SentinelOne

[jamiehynds]

Description

Sentinel One is an endpoint security solution based on the idea of of working automatically not just to detect endpoints and their vulnerabilities, but to apply behavioral models, and various modes of protection, detection and response in one solution. Their solutions (including XDR, IoT and Cloud Workload Protection) reside within the Singularity Platform.

Architecture

Syslog (CEF or RFC5424) is supported.

Integration release checklist

This checklist is intended for integrations maintainers to ensure consistency
when creating or updating a Package, Module or Dataset for an Integration.

All changes

• Change follows the contributing guidelines
• Supported versions of the monitoring target are documented
• Supported operating systems are documented (if applicable)
• Integration or System tests exist
• Documentation exists
• Fields follow ECS and naming conventions
• At least a manual test with ES / Kibana / Agent has been performed.
• Required Kibana version set to:

New Package

• Screenshot of the "Add Integration" page on Fleet added

Dashboards changes

• Dashboards exists
• Screenshots added or updated
• Datastream filters added to visualizations

Log dataset changes

• Pipeline tests exist (if applicable)
• Generated output for at least 1 log file exists
• Sample event (sample_event.json) exists

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[austinsonger]

@jamiehynds this would be nice, MSSP deploys SentinelOne to all clients. This would help convince my MSSP to switch the rest of our clients to Elastic Security and because we are not big enough to qualify for Elastic Enterprise and Endpoint Security, are options are limited.

[austinsonger]

I downloaded their API in from their management portal. I can also send by other means if you desire.

• https://drive.protonmail.com/urls/22YSAV2JA0#DBkeLaAGDouz

[jamiehynds]

Thanks @austinsonger - super helpful. An S1 integration is certainly a priority for us and will keep you posted once we begin development.

[jamiehynds]

Hey @austinsonger - we're about to start developed of the S1 integration but lacking event samples. Would you be able to provide a sample data set of S1 alerts/events from the API in JSON format?

[austinsonger]

@jamiehynds does this help? FYI: I did some redactions.

{
  "agentDetectionInfo": {
    "accountId": "1036158366103414790",
    "accountName": "<Placeholder>",
    "agentDomain": "<Placeholder>",
    "agentIpV4": "10.31.101.216",
    "agentIpV6": "fe80::c48c:608f:32f5:a784",
    "agentLastLoggedInUserName": "",
    "agentMitigationMode": "protect",
    "agentOsName": "Windows Server 2012 R2 Datacenter",
    "agentOsRevision": "9600",
    "agentRegisteredAt": "2021-08-17T04:54:16.469714Z",
    "agentUuid": "7902f3f9562348c0ac8912c2d690d479",
    "agentVersion": "4.6.13.298",
    "externalIp": "<Placeholder>",
    "groupId": "1038391807164313750",
    "groupName": "<Placeholder>",
    "siteId": "1038387378499381063",
    "siteName": "UDG"
  },
  "agentRealtimeInfo": {
    "accountId": "1036158366103414790",
    "accountName": "<Placeholder>",
    "activeThreats": 0,
    "agentComputerName": "HCX-GX04",
    "agentDecommissionedAt": null,
    "agentDomain": "<Placeholder>",
    "agentId": "1224294323241529157",
    "agentInfected": false,
    "agentIsActive": true,
    "agentIsDecommissioned": false,
    "agentMachineType": "server",
    "agentMitigationMode": "protect",
    "agentNetworkStatus": "connected",
    "agentOsName": "Windows Server 2012 R2 Datacenter",
    "agentOsRevision": "9600",
    "agentOsType": "windows",
    "agentUuid": "7902f3f9562348c0ac8912c2d690d479",
    "agentVersion": "4.6.13.298",
    "groupId": "1038391807164313750",
    "groupName": "<Placeholder>",
    "networkInterfaces": [
      {
        "id": "1224294323249917782",
        "inet": [
          "10.31.101.216"
        ],
        "inet6": [
          "fe80::c48c:608f:32f5:a784"
        ],
        "name": "Ethernet",
        "physical": "50:6b:8d:ba:2e:90"
      }
    ],
    "operationalState": "na",
    "rebootRequired": false,
    "scanAbortedAt": null,
    "scanFinishedAt": null,
    "scanStartedAt": null,
    "scanStatus": "none",
    "siteId": "1038387378499381063",
    "siteName": "UDG",
    "storageName": null,
    "storageType": null,
    "userActionsNeeded": []
  },
  "containerInfo": {
    "id": null,
    "image": null,
    "labels": null,
    "name": null
  },
  "id": "1259418827086770521",
  "indicators": [
    {
      "category": "Evasion",
      "description": "Internal process resource was manipulated in memory.",
      "ids": [
        68
      ],
      "tactics": [
        {
          "name": "Defense Evasion",
          "source": "MITRE",
          "techniques": []
        }
      ]
    },
    {
      "category": "Evasion",
      "description": "Code injection to other process memory space during the target process' initialization",
      "ids": [
        153
      ],
      "tactics": [
        {
          "name": "Defense Evasion",
          "source": "MITRE",
          "techniques": [
            {
              "link": "https://www.google.com/url?q=https://attack.mitre.org/techniques/T1055/012/&source=gmail-imap&ust=1633982586000000&usg=AOvVaw2zmfjvqhlmNVizfvOZqVqK",
              "name": "T1055.012"
            }
          ]
        },
        {
          "name": "Privilege Escalation",
          "source": "MITRE",
          "techniques": [
            {
              "link": "https://www.google.com/url?q=https://attack.mitre.org/techniques/T1055/012/&source=gmail-imap&ust=1633982586000000&usg=AOvVaw2zmfjvqhlmNVizfvOZqVqK",
              "name": "T1055.012"
            }
          ]
        }
      ]
    },
    {
      "category": "Injection",
      "description": "Suspicious library loaded into the process memory.",
      "ids": [
        126
      ],
      "tactics": []
    }
  ],
  "kubernetesInfo": {
    "cluster": null,
    "controllerKind": null,
    "controllerLabels": null,
    "controllerName": null,
    "namespace": null,
    "namespaceLabels": null,
    "node": null,
    "pod": null,
    "podLabels": null
  },
  "mitigationStatus": [
    {
      "action": "quarantine",
      "actionsCounters": {
        "failed": 0,
        "notFound": 0,
        "pendingReboot": 0,
        "success": 1,
        "total": 1
      },
      "agentSupportsReport": true,
      "groupNotFound": false,
      "lastUpdate": "2021-10-04T16:00:24.159175Z",
      "latestReport": "/threats/mitigation-report/1259418831591455141",
      "mitigationEndedAt": "2021-10-04T16:00:26.284000Z",
      "mitigationStartedAt": "2021-10-04T16:00:26.284000Z",
      "status": "success"
    },
    {
      "action": "kill",
      "actionsCounters": {
        "failed": 0,
        "notFound": 0,
        "pendingReboot": 0,
        "success": 11,
        "total": 11
      },
      "agentSupportsReport": true,
      "groupNotFound": false,
      "lastUpdate": "2021-10-04T16:00:23.755761Z",
      "latestReport": "/threats/mitigation-report/1259418828210844550",
      "mitigationEndedAt": "2021-10-04T16:00:25.514000Z",
      "mitigationStartedAt": "2021-10-04T16:00:25.512000Z",
      "status": "success"
    }
  ],
  "threatInfo": {
    "analystVerdict": "undefined",
    "analystVerdictDescription": "Undefined",
    "automaticallyResolved": false,
    "browserType": null,
    "certificateId": "",
    "classification": "Malware",
    "classificationSource": "Static",
    "cloudFilesHashVerdict": null,
    "collectionId": "1259418827128713568",
    "confidenceLevel": "malicious",
    "createdAt": "2021-10-04T16:00:23.621914Z",
    "detectionEngines": [
      {
        "key": "data_files",
        "title": "Documents, Scripts"
      }
    ],
    "detectionType": "dynamic",
    "engines": [
      "Documents, Scripts"
    ],
    "externalTicketExists": false,
    "externalTicketId": null,
    "failedActions": false,
    "fileExtension": "PDF",
    "fileExtensionType": "Document",
    "filePath": "\\Device\\HarddiskVolume2\\Users\\<Placeholder>\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\G3UN9NNW\\20211004105215422.pdf",
    "fileSize": 651328,
    "fileVerificationType": "NotSigned",
    "identifiedAt": "2021-10-04T16:00:23.610318Z",
    "incidentStatus": "unresolved",
    "incidentStatusDescription": "Unresolved",
    "initiatedBy": "agent_policy",
    "initiatedByDescription": "Agent Policy",
    "initiatingUserId": null,
    "initiatingUsername": null,
    "isFileless": false,
    "isValidCertificate": false,
    "maliciousProcessArguments": "\"C:\\Users\\<Placeholder>\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\G3UN9NNW\\20211004105215422.pdf\"",
    "md5": null,
    "mitigatedPreemptively": false,
    "mitigationStatus": "mitigated",
    "mitigationStatusDescription": "Mitigated",
    "originatorProcess": null,
    "pendingActions": false,
    "processUser": "<Placeholder>\\<Placeholder>",
    "publisherName": "",
    "reachedEventsLimit": false,
    "rebootRequired": false,
    "sha1": "624eb9da5abde90da2feda009407187f3f44af3f",
    "sha256": null,
    "storyline": "4B187034DBF3268C",
    "threatId": "1259418827086770521",
    "threatName": "20211004105215422.pdf",
    "updatedAt": "2021-10-04T16:00:24.155073Z"
  },
  "whiteningOptions": [
    "hash",
    "file_type",
    "path"
  ]
}