sentinel_one: fix sample event

elastic · Jun 12, 2024 · e6a37ce · e6a37ce
1 parent f79920f
commit e6a37ce
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 26 deletions.
diff --git a/packages/sentinel_one/_dev/deploy/docker/files/config.yml b/packages/sentinel_one/_dev/deploy/docker/files/config.yml
@@ -28,4 +28,4 @@ rules:
     responses:
       - status_code: 200
         body: |
-          {"data":[{"agentDetectionInfo":{"accountId":"1234567890123456789","accountName":"Default","agentDetectionState":null,"agentDomain":"WORKGROUP","agentIpV4":"10.0.0.1","agentIpV6":"2a02:cf40::","agentLastLoggedInUpn":null,"agentLastLoggedInUserMail":null,"agentLastLoggedInUserName":"","agentMitigationMode":"protect","agentOsName":"linux","agentOsRevision":"1234","agentRegisteredAt":"2022-04-06T08:26:45.515278Z","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x","cloudProviders":{},"externalIp":"81.2.69.143","groupId":"1234567890123456789","groupName":"Default Group","siteId":"1234567890123456789","siteName":"Default site"},"agentRealtimeInfo":{"accountId":"1234567890123456789","accountName":"Default","activeThreats":7,"agentComputerName":"test-LINUX","agentDecommissionedAt":null,"agentDomain":"WORKGROUP","agentId":"1234567890123456789","agentInfected":true,"agentIsActive":true,"agentIsDecommissioned":false,"agentMachineType":"server","agentMitigationMode":"detect","agentNetworkStatus":"connected","agentOsName":"linux","agentOsRevision":"1234","agentOsType":"linux","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x.1234","groupId":"1234567890123456789","groupName":"Default Group","networkInterfaces":[{"id":"1234567890123456789","inet":["10.0.0.1"],"inet6":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"],"name":"Ethernet","physical":"X2:0X:0X:X6:00:XX"}],"operationalState":"na","rebootRequired":false,"scanAbortedAt":null,"scanFinishedAt":"2022-04-06T09:18:21.090855Z","scanStartedAt":"2022-04-06T08:26:52.838047Z","scanStatus":"finished","siteId":"1234567890123456789","siteName":"Default site","storageName":null,"storageType":null,"userActionsNeeded":[]},"containerInfo":{"id":null,"image":null,"labels":null,"name":null},"id":"1234567890123456789","indicators":[],"kubernetesInfo":{"cluster":null,"controllerKind":null,"controllerLabels":null,"controllerName":null,"namespace":null,"namespaceLabels":null,"node":null,"pod":null,"podLabels":null},"mitigationStatus":[{"action":"unquarantine","actionsCounters":{"failed":0,"notFound":0,"pendingReboot":0,"success":1,"total":1},"agentSupportsReport":true,"groupNotFound":false,"lastUpdate":"2022-04-06T08:54:17.198002Z","latestReport":"/threats/mitigation-report","mitigationEndedAt":"2022-04-06T08:54:17.101000Z","mitigationStartedAt":"2022-04-06T08:54:17.101000Z","status":"success"},{"action":"kill","actionsCounters":null,"agentSupportsReport":true,"groupNotFound":false,"lastUpdate":"2022-04-06T08:45:55.303355Z","latestReport":null,"mitigationEndedAt":"2022-04-06T08:45:55.297364Z","mitigationStartedAt":"2022-04-06T08:45:55.297363Z","status":"success"}],"threatInfo":{"analystVerdict":"undefined","analystVerdictDescription":"Undefined","automaticallyResolved":false,"browserType":null,"certificateId":"","classification":"Trojan","classificationSource":"Cloud","cloudFilesHashVerdict":"black","collectionId":"1234567890123456789","confidenceLevel":"malicious","createdAt":"2022-04-06T08:45:54.519988Z","detectionEngines":[{"key":"sentinelone_cloud","title":"SentinelOne Cloud"}],"detectionType":"static","engines":["SentinelOne Cloud"],"externalTicketExists":false,"externalTicketId":null,"failedActions":false,"fileExtension":"EXE","fileExtensionType":"Executable","filePath":"default.exe","fileSize":1234,"fileVerificationType":"NotSigned","identifiedAt":"2022-04-06T08:45:53.968000Z","incidentStatus":"unresolved","incidentStatusDescription":"Unresolved","initiatedBy":"agent_policy","initiatedByDescription":"Agent Policy","initiatingUserId":null,"initiatingUsername":null,"isFileless":false,"isValidCertificate":false,"maliciousProcessArguments":null,"md5":null,"mitigatedPreemptively":false,"mitigationStatus":"not_mitigated","mitigationStatusDescription":"Not mitigated","originatorProcess":"default.exe","pendingActions":false,"processUser":"test user","publisherName":"","reachedEventsLimit":false,"rebootRequired":false,"sha1":"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d","sha256":null,"storyline":"D0XXXXXXXXXXAF4D","threatId":"1234567890123456789","threatName":"default.exe","updatedAt":"2022-04-06T08:54:17.194122Z"},"whiteningOptions":["hash"]},{"agentDetectionInfo":{"accountId":"1234567890123456789","accountName":"Default","agentDetectionState":null,"agentDomain":"WORKGROUP","agentIpV4":"10.0.0.1","agentIpV6":"2a02:cf40::","agentLastLoggedInUpn":null,"agentLastLoggedInUserMail":null,"agentLastLoggedInUserName":"","agentMitigationMode":"detect","agentOsName":"linux","agentOsRevision":"1234","agentRegisteredAt":"2022-04-06T08:26:45.515278Z","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x","cloudProviders":{},"externalIp":"81.2.69.143","groupId":"1234567890123456789","groupName":"Default Group","siteId":"1234567890123456789","siteName":"Default site"},"agentRealtimeInfo":{"accountId":"1234567890123456789","accountName":"Default","activeThreats":7,"agentComputerName":"test-LINUX","agentDecommissionedAt":null,"agentDomain":"WORKGROUP","agentId":"1234567890123456789","agentInfected":true,"agentIsActive":true,"agentIsDecommissioned":false,"agentMachineType":"server","agentMitigationMode":"detect","agentNetworkStatus":"connected","agentOsName":"linux","agentOsRevision":"1234","agentOsType":"linux","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x.1234","groupId":"1234567890123456789","groupName":"Default Group","networkInterfaces":[{"id":"1234567890123456789","inet":["10.0.0.1"],"inet6":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"],"name":"Ethernet","physical":"X2:0X:0X:X6:00:XX"}],"operationalState":"na","rebootRequired":false,"scanAbortedAt":null,"scanFinishedAt":"2022-04-06T09:18:21.090855Z","scanStartedAt":"2022-04-06T08:26:52.838047Z","scanStatus":"finished","siteId":"1234567890123456789","siteName":"Default site","storageName":null,"storageType":null,"userActionsNeeded":[]},"containerInfo":{"id":null,"image":null,"labels":null,"name":null},"id":"1234567890123456789","indicators":[{"category":"General","description":"Detected by the Static Engine","ids":[43],"tactics":[]},{"category":"Exploitation","description":"Document behaves abnormally","ids":[62],"tactics":[{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"}]},{"name":"Initial Access","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"}]}]},{"category":"Evasion","description":"Indirect command was executed","ids":[427],"tactics":[{"name":"Defense Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"}]}]},{"category":"Evasion","description":"Office program ran macro","ids":[434],"tactics":[{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]},{"name":"Initial Access","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]},{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]},{"category":"Evasion","description":"Process wrote to a hidden file section","ids":[169],"tactics":[{"name":"Defense Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]},{"category":"Evasion","description":"Suspicious registry key was created","ids":[171],"tactics":[{"name":"Defense Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]}],"kubernetesInfo":{"cluster":null,"controllerKind":null,"controllerLabels":null,"controllerName":null,"namespace":null,"namespaceLabels":null,"node":null,"pod":null,"podLabels":null},"mitigationStatus":[],"threatInfo":{"analystVerdict":"undefined","analystVerdictDescription":"Undefined","automaticallyResolved":false,"browserType":null,"certificateId":"","classification":"Malware","classificationSource":"Static","cloudFilesHashVerdict":"black","collectionId":"1234567890123456789","confidenceLevel":"malicious","createdAt":"2022-04-06T08:57:34.744922Z","detectionEngines":[{"key":"pre_execution","title":"On-Write Static AI"},{"key":"data_files","title":"Documents, Scripts"}],"detectionType":"dynamic","engines":["Documents, Scripts","On-Write ABC"],"externalTicketExists":false,"externalTicketId":null,"failedActions":false,"fileExtension":"TXT","fileExtensionType":"Document","filePath":"test/path/user","fileSize":238592,"fileVerificationType":"NotSigned","identifiedAt":"2022-04-06T08:57:34.444000Z","incidentStatus":"unresolved","incidentStatusDescription":"Unresolved","initiatedBy":"agent_policy","initiatedByDescription":"Agent Policy","initiatingUserId":null,"initiatingUsername":null,"isFileless":false,"isValidCertificate":false,"maliciousProcessArguments":"test/path/user","md5":null,"mitigatedPreemptively":false,"mitigationStatus":"not_mitigated","mitigationStatusDescription":"Not mitigated","originatorProcess":"default.EXE","pendingActions":false,"processUser":"test_user","publisherName":"","reachedEventsLimit":false,"rebootRequired":false,"sha1":"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d","sha256":null,"storyline":"7XXXXXXXXXDD5A41","threatId":"123456789","threatName":"Threats","updatedAt":"2022-04-06T08:57:37.672873Z"},"whiteningOptions":["hash","path","file_type"]}],"pagination":{"nextCursor":null,"totalItems":2}}
+          {"data":[{"agentDetectionInfo":{"accountId":"1234567890123456789","accountName":"Default","agentDetectionState":null,"agentDomain":"WORKGROUP","agentIpV4":"10.0.0.1","agentIpV6":"2a02:cf40::","agentLastLoggedInUpn":null,"agentLastLoggedInUserMail":null,"agentLastLoggedInUserName":"","agentMitigationMode":"protect","agentOsName":"linux","agentOsRevision":"1234","agentRegisteredAt":"2022-04-06T08:26:45.515278Z","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x","cloudProviders":{},"externalIp":"81.2.69.143","groupId":"1234567890123456789","groupName":"Default Group","siteId":"1234567890123456789","siteName":"Default site"},"agentRealtimeInfo":{"accountId":"1234567890123456789","accountName":"Default","activeThreats":7,"agentComputerName":"test-LINUX","agentDecommissionedAt":null,"agentDomain":"WORKGROUP","agentId":"1234567890123456789","agentInfected":true,"agentIsActive":true,"agentIsDecommissioned":false,"agentMachineType":"server","agentMitigationMode":"detect","agentNetworkStatus":"connected","agentOsName":"linux","agentOsRevision":"1234","agentOsType":"linux","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x.1234","groupId":"1234567890123456789","groupName":"Default Group","networkInterfaces":[{"id":"1234567890123456789","inet":["10.0.0.1"],"inet6":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"],"name":"Ethernet","physical":"a2:0b:0c:d6:00:ef"}],"operationalState":"na","rebootRequired":false,"scanAbortedAt":null,"scanFinishedAt":"2022-04-06T09:18:21.090855Z","scanStartedAt":"2022-04-06T08:26:52.838047Z","scanStatus":"finished","siteId":"1234567890123456789","siteName":"Default site","storageName":null,"storageType":null,"userActionsNeeded":[]},"containerInfo":{"id":null,"image":null,"labels":null,"name":null},"id":"1234567890123456789","indicators":[],"kubernetesInfo":{"cluster":null,"controllerKind":null,"controllerLabels":null,"controllerName":null,"namespace":null,"namespaceLabels":null,"node":null,"pod":null,"podLabels":null},"mitigationStatus":[{"action":"unquarantine","actionsCounters":{"failed":0,"notFound":0,"pendingReboot":0,"success":1,"total":1},"agentSupportsReport":true,"groupNotFound":false,"lastUpdate":"2022-04-06T08:54:17.198002Z","latestReport":"/threats/mitigation-report","mitigationEndedAt":"2022-04-06T08:54:17.101000Z","mitigationStartedAt":"2022-04-06T08:54:17.101000Z","status":"success"},{"action":"kill","actionsCounters":null,"agentSupportsReport":true,"groupNotFound":false,"lastUpdate":"2022-04-06T08:45:55.303355Z","latestReport":null,"mitigationEndedAt":"2022-04-06T08:45:55.297364Z","mitigationStartedAt":"2022-04-06T08:45:55.297363Z","status":"success"}],"threatInfo":{"analystVerdict":"undefined","analystVerdictDescription":"Undefined","automaticallyResolved":false,"browserType":null,"certificateId":"","classification":"Trojan","classificationSource":"Cloud","cloudFilesHashVerdict":"black","collectionId":"1234567890123456789","confidenceLevel":"malicious","createdAt":"2022-04-06T08:45:54.519988Z","detectionEngines":[{"key":"sentinelone_cloud","title":"SentinelOne Cloud"}],"detectionType":"static","engines":["SentinelOne Cloud"],"externalTicketExists":false,"externalTicketId":null,"failedActions":false,"fileExtension":"EXE","fileExtensionType":"Executable","filePath":"default.exe","fileSize":1234,"fileVerificationType":"NotSigned","identifiedAt":"2022-04-06T08:45:53.968000Z","incidentStatus":"unresolved","incidentStatusDescription":"Unresolved","initiatedBy":"agent_policy","initiatedByDescription":"Agent Policy","initiatingUserId":null,"initiatingUsername":null,"isFileless":false,"isValidCertificate":false,"maliciousProcessArguments":null,"md5":null,"mitigatedPreemptively":false,"mitigationStatus":"not_mitigated","mitigationStatusDescription":"Not mitigated","originatorProcess":"default.exe","pendingActions":false,"processUser":"test user","publisherName":"","reachedEventsLimit":false,"rebootRequired":false,"sha1":"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d","sha256":null,"storyline":"D0XXXXXXXXXXAF4D","threatId":"1234567890123456789","threatName":"default.exe","updatedAt":"2022-04-06T08:54:17.194122Z"},"whiteningOptions":["hash"]},{"agentDetectionInfo":{"accountId":"1234567890123456789","accountName":"Default","agentDetectionState":null,"agentDomain":"WORKGROUP","agentIpV4":"10.0.0.1","agentIpV6":"2a02:cf40::","agentLastLoggedInUpn":null,"agentLastLoggedInUserMail":null,"agentLastLoggedInUserName":"","agentMitigationMode":"detect","agentOsName":"linux","agentOsRevision":"1234","agentRegisteredAt":"2022-04-06T08:26:45.515278Z","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x","cloudProviders":{},"externalIp":"81.2.69.143","groupId":"1234567890123456789","groupName":"Default Group","siteId":"1234567890123456789","siteName":"Default site"},"agentRealtimeInfo":{"accountId":"1234567890123456789","accountName":"Default","activeThreats":7,"agentComputerName":"test-LINUX","agentDecommissionedAt":null,"agentDomain":"WORKGROUP","agentId":"1234567890123456789","agentInfected":true,"agentIsActive":true,"agentIsDecommissioned":false,"agentMachineType":"server","agentMitigationMode":"detect","agentNetworkStatus":"connected","agentOsName":"linux","agentOsRevision":"1234","agentOsType":"linux","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x.1234","groupId":"1234567890123456789","groupName":"Default Group","networkInterfaces":[{"id":"1234567890123456789","inet":["10.0.0.1"],"inet6":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"],"name":"Ethernet","physical":"X2:0X:0X:X6:00:XX"}],"operationalState":"na","rebootRequired":false,"scanAbortedAt":null,"scanFinishedAt":"2022-04-06T09:18:21.090855Z","scanStartedAt":"2022-04-06T08:26:52.838047Z","scanStatus":"finished","siteId":"1234567890123456789","siteName":"Default site","storageName":null,"storageType":null,"userActionsNeeded":[]},"containerInfo":{"id":null,"image":null,"labels":null,"name":null},"id":"1234567890123456789","indicators":[{"category":"General","description":"Detected by the Static Engine","ids":[43],"tactics":[]},{"category":"Exploitation","description":"Document behaves abnormally","ids":[62],"tactics":[{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"}]},{"name":"Initial Access","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"}]}]},{"category":"Evasion","description":"Indirect command was executed","ids":[427],"tactics":[{"name":"Defense Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"}]}]},{"category":"Evasion","description":"Office program ran macro","ids":[434],"tactics":[{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]},{"name":"Initial Access","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]},{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]},{"category":"Evasion","description":"Process wrote to a hidden file section","ids":[169],"tactics":[{"name":"Defense Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]},{"category":"Evasion","description":"Suspicious registry key was created","ids":[171],"tactics":[{"name":"Defense Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]}],"kubernetesInfo":{"cluster":null,"controllerKind":null,"controllerLabels":null,"controllerName":null,"namespace":null,"namespaceLabels":null,"node":null,"pod":null,"podLabels":null},"mitigationStatus":[],"threatInfo":{"analystVerdict":"undefined","analystVerdictDescription":"Undefined","automaticallyResolved":false,"browserType":null,"certificateId":"","classification":"Malware","classificationSource":"Static","cloudFilesHashVerdict":"black","collectionId":"1234567890123456789","confidenceLevel":"malicious","createdAt":"2022-04-06T08:57:34.744922Z","detectionEngines":[{"key":"pre_execution","title":"On-Write Static AI"},{"key":"data_files","title":"Documents, Scripts"}],"detectionType":"dynamic","engines":["Documents, Scripts","On-Write ABC"],"externalTicketExists":false,"externalTicketId":null,"failedActions":false,"fileExtension":"TXT","fileExtensionType":"Document","filePath":"test/path/user","fileSize":238592,"fileVerificationType":"NotSigned","identifiedAt":"2022-04-06T08:57:34.444000Z","incidentStatus":"unresolved","incidentStatusDescription":"Unresolved","initiatedBy":"agent_policy","initiatedByDescription":"Agent Policy","initiatingUserId":null,"initiatingUsername":null,"isFileless":false,"isValidCertificate":false,"maliciousProcessArguments":"test/path/user","md5":null,"mitigatedPreemptively":false,"mitigationStatus":"not_mitigated","mitigationStatusDescription":"Not mitigated","originatorProcess":"default.EXE","pendingActions":false,"processUser":"test_user","publisherName":"","reachedEventsLimit":false,"rebootRequired":false,"sha1":"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d","sha256":null,"storyline":"7XXXXXXXXXDD5A41","threatId":"123456789","threatName":"Threats","updatedAt":"2022-04-06T08:57:37.672873Z"},"whiteningOptions":["hash","path","file_type"]}],"pagination":{"nextCursor":null,"totalItems":2}}
diff --git a/packages/sentinel_one/changelog.yml b/packages/sentinel_one/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.23.1"
+  changes:
+    - description: Fix sample event.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/10134
 - version: "1.23.0"
   changes:
     - description: Make `host.ip` field conform to ECS field definition.