48c0ce1-bcf1-4ca6-9fef-3d3fa7ecc91c", + "label": "Groups", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 5, + "type": 
"dashboardLink" + }, + { + "destinationRefName": "link_23a7efb8-0ecb-4605-8462-3685d3f70634_dashboard", + "id": "23a7efb8-0ecb-4605-8462-3685d3f70634", + "label": "Threats", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 6, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_44b09a95-27eb-4203-a194-38a075039d29_dashboard", + "id": "44b09a95-27eb-4203-a194-38a075039d29", + "label": "Threat Events", + "order": 7, + "type": "dashboardLink" + } + ] + }, + "enhancements": {} + }, + "gridData": { + "h": 13, + "i": "ef9d506d-8b22-4d26-b3fe-a3d8e6b268f3", + "w": 10, + "x": 0, + "y": 0 + }, + "panelIndex": "ef9d506d-8b22-4d26-b3fe-a3d8e6b268f3", + "title": "Navigation", + "type": "links" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Overview**\n\nThe Groups Dashboard offers an overview of group-related insights within the environment. At the top, a key metric displays the total number of groups. Pie charts provide a breakdown of groups by rank and type, helping to understand their distribution and categorization. A bar chart shows groups by agent count, making it easy to identify groups with higher concentrations of agents. 
Finally, a table lists the top 10 group creators, offering visibility into the most active creators for better management and auditing.\n\n[**Integrations Page**](/app/integrations/detail/sentinel_one/overview)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 30, + "i": "12e33f1a-06c0-4dde-ae49-fb2aa441c371", + "w": 10, + "x": 0, + "y": 13 + }, + "panelIndex": "12e33f1a-06c0-4dde-ae49-fb2aa441c371", + "title": "Table of Contents", + "type": "visualization" } ], "timeRestore": false, @@ -1025,7 +1032,7 @@ "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-10-06T10:09:51.036Z", + "created_at": "2025-10-27T19:44:46.699Z", "id": "sentinel_one-5881f5f0-bb2c-11ec-82b7-8fcb232e9538", "references": [ { 
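Review bot: The new "Threat Events" entry in the Navigation links array (the `link_44b09a95-…_dashboard` item with `"order": 7`) is the only link in the panel without an `options` object, while its six siblings each set `openInNewTab`, `useCurrentDateRange` and `useCurrentFilters` explicitly, so its behaviour on click will be whatever the Links panel applies by default rather than what the rest of the panel declares. Add the same block after the label, `"options": { "openInNewTab": false, "useCurrentDateRange": true, "useCurrentFilters": true },`, so pivoting into the Threat Events dashboard carries the analyst's current time range and filters like the other links do. The matching links panels in the other dashboards touched by this commit are outside this hunk and are worth checking for the same omission.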
@@ -1038,41 +1045,6 @@ "name": "tag-ref-security-solution-default", "type": "tag" }, - { - "id": "sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538", - "name": "ef9d506d-8b22-4d26-b3fe-a3d8e6b268f3:link_0bcbb1fa-7d97-488a-9198-bc0ac712229e_dashboard", - "type": "dashboard" - }, - { - "id": "sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538", - "name": "ef9d506d-8b22-4d26-b3fe-a3d8e6b268f3:link_45e6c331-8ed7-433f-bf55-5b8d08b6f770_dashboard", - "type": "dashboard" - }, - { - "id": "sentinel_one-bcf1f680-bba3-11ec-82b7-8fcb232e9538", - "name": "ef9d506d-8b22-4d26-b3fe-a3d8e6b268f3:link_64046556-1dbd-4e7c-b7c4-35edc515d7e3_dashboard", - "type": "dashboard" - }, - { - "id": "sentinel_one-acd472d9-a6b7-4a53-a58d-06c315764c8d", - "name": "ef9d506d-8b22-4d26-b3fe-a3d8e6b268f3:link_4317b4ea-9795-44df-b333-8f0c584fdc0d_dashboard", - "type": "dashboard" - }, - { - "id": "sentinel_one-9d3f16ad-d421-4475-b0e2-c9b3f795e0d5", - "name": "ef9d506d-8b22-4d26-b3fe-a3d8e6b268f3:link_ef8b2f3d-7f87-47c2-a262-8f82f322c2e7_dashboard", - "type": "dashboard" - }, - { - "id": "sentinel_one-5881f5f0-bb2c-11ec-82b7-8fcb232e9538", - "name": "ef9d506d-8b22-4d26-b3fe-a3d8e6b268f3:link_f48c0ce1-bcf1-4ca6-9fef-3d3fa7ecc91c_dashboard", - "type": "dashboard" - }, - { - "id": "sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538", - "name": "ef9d506d-8b22-4d26-b3fe-a3d8e6b268f3:link_23a7efb8-0ecb-4605-8462-3685d3f70634_dashboard", - "type": "dashboard" - }, { "id": "logs-*", "name": "c4c1c721-dabf-4a99-bd53-934afe7bb4d7:indexpattern-datasource-layer-1b0e558e-537e-40a9-bc0a-f8b42329c6b5", 
@@ -1123,6 +1095,46 @@ "name": "4694770f-8a83-4877-992c-1a078c45e3c6:52dff4e0-68f1-43c5-b4f9-c8f0d477cb3e", "type": "index-pattern" }, + { + "id": "sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538", + "name": "ef9d506d-8b22-4d26-b3fe-a3d8e6b268f3:link_0bcbb1fa-7d97-488a-9198-bc0ac712229e_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538", + "name": "ef9d506d-8b22-4d26-b3fe-a3d8e6b268f3:link_45e6c331-8ed7-433f-bf55-5b8d08b6f770_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-bcf1f680-bba3-11ec-82b7-8fcb232e9538", + "name": "ef9d506d-8b22-4d26-b3fe-a3d8e6b268f3:link_64046556-1dbd-4e7c-b7c4-35edc515d7e3_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-acd472d9-a6b7-4a53-a58d-06c315764c8d", + "name": "ef9d506d-8b22-4d26-b3fe-a3d8e6b268f3:link_4317b4ea-9795-44df-b333-8f0c584fdc0d_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-9d3f16ad-d421-4475-b0e2-c9b3f795e0d5", + "name": "ef9d506d-8b22-4d26-b3fe-a3d8e6b268f3:link_ef8b2f3d-7f87-47c2-a262-8f82f322c2e7_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-5881f5f0-bb2c-11ec-82b7-8fcb232e9538", + "name": "ef9d506d-8b22-4d26-b3fe-a3d8e6b268f3:link_f48c0ce1-bcf1-4ca6-9fef-3d3fa7ecc91c_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538", + "name": "ef9d506d-8b22-4d26-b3fe-a3d8e6b268f3:link_23a7efb8-0ecb-4605-8462-3685d3f70634_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-413bf268-78f7-4bea-b668-55b5adacbf08", + "name": "ef9d506d-8b22-4d26-b3fe-a3d8e6b268f3:link_44b09a95-27eb-4203-a194-38a075039d29_dashboard", + "type": "dashboard" + }, { "id": "logs-*", "name": "controlGroup_5dae62b6-bb2a-41ec-a2e8-71a4d0e4786e:optionsListDataView", 
diff --git a/packages/sentinel_one/kibana/dashboard/sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538.json b/packages/sentinel_one/kibana/dashboard/sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538.json
index aade797120f..f09b9a11f5b 100644
--- a/packages/sentinel_one/kibana/dashboard/sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538.json
+++ b/packages/sentinel_one/kibana/dashboard/sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538.json
@@ -1479,110 +1479,6 @@ "panelIndex": "a6230b4c-2b1a-4db7-96f5-a8b767794e6a", "type": "lens" }, - { - "embeddableConfig": { - "attributes": { - "layout": "vertical", - "links": [ - { - "destinationRefName": "link_52f9fd42-bbac-4b9f-80d4-ec601095196f_dashboard", - "id": "52f9fd42-bbac-4b9f-80d4-ec601095196f", - "label": "Activities", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 0, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_eeb3cde3-9528-49b5-931f-f876186a797f_dashboard", - "id": "eeb3cde3-9528-49b5-931f-f876186a797f", - "label": "Agents", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 1, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_fd77b638-3178-4922-8a5d-3888e694f2cd_dashboard", - "id": "fd77b638-3178-4922-8a5d-3888e694f2cd", - "label": "Alerts", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 2, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_7874cd4f-76dd-4e0e-8855-b2140620ab79_dashboard", - "id": "7874cd4f-76dd-4e0e-8855-b2140620ab79", - "label": "Application", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 3, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_2a4f48d7-ea97-452f-9475-a856d2880aaf_dashboard", - "id": "2a4f48d7-ea97-452f-9475-a856d2880aaf", - "label": "Application Risk", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 4, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_8307b976-ffd0-4b58-97d9-99b0e4931f1f_dashboard", - "id": "8307b976-ffd0-4b58-97d9-99b0e4931f1f", - "label": "Groups", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 5, - "type": "dashboardLink" 
- }, - { - "destinationRefName": "link_df39f05e-cae4-473a-8513-d07af4088128_dashboard", - "id": "df39f05e-cae4-473a-8513-d07af4088128", - "label": "Threats", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 6, - "type": "dashboardLink" - } - ] - }, - "enhancements": {} - }, - "gridData": { - "h": 12, - "i": "d4c39dde-4003-46a3-8eec-e8874c0b373c", - "w": 10, - "x": 0, - "y": 0 - }, - "panelIndex": "d4c39dde-4003-46a3-8eec-e8874c0b373c", - "title": "Navigation", - "type": "links" - }, { "embeddableConfig": { "attributes": { 
@@ -3138,6 +3034,117 @@ "panelIndex": "88da7d9d-b377-4455-a528-719f58c796f7", "type": "lens" }, + { + "embeddableConfig": { + "attributes": { + "layout": "vertical", + "links": [ + { + "destinationRefName": "link_52f9fd42-bbac-4b9f-80d4-ec601095196f_dashboard", + "id": "52f9fd42-bbac-4b9f-80d4-ec601095196f", + "label": "Activities", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 0, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_eeb3cde3-9528-49b5-931f-f876186a797f_dashboard", + "id": "eeb3cde3-9528-49b5-931f-f876186a797f", + "label": "Agents", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 1, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_fd77b638-3178-4922-8a5d-3888e694f2cd_dashboard", + "id": "fd77b638-3178-4922-8a5d-3888e694f2cd", + "label": "Alerts", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 2, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_7874cd4f-76dd-4e0e-8855-b2140620ab79_dashboard", + "id": "7874cd4f-76dd-4e0e-8855-b2140620ab79", + "label": "Application", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 3, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_2a4f48d7-ea97-452f-9475-a856d2880aaf_dashboard", + "id": "2a4f48d7-ea97-452f-9475-a856d2880aaf", + "label": "Application Risk", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 4, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_8307b976-ffd0-4b58-97d9-99b0e4931f1f_dashboard", + "id": "8307b976-ffd0-4b58-97d9-99b0e4931f1f", + "label": "Groups", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 5, + "type": "dashboardLink" 
+ }, + { + "destinationRefName": "link_df39f05e-cae4-473a-8513-d07af4088128_dashboard", + "id": "df39f05e-cae4-473a-8513-d07af4088128", + "label": "Threats", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 6, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_10bff287-8eec-4a50-8b0e-fa897e4658a5_dashboard", + "id": "10bff287-8eec-4a50-8b0e-fa897e4658a5", + "label": "Threat Events", + "order": 7, + "type": "dashboardLink" + } + ] + }, + "enhancements": {} + }, + "gridData": { + "h": 13, + "i": "d4c39dde-4003-46a3-8eec-e8874c0b373c", + "w": 10, + "x": 0, + "y": 0 + }, + "panelIndex": "d4c39dde-4003-46a3-8eec-e8874c0b373c", + "title": "Navigation", + "type": "links" + }, { "embeddableConfig": { "enhancements": { @@ -3169,11 +3176,11 @@ } }, "gridData": { - "h": 49, + "h": 48, "i": "117ca9ec-9cd9-46c3-bb02-bbde555ea01e", "w": 10, "x": 0, - "y": 12 + "y": 13 }, "panelIndex": "117ca9ec-9cd9-46c3-bb02-bbde555ea01e", "title": "Table of Contents", @@ -3185,7 +3192,7 @@ "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-10-06T10:09:47.006Z", + "created_at": "2025-10-27T19:44:42.642Z", "id": "sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538", "references": [ { 
@@ -3283,41 +3290,6 @@ "name": "a6230b4c-2b1a-4db7-96f5-a8b767794e6a:210b916d-f74f-442a-b396-9625ba85ced4", "type": "index-pattern" }, - { - "id": "sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538", - "name": "d4c39dde-4003-46a3-8eec-e8874c0b373c:link_52f9fd42-bbac-4b9f-80d4-ec601095196f_dashboard", - "type": "dashboard" - }, - { - "id": "sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538", - "name": "d4c39dde-4003-46a3-8eec-e8874c0b373c:link_eeb3cde3-9528-49b5-931f-f876186a797f_dashboard", - "type": "dashboard" - }, - { - "id": "sentinel_one-bcf1f680-bba3-11ec-82b7-8fcb232e9538", - "name": "d4c39dde-4003-46a3-8eec-e8874c0b373c:link_fd77b638-3178-4922-8a5d-3888e694f2cd_dashboard", - "type": "dashboard" - }, - { - "id": "sentinel_one-acd472d9-a6b7-4a53-a58d-06c315764c8d", - "name": "d4c39dde-4003-46a3-8eec-e8874c0b373c:link_7874cd4f-76dd-4e0e-8855-b2140620ab79_dashboard", - "type": "dashboard" - }, - { - "id": "sentinel_one-9d3f16ad-d421-4475-b0e2-c9b3f795e0d5", - "name": "d4c39dde-4003-46a3-8eec-e8874c0b373c:link_2a4f48d7-ea97-452f-9475-a856d2880aaf_dashboard", - "type": "dashboard" - }, - { - "id": "sentinel_one-5881f5f0-bb2c-11ec-82b7-8fcb232e9538", - "name": "d4c39dde-4003-46a3-8eec-e8874c0b373c:link_8307b976-ffd0-4b58-97d9-99b0e4931f1f_dashboard", - "type": "dashboard" - }, - { - "id": "sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538", - "name": "d4c39dde-4003-46a3-8eec-e8874c0b373c:link_df39f05e-cae4-473a-8513-d07af4088128_dashboard", - "type": "dashboard" - }, { "id": "logs-*", "name": "a1308966-3dec-431c-82e3-29890ad87785:indexpattern-datasource-layer-e4082dc4-e9cc-4589-aed3-bf66cdac7d34", 
@@ -3423,6 +3395,46 @@ "name": "88da7d9d-b377-4455-a528-719f58c796f7:759d39de-195e-4c49-b2ab-6c4020f5c8df", "type": "index-pattern" }, + { + "id": "sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538", + "name": "d4c39dde-4003-46a3-8eec-e8874c0b373c:link_52f9fd42-bbac-4b9f-80d4-ec601095196f_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538", + "name": "d4c39dde-4003-46a3-8eec-e8874c0b373c:link_eeb3cde3-9528-49b5-931f-f876186a797f_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-bcf1f680-bba3-11ec-82b7-8fcb232e9538", + "name": "d4c39dde-4003-46a3-8eec-e8874c0b373c:link_fd77b638-3178-4922-8a5d-3888e694f2cd_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-acd472d9-a6b7-4a53-a58d-06c315764c8d", + "name": "d4c39dde-4003-46a3-8eec-e8874c0b373c:link_7874cd4f-76dd-4e0e-8855-b2140620ab79_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-9d3f16ad-d421-4475-b0e2-c9b3f795e0d5", + "name": "d4c39dde-4003-46a3-8eec-e8874c0b373c:link_2a4f48d7-ea97-452f-9475-a856d2880aaf_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-5881f5f0-bb2c-11ec-82b7-8fcb232e9538", + "name": "d4c39dde-4003-46a3-8eec-e8874c0b373c:link_8307b976-ffd0-4b58-97d9-99b0e4931f1f_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538", + "name": "d4c39dde-4003-46a3-8eec-e8874c0b373c:link_df39f05e-cae4-473a-8513-d07af4088128_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-413bf268-78f7-4bea-b668-55b5adacbf08", + "name": "d4c39dde-4003-46a3-8eec-e8874c0b373c:link_10bff287-8eec-4a50-8b0e-fa897e4658a5_dashboard", + "type": "dashboard" + }, { "id": "logs-*", "name": "controlGroup_c1048b25-930c-47d0-8e45-eeebfee87fba:optionsListDataView", 
diff --git a/packages/sentinel_one/kibana/dashboard/sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538.json b/packages/sentinel_one/kibana/dashboard/sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538.json index f386d94a9a0..6ed22e0f948 100644 --- a/packages/sentinel_one/kibana/dashboard/sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538.json +++ b/packages/sentinel_one/kibana/dashboard/sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538.json 
@@ -381,110 +381,6 @@ "panelIndex": "822b1071-df2f-43bd-84a8-da1bcdd97528", "type": "lens" }, - { - "embeddableConfig": { - "attributes": { - "layout": "vertical", - "links": [ - { - "destinationRefName": "link_7c6029cf-8f42-4127-8a61-7ef0fc6aa58b_dashboard", - "id": "7c6029cf-8f42-4127-8a61-7ef0fc6aa58b", - "label": "Activities", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 0, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_8ce64390-457f-468d-b124-5680a5a21b26_dashboard", - "id": "8ce64390-457f-468d-b124-5680a5a21b26", - "label": "Agents", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 1, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_d8da014b-1528-4750-b0ee-847e4da3ad0e_dashboard", - "id": "d8da014b-1528-4750-b0ee-847e4da3ad0e", - "label": "Alerts", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 2, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_b9ca2221-4f96-4709-9bd8-8697bca76c4e_dashboard", - "id": "b9ca2221-4f96-4709-9bd8-8697bca76c4e", - "label": "Application", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 3, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_ab017407-9d33-4877-9516-510ab696ea7b_dashboard", - "id": "ab017407-9d33-4877-9516-510ab696ea7b", - "label": "Application Risk", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 4, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_b619f0bd-8ea8-45a0-a3c4-a6b5efdb6224_dashboard", - "id": "b619f0bd-8ea8-45a0-a3c4-a6b5efdb6224", - "label": "Groups", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 5, - "type": "dashboardLink" - 
}, - { - "destinationRefName": "link_1e414e69-58cd-49ee-866a-fe7a134e8802_dashboard", - "id": "1e414e69-58cd-49ee-866a-fe7a134e8802", - "label": "Threats", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 6, - "type": "dashboardLink" - } - ] - }, - "enhancements": {} - }, - "gridData": { - "h": 12, - "i": "f77c1173-e086-4886-820c-ecdabfba0a72", - "w": 10, - "x": 0, - "y": 0 - }, - "panelIndex": "f77c1173-e086-4886-820c-ecdabfba0a72", - "title": "Navigation", - "type": "links" - }, { "embeddableConfig": { "attributes": { 
@@ -1330,6 +1226,117 @@ "title": "Top 10 Primary Description by Computer Name", "type": "lens" }, + { + "embeddableConfig": { + "attributes": { + "layout": "vertical", + "links": [ + { + "destinationRefName": "link_7c6029cf-8f42-4127-8a61-7ef0fc6aa58b_dashboard", + "id": "7c6029cf-8f42-4127-8a61-7ef0fc6aa58b", + "label": "Activities", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 0, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_8ce64390-457f-468d-b124-5680a5a21b26_dashboard", + "id": "8ce64390-457f-468d-b124-5680a5a21b26", + "label": "Agents", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 1, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_d8da014b-1528-4750-b0ee-847e4da3ad0e_dashboard", + "id": "d8da014b-1528-4750-b0ee-847e4da3ad0e", + "label": "Alerts", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 2, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_b9ca2221-4f96-4709-9bd8-8697bca76c4e_dashboard", + "id": "b9ca2221-4f96-4709-9bd8-8697bca76c4e", + "label": "Application", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 3, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_ab017407-9d33-4877-9516-510ab696ea7b_dashboard", + "id": "ab017407-9d33-4877-9516-510ab696ea7b", + "label": "Application Risk", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 4, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_b619f0bd-8ea8-45a0-a3c4-a6b5efdb6224_dashboard", + "id": "b619f0bd-8ea8-45a0-a3c4-a6b5efdb6224", + "label": "Groups", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 5, + "type": 
"dashboardLink" + }, + { + "destinationRefName": "link_1e414e69-58cd-49ee-866a-fe7a134e8802_dashboard", + "id": "1e414e69-58cd-49ee-866a-fe7a134e8802", + "label": "Threats", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 6, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_f066dfd9-2919-46a7-8e42-473b792c3f47_dashboard", + "id": "f066dfd9-2919-46a7-8e42-473b792c3f47", + "label": "Threat Events", + "order": 7, + "type": "dashboardLink" + } + ] + }, + "enhancements": {} + }, + "gridData": { + "h": 13, + "i": "f77c1173-e086-4886-820c-ecdabfba0a72", + "w": 10, + "x": 0, + "y": 0 + }, + "panelIndex": "f77c1173-e086-4886-820c-ecdabfba0a72", + "title": "Navigation", + "type": "links" + }, { "embeddableConfig": { "enhancements": { @@ -1361,11 +1368,11 @@ } }, "gridData": { - "h": 32, + "h": 31, "i": "074b445d-d7a2-4617-a654-5c34a22101c8", "w": 10, "x": 0, - "y": 12 + "y": 13 }, "panelIndex": "074b445d-d7a2-4617-a654-5c34a22101c8", "title": "Table of Contents", @@ -1377,7 +1384,7 @@ "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-10-06T10:09:46.298Z", + "created_at": "2025-10-27T19:44:42.345Z", "id": "sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538", "references": [ { 
@@ -1410,41 +1417,6 @@ "name": "822b1071-df2f-43bd-84a8-da1bcdd97528:cb6d2a1b-ab3d-4ed8-8124-cb224449636d", "type": "index-pattern" }, - { - "id": "sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538", - "name": "f77c1173-e086-4886-820c-ecdabfba0a72:link_7c6029cf-8f42-4127-8a61-7ef0fc6aa58b_dashboard", - "type": "dashboard" - }, - { - "id": "sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538", - "name": "f77c1173-e086-4886-820c-ecdabfba0a72:link_8ce64390-457f-468d-b124-5680a5a21b26_dashboard", - "type": "dashboard" - }, - { - "id": "sentinel_one-bcf1f680-bba3-11ec-82b7-8fcb232e9538", - "name": "f77c1173-e086-4886-820c-ecdabfba0a72:link_d8da014b-1528-4750-b0ee-847e4da3ad0e_dashboard", - "type": "dashboard" - }, - { - "id": "sentinel_one-acd472d9-a6b7-4a53-a58d-06c315764c8d", - "name": "f77c1173-e086-4886-820c-ecdabfba0a72:link_b9ca2221-4f96-4709-9bd8-8697bca76c4e_dashboard", - "type": "dashboard" - }, - { - "id": "sentinel_one-9d3f16ad-d421-4475-b0e2-c9b3f795e0d5", - "name": "f77c1173-e086-4886-820c-ecdabfba0a72:link_ab017407-9d33-4877-9516-510ab696ea7b_dashboard", - "type": "dashboard" - }, - { - "id": "sentinel_one-5881f5f0-bb2c-11ec-82b7-8fcb232e9538", - "name": "f77c1173-e086-4886-820c-ecdabfba0a72:link_b619f0bd-8ea8-45a0-a3c4-a6b5efdb6224_dashboard", - "type": "dashboard" - }, - { - "id": "sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538", - "name": "f77c1173-e086-4886-820c-ecdabfba0a72:link_1e414e69-58cd-49ee-866a-fe7a134e8802_dashboard", - "type": "dashboard" - }, { "id": "logs-*", "name": "6b1d0060-0c72-441e-9901-855d5ee70a67:indexpattern-datasource-layer-3aa4f16e-85bd-466a-b665-445b6d5de2cd", 
@@ -1500,6 +1472,46 @@ "name": "6776b675-6e78-4293-9419-abb2052779a9:d1a621a7-c64f-469d-9e3e-42f36a5f5b9b", "type": "index-pattern" }, + { + "id": "sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538", + "name": "f77c1173-e086-4886-820c-ecdabfba0a72:link_7c6029cf-8f42-4127-8a61-7ef0fc6aa58b_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538", + "name": "f77c1173-e086-4886-820c-ecdabfba0a72:link_8ce64390-457f-468d-b124-5680a5a21b26_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-bcf1f680-bba3-11ec-82b7-8fcb232e9538", + "name": "f77c1173-e086-4886-820c-ecdabfba0a72:link_d8da014b-1528-4750-b0ee-847e4da3ad0e_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-acd472d9-a6b7-4a53-a58d-06c315764c8d", + "name": "f77c1173-e086-4886-820c-ecdabfba0a72:link_b9ca2221-4f96-4709-9bd8-8697bca76c4e_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-9d3f16ad-d421-4475-b0e2-c9b3f795e0d5", + "name": "f77c1173-e086-4886-820c-ecdabfba0a72:link_ab017407-9d33-4877-9516-510ab696ea7b_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-5881f5f0-bb2c-11ec-82b7-8fcb232e9538", + "name": "f77c1173-e086-4886-820c-ecdabfba0a72:link_b619f0bd-8ea8-45a0-a3c4-a6b5efdb6224_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538", + "name": "f77c1173-e086-4886-820c-ecdabfba0a72:link_1e414e69-58cd-49ee-866a-fe7a134e8802_dashboard", + "type": "dashboard" + }, + { + "id": "sentinel_one-413bf268-78f7-4bea-b668-55b5adacbf08", + "name": "f77c1173-e086-4886-820c-ecdabfba0a72:link_f066dfd9-2919-46a7-8e42-473b792c3f47_dashboard", + "type": "dashboard" + }, { "id": "logs-*", "name": "controlGroup_693cf6a7-fb3a-438d-b23c-58a15baf8392:optionsListDataView", 
diff --git a/packages/sentinel_one/kibana/dashboard/sentinel_one-9d3f16ad-d421-4475-b0e2-c9b3f795e0d5.json b/packages/sentinel_one/kibana/dashboard/sentinel_one-9d3f16ad-d421-4475-b0e2-c9b3f795e0d5.json index 576a2f6931b..c5942bcb078 100644 --- a/packages/sentinel_one/kibana/dashboard/sentinel_one-9d3f16ad-d421-4475-b0e2-c9b3f795e0d5.json +++ b/packages/sentinel_one/kibana/dashboard/sentinel_one-9d3f16ad-d421-4475-b0e2-c9b3f795e0d5.json 
@@ -609,151 +609,6 @@ "title": "Application Vulnerability by Severity", "type": "lens" }, - { - "embeddableConfig": { - "attributes": { - "layout": "vertical", - "links": [ - { - "destinationRefName": "link_efea38fe-a94d-46dc-b168-28394982113c_dashboard", - "id": "efea38fe-a94d-46dc-b168-28394982113c", - "label": "Activities", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 0, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_7cce4ee8-b858-43ad-bd67-f7b8c86a606e_dashboard", - "id": "7cce4ee8-b858-43ad-bd67-f7b8c86a606e", - "label": "Agents", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 1, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_5f8c6014-3ecd-41ae-aef1-e1abbef83140_dashboard", - "id": "5f8c6014-3ecd-41ae-aef1-e1abbef83140", - "label": "Alerts", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 2, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_fdab263c-7cde-4859-b9de-725d6e71eb0c_dashboard", - "id": "fdab263c-7cde-4859-b9de-725d6e71eb0c", - "label": "Application", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 3, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_3ec3f897-ecd7-41f3-9bbc-b154dc1bbb23_dashboard", - "id": "3ec3f897-ecd7-41f3-9bbc-b154dc1bbb23", - "label": "Application Risk", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 4, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_7d0782b6-e727-4606-9e1c-a74efecf4c65_dashboard", - "id": "7d0782b6-e727-4606-9e1c-a74efecf4c65", - "label": "Groups", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 5, - "type": "dashboardLink" - }, - 
{ - "destinationRefName": "link_867d4423-712f-43dc-9ff0-e9180b57c533_dashboard", - "id": "867d4423-712f-43dc-9ff0-e9180b57c533", - "label": "Threats", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 6, - "type": "dashboardLink" - } - ] - }, - "enhancements": {} - }, - "gridData": { - "h": 11, - "i": "0406f25f-089d-4874-9c95-b9bb8206f23a", - "w": 10, - "x": 0, - "y": 0 - }, - "panelIndex": "0406f25f-089d-4874-9c95-b9bb8206f23a", - "title": "Navigation", - "type": "links" - }, - { - "embeddableConfig": { - "enhancements": { - "dynamicActions": { - "events": [] - } - }, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "id": "", - "params": { - "fontSize": 12, - "markdown": "**Overview**\n\nThis dashboard provides a clear overview of application risk data from the SentinelOne integration. It includes total vulnerability metrics, highlights the number of high and critical vulnerabilities, and visualizes application vulnerabilities by severity through a pie chart. A bar chart shows the distribution of applications based on their vulnerability count, while a table lists the top vulnerabilities for deeper insight.\n\n[**Integrations Page**](/app/integrations/detail/sentinel_one/overview)", - "openLinksInNewTab": false - }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 33, - "i": "1bc96a69-6907-4a25-9000-f1d476808080", - "w": 10, - "x": 0, - "y": 11 - }, - "panelIndex": "1bc96a69-6907-4a25-9000-f1d476808080", - "title": "Table of Content", - "type": "visualization" - }, { "embeddableConfig": { "attributes": { 
@@ -1134,6 +989,158 @@ "panelIndex": "a317ce8c-e92a-4b6e-9887-0bb678a25cf8", "title": "Top Vulnerability", "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "layout": "vertical", + "links": [ + { + "destinationRefName": "link_efea38fe-a94d-46dc-b168-28394982113c_dashboard", + "id": "efea38fe-a94d-46dc-b168-28394982113c", + "label": "Activities", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 0, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_7cce4ee8-b858-43ad-bd67-f7b8c86a606e_dashboard", + "id": "7cce4ee8-b858-43ad-bd67-f7b8c86a606e", + "label": "Agents", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 1, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_5f8c6014-3ecd-41ae-aef1-e1abbef83140_dashboard", + "id": "5f8c6014-3ecd-41ae-aef1-e1abbef83140", + "label": "Alerts", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 2, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_fdab263c-7cde-4859-b9de-725d6e71eb0c_dashboard", + "id": "fdab263c-7cde-4859-b9de-725d6e71eb0c", + "label": "Application", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 3, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_3ec3f897-ecd7-41f3-9bbc-b154dc1bbb23_dashboard", + "id": "3ec3f897-ecd7-41f3-9bbc-b154dc1bbb23", + "label": "Application Risk", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 4, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_7d0782b6-e727-4606-9e1c-a74efecf4c65_dashboard", + "id": "7d0782b6-e727-4606-9e1c-a74efecf4c65", + "label": "Groups", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + 
"order": 5, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_867d4423-712f-43dc-9ff0-e9180b57c533_dashboard", + "id": "867d4423-712f-43dc-9ff0-e9180b57c533", + "label": "Threats", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 6, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_b02f8849-3fc2-4530-9ee3-d47c16963f63_dashboard", + "id": "b02f8849-3fc2-4530-9ee3-d47c16963f63", + "label": "Threat Events", + "order": 7, + "type": "dashboardLink" + } + ] + }, + "enhancements": {} + }, + "gridData": { + "h": 13, + "i": "0406f25f-089d-4874-9c95-b9bb8206f23a", + "w": 10, + "x": 0, + "y": 0 + }, + "panelIndex": "0406f25f-089d-4874-9c95-b9bb8206f23a", + "title": "Navigation", + "type": "links" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Overview**\n\nThis dashboard provides a clear overview of application risk data from the SentinelOne integration. It includes total vulnerability metrics, highlights the number of high and critical vulnerabilities, and visualizes application vulnerabilities by severity through a pie chart. A bar chart shows the distribution of applications based on their vulnerability count, while a table lists the top vulnerabilities for deeper insight.\n\n[**Integrations Page**](/app/integrations/detail/sentinel_one/overview)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 31, + "i": "1bc96a69-6907-4a25-9000-f1d476808080", + "w": 10, + "x": 0, + "y": 13 + }, + "panelIndex": "1bc96a69-6907-4a25-9000-f1d476808080", + "title": "Table of Content", + "type": "visualization" } ], "timeRestore": false, 
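Review bot: The re-added markdown panel in this hunk keeps the title `"Table of Content"`, whereas the corresponding panels in the other dashboards touched by this commit are titled `"Table of Contents"`. Since the panel is being rewritten here anyway, this is the natural place to align it: `"title": "Table of Contents",`. The pre-existing inconsistency is carried over from the removed lines rather than introduced by the commit, so treat this as a style nit.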
@@ -1141,7 +1148,7 @@ "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-10-06T10:09:50.025Z", + "created_at": "2025-10-27T19:44:45.662Z", "id": "sentinel_one-9d3f16ad-d421-4475-b0e2-c9b3f795e0d5", "references": [ { @@ -1189,6 +1196,26 @@ "name": "b301c7d1-65fb-4e9c-bd88-149976cbfaa6:616b71d6-348f-4e22-969f-04b8d2a29c90", "type": "index-pattern" }, + { + "id": "logs-*", + "name": "a02957bb-1603-4f3e-8bb9-35244d6690a7:indexpattern-datasource-layer-d6a2a1d4-7970-4e71-87ff-b30c10342bad", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a02957bb-1603-4f3e-8bb9-35244d6690a7:8787a6ed-278b-4eea-9967-e12a3dbeb417", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a317ce8c-e92a-4b6e-9887-0bb678a25cf8:indexpattern-datasource-layer-e18d30d0-f39a-4d0f-8044-0fcbd1862198", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a317ce8c-e92a-4b6e-9887-0bb678a25cf8:ae1f4334-1303-4cbc-9644-28c064db2a6a", + "type": "index-pattern" + }, { "id": "sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538", "name": "0406f25f-089d-4874-9c95-b9bb8206f23a:link_efea38fe-a94d-46dc-b168-28394982113c_dashboard", 
@@ -1225,24 +1252,9 @@ "type": "dashboard" }, { - "id": "logs-*", - "name": "a02957bb-1603-4f3e-8bb9-35244d6690a7:indexpattern-datasource-layer-d6a2a1d4-7970-4e71-87ff-b30c10342bad", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a02957bb-1603-4f3e-8bb9-35244d6690a7:8787a6ed-278b-4eea-9967-e12a3dbeb417", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a317ce8c-e92a-4b6e-9887-0bb678a25cf8:indexpattern-datasource-layer-e18d30d0-f39a-4d0f-8044-0fcbd1862198", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a317ce8c-e92a-4b6e-9887-0bb678a25cf8:ae1f4334-1303-4cbc-9644-28c064db2a6a", - "type": "index-pattern" + "id": "sentinel_one-413bf268-78f7-4bea-b668-55b5adacbf08", + "name": "0406f25f-089d-4874-9c95-b9bb8206f23a:link_b02f8849-3fc2-4530-9ee3-d47c16963f63_dashboard", + "type": "dashboard" }, { "id": "logs-*", diff --git a/packages/sentinel_one/kibana/dashboard/sentinel_one-acd472d9-a6b7-4a53-a58d-06c315764c8d.json b/packages/sentinel_one/kibana/dashboard/sentinel_one-acd472d9-a6b7-4a53-a58d-06c315764c8d.json index db6e827fbbe..3f64aa05504 100644 --- a/packages/sentinel_one/kibana/dashboard/sentinel_one-acd472d9-a6b7-4a53-a58d-06c315764c8d.json +++ b/packages/sentinel_one/kibana/dashboard/sentinel_one-acd472d9-a6b7-4a53-a58d-06c315764c8d.json @@ -306,7 +306,7 @@ "i": "11ffffb5-230c-4b9a-b2f5-ab8919b22822", "w": 24, "x": 0, - "y": 34 + "y": 35 }, "panelIndex": "11ffffb5-230c-4b9a-b2f5-ab8919b22822", "title": "Applications by Host OS", 
@@ -557,116 +557,12 @@ "i": "6485ee8c-c0a6-4046-8510-5b308823b33b", "w": 24, "x": 24, - "y": 34 + "y": 35 }, "panelIndex": "6485ee8c-c0a6-4046-8510-5b308823b33b", "title": "Applications by Host Name", "type": "lens" }, - { - "embeddableConfig": { - "attributes": { - "layout": "vertical", - "links": [ - { - "destinationRefName": "link_81cc8355-af43-42be-a636-6650086f4e79_dashboard", - "id": "81cc8355-af43-42be-a636-6650086f4e79", - "label": "Activities", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 0, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_53c86433-0b66-4b46-88a3-a336138209de_dashboard", - "id": "53c86433-0b66-4b46-88a3-a336138209de", - "label": "Agents", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 1, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_b0539fc7-e321-4ace-b24e-9750a2644290_dashboard", - "id": "b0539fc7-e321-4ace-b24e-9750a2644290", - "label": "Alerts", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 2, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_e7d6602e-2e3f-40a1-b0ca-605d0183e3bc_dashboard", - "id": "e7d6602e-2e3f-40a1-b0ca-605d0183e3bc", - "label": "Application", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 3, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_7929e211-dc8d-4d6e-9cf2-69abc0906a72_dashboard", - "id": "7929e211-dc8d-4d6e-9cf2-69abc0906a72", - "label": "Application Risk", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 4, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_a7fe8f54-ed51-49bb-a051-ba9f2ec5b51b_dashboard", - "id": "a7fe8f54-ed51-49bb-a051-ba9f2ec5b51b", - "label": "Groups", - "options": { - 
"openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 5, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_3d77f510-2b08-4ec5-8ed1-121b05e9f580_dashboard", - "id": "3d77f510-2b08-4ec5-8ed1-121b05e9f580", - "label": "Threats", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 6, - "type": "dashboardLink" - } - ] - }, - "enhancements": {} - }, - "gridData": { - "h": 12, - "i": "20dce263-4407-4352-a6da-13f0145dfeac", - "w": 10, - "x": 0, - "y": 0 - }, - "panelIndex": "20dce263-4407-4352-a6da-13f0145dfeac", - "title": "Navigation", - "type": "links" - }, { "embeddableConfig": { "enhancements": { @@ -702,7 +598,7 @@ "i": "85d82c57-dd36-4041-a223-73c2f4442539", "w": 10, "x": 0, - "y": 12 + "y": 13 }, "panelIndex": "85d82c57-dd36-4041-a223-73c2f4442539", "title": "Table of Contents", 
@@ -948,6 +844,117 @@ "title": "Applications by Installation Time", "type": "lens" }, + { + "embeddableConfig": { + "attributes": { + "layout": "vertical", + "links": [ + { + "destinationRefName": "link_81cc8355-af43-42be-a636-6650086f4e79_dashboard", + "id": "81cc8355-af43-42be-a636-6650086f4e79", + "label": "Activities", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 0, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_53c86433-0b66-4b46-88a3-a336138209de_dashboard", + "id": "53c86433-0b66-4b46-88a3-a336138209de", + "label": "Agents", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 1, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_b0539fc7-e321-4ace-b24e-9750a2644290_dashboard", + "id": "b0539fc7-e321-4ace-b24e-9750a2644290", + "label": "Alerts", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 2, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_e7d6602e-2e3f-40a1-b0ca-605d0183e3bc_dashboard", + "id": "e7d6602e-2e3f-40a1-b0ca-605d0183e3bc", + "label": "Application", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 3, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_7929e211-dc8d-4d6e-9cf2-69abc0906a72_dashboard", + "id": "7929e211-dc8d-4d6e-9cf2-69abc0906a72", + "label": "Application Risk", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 4, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_a7fe8f54-ed51-49bb-a051-ba9f2ec5b51b_dashboard", + "id": "a7fe8f54-ed51-49bb-a051-ba9f2ec5b51b", + "label": "Groups", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 5, + "type": "dashboardLink" + }, + { + 
"destinationRefName": "link_3d77f510-2b08-4ec5-8ed1-121b05e9f580_dashboard", + "id": "3d77f510-2b08-4ec5-8ed1-121b05e9f580", + "label": "Threats", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 6, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_7d5c2542-6482-467c-a9f1-cbe134232164_dashboard", + "id": "7d5c2542-6482-467c-a9f1-cbe134232164", + "label": "Threat Events", + "order": 7, + "type": "dashboardLink" + } + ] + }, + "enhancements": {} + }, + "gridData": { + "h": 13, + "i": "20dce263-4407-4352-a6da-13f0145dfeac", + "w": 10, + "x": 0, + "y": 0 + }, + "panelIndex": "20dce263-4407-4352-a6da-13f0145dfeac", + "title": "Navigation", + "type": "links" + }, { "embeddableConfig": { "attributes": { @@ -1176,7 +1183,7 @@ "syncTooltips": false }, "gridData": { - "h": 18, + "h": 19, "i": "7fd6d3f8-56ee-4f98-a5ed-93f0d9af50a7", "w": 38, "x": 10, @@ -1192,7 +1199,7 @@ "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-10-06T10:09:49.017Z", + "created_at": "2025-10-27T19:44:44.653Z", "id": "sentinel_one-acd472d9-a6b7-4a53-a58d-06c315764c8d", "references": [ { @@ -1235,6 +1242,21 @@ "name": "6485ee8c-c0a6-4046-8510-5b308823b33b:a13846a5-ee17-4ade-969d-b887080d8326", "type": "index-pattern" }, + { + "id": "logs-*", + "name": "5dd87d43-fe2a-4e27-8f82-ce29182aca99:indexpattern-datasource-layer-80e9df50-99dc-4baa-9748-cd6f34848b25", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5dd87d43-fe2a-4e27-8f82-ce29182aca99:a5fdd8ff-efa9-48f7-8eb4-d8d43a9581f3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5dd87d43-fe2a-4e27-8f82-ce29182aca99:fa090d58-647b-4b2c-afaf-19828e8d8b2b", + "type": "index-pattern" + }, { "id": "sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538", "name": "20dce263-4407-4352-a6da-13f0145dfeac:link_81cc8355-af43-42be-a636-6650086f4e79_dashboard", 
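Review bot: The new `Threat Events` link (`"order": 7`) is the only entry in the re-added Navigation panel without an `options` object; the other seven links all carry `"options": { "openInNewTab": false, "useCurrentDateRange": true, "useCurrentFilters": true }`. If Kibana's defaults for a `dashboardLink` happen to equal those values this is cosmetic today, but the panel is now internally inconsistent, and the pivot into the Threat Events dashboard would silently change behaviour if a later Kibana release changed the defaults — an analyst following the link expects the current time range and any host/agent filter to carry over into the threat-event view. Add the same three-key `options` block to the new link so every entry is explicit. The `panelsJSON` array this hunk edits begins and ends outside the hunk.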
@@ -1271,19 +1293,9 @@ "type": "dashboard" }, { - "id": "logs-*", - "name": "5dd87d43-fe2a-4e27-8f82-ce29182aca99:indexpattern-datasource-layer-80e9df50-99dc-4baa-9748-cd6f34848b25", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5dd87d43-fe2a-4e27-8f82-ce29182aca99:a5fdd8ff-efa9-48f7-8eb4-d8d43a9581f3", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5dd87d43-fe2a-4e27-8f82-ce29182aca99:fa090d58-647b-4b2c-afaf-19828e8d8b2b", - "type": "index-pattern" + "id": "sentinel_one-413bf268-78f7-4bea-b668-55b5adacbf08", + "name": "20dce263-4407-4352-a6da-13f0145dfeac:link_7d5c2542-6482-467c-a9f1-cbe134232164_dashboard", + "type": "dashboard" }, { "id": "logs-*", diff --git a/packages/sentinel_one/kibana/dashboard/sentinel_one-bcf1f680-bba3-11ec-82b7-8fcb232e9538.json b/packages/sentinel_one/kibana/dashboard/sentinel_one-bcf1f680-bba3-11ec-82b7-8fcb232e9538.json index edae1b6b992..9a15082b0ec 100644 --- a/packages/sentinel_one/kibana/dashboard/sentinel_one-bcf1f680-bba3-11ec-82b7-8fcb232e9538.json +++ b/packages/sentinel_one/kibana/dashboard/sentinel_one-bcf1f680-bba3-11ec-82b7-8fcb232e9538.json 
@@ -1070,151 +1070,6 @@ "title": "Alert Essential Details", "type": "search" }, - { - "embeddableConfig": { - "attributes": { - "layout": "vertical", - "links": [ - { - "destinationRefName": "link_54792b04-4904-4ce8-a469-58881d4b6b32_dashboard", - "id": "54792b04-4904-4ce8-a469-58881d4b6b32", - "label": "Activities", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 0, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_c21b4ea4-4679-49c9-ab3d-593cbe9372c9_dashboard", - "id": "c21b4ea4-4679-49c9-ab3d-593cbe9372c9", - "label": "Agents", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 1, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_aecf833a-b0ec-4363-87c8-7e95adc973a7_dashboard", - "id": "aecf833a-b0ec-4363-87c8-7e95adc973a7", - "label": "Alerts", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 2, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_44d2eef5-09db-4163-b9f1-810d1039996f_dashboard", - "id": "44d2eef5-09db-4163-b9f1-810d1039996f", - "label": "Application", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 3, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_af8841b0-1f67-47e8-8a2a-f842b82e386f_dashboard", - "id": "af8841b0-1f67-47e8-8a2a-f842b82e386f", - "label": "Application Risk", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 4, - "type": "dashboardLink" - }, - { - "destinationRefName": "link_5138d751-e31f-44ae-ad0d-fe7b46f339ad_dashboard", - "id": "5138d751-e31f-44ae-ad0d-fe7b46f339ad", - "label": "Groups", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 5, - "type": "dashboardLink" - }, - { - 
"destinationRefName": "link_25247eb9-2bca-4653-8bfb-ca9cb5853024_dashboard", - "id": "25247eb9-2bca-4653-8bfb-ca9cb5853024", - "label": "Threats", - "options": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": true - }, - "order": 6, - "type": "dashboardLink" - } - ] - }, - "enhancements": {} - }, - "gridData": { - "h": 12, - "i": "256b1f19-8d6b-4ec3-bd59-f258e29e2d06", - "w": 10, - "x": 0, - "y": 0 - }, - "panelIndex": "256b1f19-8d6b-4ec3-bd59-f258e29e2d06", - "title": "Navigation", - "type": "links" - }, - { - "embeddableConfig": { - "enhancements": { - "dynamicActions": { - "events": [] - } - }, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "id": "", - "params": { - "fontSize": 12, - "markdown": "**Overview**\n\nThe Alert Dashboard provides a comprehensive view of all security alerts in the environment. At the top, a key metric displays the total number of alerts for quick monitoring. A bar chart highlights alerts by rule severity, making it easy to prioritize critical issues. Pie charts break down alerts by OS family, agent version, scope level, incident status, treated-as-threat status, and event type, giving clear visibility into alert distribution and trends. A table lists the top 10 rule names, helping to identify the most frequently triggered rules. 
Additionally, a saved search of recent alerts provides real-time visibility into the latest events, enabling quick investigation and response.\n\n[**Integrations Page**](/app/integrations/detail/sentinel_one/overview)", - "openLinksInNewTab": false - }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 32, - "i": "7303139b-f06e-4df1-afef-23d898076297", - "w": 10, - "x": 0, - "y": 12 - }, - "panelIndex": "7303139b-f06e-4df1-afef-23d898076297", - "title": "Table of Contents", - "type": "visualization" - }, { "embeddableConfig": { "attributes": { 
@@ -1670,6 +1525,158 @@ }, "panelIndex": "c328a3b4-108a-4a1f-a545-5e6a3acc40b0", "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "layout": "vertical", + "links": [ + { + "destinationRefName": "link_54792b04-4904-4ce8-a469-58881d4b6b32_dashboard", + "id": "54792b04-4904-4ce8-a469-58881d4b6b32", + "label": "Activities", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 0, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_c21b4ea4-4679-49c9-ab3d-593cbe9372c9_dashboard", + "id": "c21b4ea4-4679-49c9-ab3d-593cbe9372c9", + "label": "Agents", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 1, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_aecf833a-b0ec-4363-87c8-7e95adc973a7_dashboard", + "id": "aecf833a-b0ec-4363-87c8-7e95adc973a7", + "label": "Alerts", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 2, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_44d2eef5-09db-4163-b9f1-810d1039996f_dashboard", + "id": "44d2eef5-09db-4163-b9f1-810d1039996f", + "label": "Application", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 3, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_af8841b0-1f67-47e8-8a2a-f842b82e386f_dashboard", + "id": "af8841b0-1f67-47e8-8a2a-f842b82e386f", + "label": "Application Risk", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 4, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_5138d751-e31f-44ae-ad0d-fe7b46f339ad_dashboard", + "id": "5138d751-e31f-44ae-ad0d-fe7b46f339ad", + "label": "Groups", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 5, + "type": 
"dashboardLink" + }, + { + "destinationRefName": "link_25247eb9-2bca-4653-8bfb-ca9cb5853024_dashboard", + "id": "25247eb9-2bca-4653-8bfb-ca9cb5853024", + "label": "Threats", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "order": 6, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_802e09a2-2670-4bd9-ac16-86555d934eca_dashboard", + "id": "802e09a2-2670-4bd9-ac16-86555d934eca", + "label": "Threat Events", + "order": 7, + "type": "dashboardLink" + } + ] + }, + "enhancements": {} + }, + "gridData": { + "h": 13, + "i": "256b1f19-8d6b-4ec3-bd59-f258e29e2d06", + "w": 10, + "x": 0, + "y": 0 + }, + "panelIndex": "256b1f19-8d6b-4ec3-bd59-f258e29e2d06", + "title": "Navigation", + "type": "links" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Overview**\n\nThe Alert Dashboard provides a comprehensive view of all security alerts in the environment. At the top, a key metric displays the total number of alerts for quick monitoring. A bar chart highlights alerts by rule severity, making it easy to prioritize critical issues. Pie charts break down alerts by OS family, agent version, scope level, incident status, treated-as-threat status, and event type, giving clear visibility into alert distribution and trends. A table lists the top 10 rule names, helping to identify the most frequently triggered rules. 
Additionally, a saved search of recent alerts provides real-time visibility into the latest events, enabling quick investigation and response.\n\n[**Integrations Page**](/app/integrations/detail/sentinel_one/overview)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 31, + "i": "7303139b-f06e-4df1-afef-23d898076297", + "w": 10, + "x": 0, + "y": 13 + }, + "panelIndex": "7303139b-f06e-4df1-afef-23d898076297", + "title": "Table of Contents", + "type": "visualization" } ], "timeRestore": false, @@ -1677,7 +1684,7 @@ "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-10-06T10:09:48.009Z", + "created_at": "2025-10-27T19:44:43.645Z", "id": "sentinel_one-bcf1f680-bba3-11ec-82b7-8fcb232e9538", "references": [ { 
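Review bot: In the rebuilt Navigation panel the added `Threat Events` entry (`"id": "802e09a2-…"`, `"order": 7`) omits the `options` object that every other link in this panel spells out, so it does not state `"useCurrentFilters": true` or `"useCurrentDateRange": true`. Whether the link behaves like its siblings therefore depends on Kibana's built-in defaults rather than on the exported saved object, which is the opposite of what an investigation pivot from the Alerts dashboard should rely on. Give it the same block as the others, `"options": { "openInNewTab": false, "useCurrentDateRange": true, "useCurrentFilters": true }`, so the exported dashboard is self-describing. The panel array continues outside this hunk.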
@@ -1755,6 +1762,36 @@ "name": "24c1e7fd-242a-49b1-bff0-521218255ed7:61bd6662-6ca8-409f-a745-75215e509c47", "type": "index-pattern" }, + { + "id": "logs-*", + "name": "b1454cbc-86ff-4612-9129-bc0b2b710079:indexpattern-datasource-layer-a70c9f24-f23c-453b-8c96-f1e710d919fc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b1454cbc-86ff-4612-9129-bc0b2b710079:26650be8-4563-4450-bfd9-ce143b5fce37", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "02d8b05a-a909-43e8-bab4-41c424e0e889:indexpattern-datasource-layer-b50e4935-fe9a-460a-ab6d-43dcb1da50cb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "02d8b05a-a909-43e8-bab4-41c424e0e889:2c0fdd0a-74c4-491e-ac42-51fbcd8f7cf9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c328a3b4-108a-4a1f-a545-5e6a3acc40b0:indexpattern-datasource-layer-12bb8402-74e9-4f83-96db-18e874c28661", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c328a3b4-108a-4a1f-a545-5e6a3acc40b0:ed64974b-8c3c-416c-96b6-38637655081d", + "type": "index-pattern" + }, { "id": "sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538", "name": "256b1f19-8d6b-4ec3-bd59-f258e29e2d06:link_54792b04-4904-4ce8-a469-58881d4b6b32_dashboard", 
@@ -1791,34 +1828,9 @@ "type": "dashboard" }, { - "id": "logs-*", - "name": "b1454cbc-86ff-4612-9129-bc0b2b710079:indexpattern-datasource-layer-a70c9f24-f23c-453b-8c96-f1e710d919fc", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b1454cbc-86ff-4612-9129-bc0b2b710079:26650be8-4563-4450-bfd9-ce143b5fce37", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02d8b05a-a909-43e8-bab4-41c424e0e889:indexpattern-datasource-layer-b50e4935-fe9a-460a-ab6d-43dcb1da50cb", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02d8b05a-a909-43e8-bab4-41c424e0e889:2c0fdd0a-74c4-491e-ac42-51fbcd8f7cf9", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c328a3b4-108a-4a1f-a545-5e6a3acc40b0:indexpattern-datasource-layer-12bb8402-74e9-4f83-96db-18e874c28661", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c328a3b4-108a-4a1f-a545-5e6a3acc40b0:ed64974b-8c3c-416c-96b6-38637655081d", - "type": "index-pattern" + "id": "sentinel_one-413bf268-78f7-4bea-b668-55b5adacbf08", + "name": "256b1f19-8d6b-4ec3-bd59-f258e29e2d06:link_802e09a2-2670-4bd9-ac16-86555d934eca_dashboard", + "type": "dashboard" }, { "id": "logs-*", diff --git a/packages/sentinel_one/kibana/search/sentinel_one-35fe472a-8994-4b8d-a6bc-df41aa12ca46.json b/packages/sentinel_one/kibana/search/sentinel_one-35fe472a-8994-4b8d-a6bc-df41aa12ca46.json index 2f796712600..5de5f1967e4 100644 --- a/packages/sentinel_one/kibana/search/sentinel_one-35fe472a-8994-4b8d-a6bc-df41aa12ca46.json +++ b/packages/sentinel_one/kibana/search/sentinel_one-35fe472a-8994-4b8d-a6bc-df41aa12ca46.json @@ -57,7 +57,7 @@ "title": "Alert Essential Details" }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-10-06T10:08:10.039Z", + "created_at": "2025-10-27T18:18:53.615Z", "id": "sentinel_one-35fe472a-8994-4b8d-a6bc-df41aa12ca46", "references": [ { 
diff --git a/packages/sentinel_one/kibana/tag/sentinel_one-security-solution-default.json b/packages/sentinel_one/kibana/tag/sentinel_one-security-solution-default.json index 366b86f5b85..9a5192fd87a 100644 --- a/packages/sentinel_one/kibana/tag/sentinel_one-security-solution-default.json +++ b/packages/sentinel_one/kibana/tag/sentinel_one-security-solution-default.json @@ -1,11 +1,11 @@ { "attributes": { - "color": "#54B399", + "color": "#F04E98", "description": "Tag defined in package-spec", "name": "Security Solution" }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-09-22T10:56:25.007Z", + "created_at": "2025-10-22T19:09:12.504Z", "id": "sentinel_one-security-solution-default", "references": [], "type": "tag", diff --git a/packages/sentinel_one/manifest.yml b/packages/sentinel_one/manifest.yml index 73625f61906..09cd5df731a 100644 --- a/packages/sentinel_one/manifest.yml +++ b/packages/sentinel_one/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.4.0" name: sentinel_one title: SentinelOne -version: "1.42.0" +version: "1.43.0" description: Collect logs from SentinelOne with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - edr_xdr conditions: kibana: - version: ^8.18.7 || ^8.19.4 || ^9.0.7 || ^9.1.4 + version: ^8.19.7 || ^9.1.7 || ^9.2.1 || ^9.3.0 screenshots: - src: /img/sentinel-one-activities-dashboard.png title: SentinelOne Activity Dashboard @@ -39,6 +39,10 @@ screenshots: title: SentinelOne Threat Dashboard size: 600x600 type: image/png + - src: /img/sentinel-one-threat-event-dashboard.png + title: SentinelOne Threat Event Dashboard + size: 600x600 + type: image/png icons: - src: /img/sentinel-one-logo.svg title: SentinelOne Logo 
@@ -58,8 +62,8 @@ policy_templates: team: security-service-integrations inputs: - type: cel - title: Collect SentinelOne application and application risk events via API - description: Collecting SentinelOne application and application risk events via API. + title: Collect SentinelOne application, application risk, and threat_event events via API + description: Collecting SentinelOne application, application risk, and threat_event events via API. vars: - name: url type: url diff --git a/packages/sentinel_one/validation.yml b/packages/sentinel_one/validation.yml index 0d5da503363..9dcaa3b03ff 100644 --- a/packages/sentinel_one/validation.yml +++ b/packages/sentinel_one/validation.yml @@ -1,4 +1,5 @@ errors: exclude_checks: + - SVR00002 # Mandatory filters in dashboards. - SVR00004 # References in dashboards. - SVR00005 # Kibana version for saved tags.
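Review bot: The input `title` and `description` now contain the raw dataset identifier `threat_event` inside otherwise human-readable text, whereas the sibling terms are written as prose (`application risk`) and the dashboards added in this same change label the view `Threat Events`. These two strings are what an operator sees in Fleet when enabling the input, so match the dashboard wording: `title: Collect SentinelOne application, application risk, and threat events via API` and `description: Collecting SentinelOne application, application risk, and threat events via API.`. The `inputs` list this hunk edits continues outside the hunk.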
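Review bot: Adding `SVR00002` to `exclude_checks` turns off the mandatory-dashboard-filter check for every dashboard in the package, not only for whichever one triggered it (presumably the new Threat Event dashboard, which is not visible in this diff). That check exists because panels bound to a broad pattern such as `logs-*` — the index pattern the dashboard references in this diff use — otherwise aggregate every data stream in the cluster, so counts and "top N" tables can include unrelated sources and the dashboard stops being a trustworthy per-integration view. Prefer fixing the offending dashboard (pin a filter such as `data_stream.dataset : "sentinel_one.threat_event"` in its saved query/filter bar) and leaving the check enabled; if the exclusion must stay, make the comment say which dashboard needs it and why, e.g. `- SVR00002 # Mandatory filters in dashboards. Needed by <dashboard>; re-enable once it carries a dataset filter.`, so it is not silently inherited by future dashboards.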