Keep original sentinel_one.alert.info.event_type

andrewkroh · andrewkroh · commit 196fbb5f85a0 · 2022-05-25T18:26:06.000-04:00
Don't set event.type with the raw evenType value because it won't conform to ECS's
allowed values. After we have real alert samples then this value can be used to inform
the event.category and event.type values.
diff --git a/packages/sentinel_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log-expected.json b/packages/sentinel_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log-expected.json
@@ -34,7 +34,9 @@
                 "id": "123456789123456789",
                 "kind": "event",
                 "original": "{\"targetProcessInfo\":{\"tgtFileCreatedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileIsSigned\":\"string\",\"tgtFileOldPath\":\"string\",\"tgtProcImagePath\":\"string\",\"tgtProcSignedStatus\":\"string\",\"tgtFileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"tgtProcStorylineId\":\"string\",\"tgtProcPid\":\"12345\",\"tgtProcCmdLine\":\"string\",\"tgtProcName\":\"string\",\"tgtFileModifiedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileId\":\"string\",\"tgtProcIntegrityLevel\":\"unknown\",\"tgtFileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"tgtProcUid\":\"string\",\"tgtProcessStartTime\":\"2018-02-27T04:49:26.257525Z\",\"tgtFilePath\":\"string\"},\"alertInfo\":{\"createdAt\":\"2018-02-27T04:49:26.257525Z\",\"srcIp\":\"0.0.0.0\",\"incidentStatus\":\"string\",\"registryOldValue\":\"string\",\"alertId\":\"123456789123456789\",\"dstPort\":\"1234\",\"indicatorName\":\"string\",\"registryPath\":\"string\",\"loginType\":\"string\",\"dstIp\":\"0.0.0.0\",\"updatedAt\":\"2018-02-27T04:49:26.257525Z\",\"indicatorDescription\":\"string\",\"loginsUserName\":\"string\",\"loginIsSuccessful\":\"string\",\"indicatorCategory\":\"string\",\"modulePath\":\"string\",\"loginAccountSid\":\"string\",\"dnsResponse\":\"string\",\"netEventDirection\":\"string\",\"registryValue\":\"string\",\"srcMachineIp\":\"0.0.0.0\",\"registryOldValueType\":\"string\",\"eventType\":\"string\",\"analystVerdict\":\"string\",\"dvEventId\":\"string\",\"dnsRequest\":\"string\",\"loginIsAdministratorEquivalent\":\"string\",\"loginAccountDomain\":\"string\",\"tiIndicatorType\":\"string\",\"moduleSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"source\":\"string\",\"srcPort\":\"string\",\"tiIndicatorValue\":\"string\",\"tiIndicatorSource\":\"string\",\"reportedAt\":\"2018-02-27T04:49:26.257525Z\",\"registryKeyPath\":\"string\",\"tiIndicatorComparisonMethod\":\"string\",\"hitType\":\"Events\"},\"sourceProcessInfo\":{\"integrityLevel\":\"unknown\",\"pid\":\"12345\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"uniqueId\":\"string\",\"user\":\"string\",\"commandline\":\"string\",\"name\":\"string\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"subsystem\":\"unknown\"},\"ruleInfo\":{\"severity\":\"Low\",\"treatAsThreat\":\"UNDEFINED\",\"id\":\"string\",\"scopeLevel\":\"string\",\"name\":\"string\",\"description\":\"string\"},\"sourceParentProcessInfo\":{\"integrityLevel\":\"unknown\",\"pid\":\"12345\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"uniqueId\":\"string\",\"user\":\"string\",\"commandline\":\"string\",\"name\":\"string\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"subsystem\":\"unknown\"},\"agentDetectionInfo\":{\"osFamily\":\"string\",\"uuid\":\"string\",\"osName\":\"string\",\"version\":\"3.x.x.x\",\"siteId\":\"123456789123456789\",\"name\":\"string\",\"machineType\":\"string\",\"osRevision\":\"string\"},\"kubernetesInfo\":{\"controllerName\":\"string\",\"node\":\"string\",\"namespace\":\"string\",\"namespaceLabels\":\"string\",\"pod\":\"string\",\"controllerLabels\":\"string\",\"controllerKind\":\"string\",\"cluster\":\"string\",\"podLabels\":\"string\"},\"containerInfo\":{\"id\":\"string\",\"name\":\"string\",\"image\":\"string\",\"labels\":\"string\"}}",
-                "type": "string"
+                "type": [
+                    "info"
+                ]
             },
             "file": {
                 "created": "2018-02-27T04:49:26.257Z",
@@ -145,6 +147,7 @@
                         "dns": {
                             "response": "string"
                         },
+                        "event_type": "string",
                         "hit": {
                             "type": "Events"
                         },
diff --git a/packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
@@ -10,6 +10,9 @@ processors:
   - set:
       field: event.category
       value: [malware]
+  - set:
+      field: event.type
+      value: [info]
   - rename:
       field: message
       target_field: event.original
@@ -186,7 +189,7 @@ processors:
       ignore_missing: true
   - rename:
       field: json.alertInfo.eventType 
-      target_field: event.type
+      target_field: sentinel_one.alert.info.event_type
       ignore_missing: true
   - rename:
       field: json.alertInfo.analystVerdict 
diff --git a/packages/sentinel_one/data_stream/alert/fields/fields.yml b/packages/sentinel_one/data_stream/alert/fields/fields.yml
@@ -34,6 +34,9 @@
             - name: response
               type: keyword
               description: IP address, DNS, type, etc. in response.
+        - name: event_type
+          type: keyword
+          description: Event type.
         - name: hit
           type: group
           fields:
diff --git a/packages/sentinel_one/data_stream/alert/sample_event.json b/packages/sentinel_one/data_stream/alert/sample_event.json
@@ -53,7 +53,9 @@
         "ingested": "2022-05-09T12:54:52Z",
         "kind": "event",
         "original": "{\"agentDetectionInfo\":{\"machineType\":\"string\",\"name\":\"string\",\"osFamily\":\"string\",\"osName\":\"string\",\"osRevision\":\"string\",\"siteId\":\"123456789123456789\",\"uuid\":\"string\",\"version\":\"3.x.x.x\"},\"alertInfo\":{\"alertId\":\"123456789123456789\",\"analystVerdict\":\"string\",\"createdAt\":\"2018-02-27T04:49:26.257525Z\",\"dnsRequest\":\"string\",\"dnsResponse\":\"string\",\"dstIp\":\"0.0.0.0\",\"dstPort\":\"1234\",\"dvEventId\":\"string\",\"eventType\":\"string\",\"hitType\":\"Events\",\"incidentStatus\":\"string\",\"indicatorCategory\":\"string\",\"indicatorDescription\":\"string\",\"indicatorName\":\"string\",\"loginAccountDomain\":\"string\",\"loginAccountSid\":\"string\",\"loginIsAdministratorEquivalent\":\"string\",\"loginIsSuccessful\":\"string\",\"loginType\":\"string\",\"loginsUserName\":\"string\",\"modulePath\":\"string\",\"moduleSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"netEventDirection\":\"string\",\"registryKeyPath\":\"string\",\"registryOldValue\":\"string\",\"registryOldValueType\":\"string\",\"registryPath\":\"string\",\"registryValue\":\"string\",\"reportedAt\":\"2018-02-27T04:49:26.257525Z\",\"source\":\"string\",\"srcIp\":\"0.0.0.0\",\"srcMachineIp\":\"0.0.0.0\",\"srcPort\":\"string\",\"tiIndicatorComparisonMethod\":\"string\",\"tiIndicatorSource\":\"string\",\"tiIndicatorType\":\"string\",\"tiIndicatorValue\":\"string\",\"updatedAt\":\"2018-02-27T04:49:26.257525Z\"},\"containerInfo\":{\"id\":\"string\",\"image\":\"string\",\"labels\":\"string\",\"name\":\"string\"},\"kubernetesInfo\":{\"cluster\":\"string\",\"controllerKind\":\"string\",\"controllerLabels\":\"string\",\"controllerName\":\"string\",\"namespace\":\"string\",\"namespaceLabels\":\"string\",\"node\":\"string\",\"pod\":\"string\",\"podLabels\":\"string\"},\"ruleInfo\":{\"description\":\"string\",\"id\":\"string\",\"name\":\"string\",\"scopeLevel\":\"string\",\"severity\":\"Low\",\"treatAsThreat\":\"UNDEFINED\"},\"sourceParentProcessInfo\":{\"commandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"sourceProcessInfo\":{\"commandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"targetProcessInfo\":{\"tgtFileCreatedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"tgtFileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"tgtFileId\":\"string\",\"tgtFileIsSigned\":\"string\",\"tgtFileModifiedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileOldPath\":\"string\",\"tgtFilePath\":\"string\",\"tgtProcCmdLine\":\"string\",\"tgtProcImagePath\":\"string\",\"tgtProcIntegrityLevel\":\"unknown\",\"tgtProcName\":\"string\",\"tgtProcPid\":\"12345\",\"tgtProcSignedStatus\":\"string\",\"tgtProcStorylineId\":\"string\",\"tgtProcUid\":\"string\",\"tgtProcessStartTime\":\"2018-02-27T04:49:26.257525Z\"}}",
-        "type": "string"
+        "type": [
+            "info"
+        ]
     },
     "file": {
         "created": "2018-02-27T04:49:26.257Z",
@@ -167,6 +169,7 @@
                 "dns": {
                     "response": "string"
                 },
+                "event_type": "string",
                 "hit": {
                     "type": "Events"
                 },
diff --git a/packages/sentinel_one/docs/README.md b/packages/sentinel_one/docs/README.md
@@ -647,7 +647,9 @@ An example event for `alert` looks as following:
         "ingested": "2022-05-09T12:54:52Z",
         "kind": "event",
         "original": "{\"agentDetectionInfo\":{\"machineType\":\"string\",\"name\":\"string\",\"osFamily\":\"string\",\"osName\":\"string\",\"osRevision\":\"string\",\"siteId\":\"123456789123456789\",\"uuid\":\"string\",\"version\":\"3.x.x.x\"},\"alertInfo\":{\"alertId\":\"123456789123456789\",\"analystVerdict\":\"string\",\"createdAt\":\"2018-02-27T04:49:26.257525Z\",\"dnsRequest\":\"string\",\"dnsResponse\":\"string\",\"dstIp\":\"0.0.0.0\",\"dstPort\":\"1234\",\"dvEventId\":\"string\",\"eventType\":\"string\",\"hitType\":\"Events\",\"incidentStatus\":\"string\",\"indicatorCategory\":\"string\",\"indicatorDescription\":\"string\",\"indicatorName\":\"string\",\"loginAccountDomain\":\"string\",\"loginAccountSid\":\"string\",\"loginIsAdministratorEquivalent\":\"string\",\"loginIsSuccessful\":\"string\",\"loginType\":\"string\",\"loginsUserName\":\"string\",\"modulePath\":\"string\",\"moduleSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"netEventDirection\":\"string\",\"registryKeyPath\":\"string\",\"registryOldValue\":\"string\",\"registryOldValueType\":\"string\",\"registryPath\":\"string\",\"registryValue\":\"string\",\"reportedAt\":\"2018-02-27T04:49:26.257525Z\",\"source\":\"string\",\"srcIp\":\"0.0.0.0\",\"srcMachineIp\":\"0.0.0.0\",\"srcPort\":\"string\",\"tiIndicatorComparisonMethod\":\"string\",\"tiIndicatorSource\":\"string\",\"tiIndicatorType\":\"string\",\"tiIndicatorValue\":\"string\",\"updatedAt\":\"2018-02-27T04:49:26.257525Z\"},\"containerInfo\":{\"id\":\"string\",\"image\":\"string\",\"labels\":\"string\",\"name\":\"string\"},\"kubernetesInfo\":{\"cluster\":\"string\",\"controllerKind\":\"string\",\"controllerLabels\":\"string\",\"controllerName\":\"string\",\"namespace\":\"string\",\"namespaceLabels\":\"string\",\"node\":\"string\",\"pod\":\"string\",\"podLabels\":\"string\"},\"ruleInfo\":{\"description\":\"string\",\"id\":\"string\",\"name\":\"string\",\"scopeLevel\":\"string\",\"severity\":\"Low\",\"treatAsThreat\":\"UNDEFINED\"},\"sourceParentProcessInfo\":{\"commandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"sourceProcessInfo\":{\"commandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"targetProcessInfo\":{\"tgtFileCreatedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"tgtFileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"tgtFileId\":\"string\",\"tgtFileIsSigned\":\"string\",\"tgtFileModifiedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileOldPath\":\"string\",\"tgtFilePath\":\"string\",\"tgtProcCmdLine\":\"string\",\"tgtProcImagePath\":\"string\",\"tgtProcIntegrityLevel\":\"unknown\",\"tgtProcName\":\"string\",\"tgtProcPid\":\"12345\",\"tgtProcSignedStatus\":\"string\",\"tgtProcStorylineId\":\"string\",\"tgtProcUid\":\"string\",\"tgtProcessStartTime\":\"2018-02-27T04:49:26.257525Z\"}}",
-        "type": "string"
+        "type": [
+            "info"
+        ]
     },
     "file": {
         "created": "2018-02-27T04:49:26.257Z",
@@ -761,6 +763,7 @@ An example event for `alert` looks as following:
                 "dns": {
                     "response": "string"
                 },
+                "event_type": "string",
                 "hit": {
                     "type": "Events"
                 },
@@ -974,6 +977,7 @@ An example event for `alert` looks as following:
 | sentinel_one.alert.container.info.labels | Container info labels. | keyword |
 | sentinel_one.alert.dv_event.id | DV event id. | keyword |
 | sentinel_one.alert.info.dns.response | IP address, DNS, type, etc. in response. | keyword |
+| sentinel_one.alert.info.event_type | Event type. | keyword |
 | sentinel_one.alert.info.hit.type | Type of hit reported from agent. | keyword |
 | sentinel_one.alert.info.indicator.category | Indicator categories for this process. | keyword |
 | sentinel_one.alert.info.indicator.description | Indicator_description. | keyword |
