[sentinel_one] Initial Release for the SentinelOne Package#3232
Merged
andrewkroh merged 5 commits intoelastic:mainfrom May 26, 2022
Merged
[sentinel_one] Initial Release for the SentinelOne Package#3232andrewkroh merged 5 commits intoelastic:mainfrom
andrewkroh merged 5 commits intoelastic:mainfrom
Conversation
vinit-chauhan
force-pushed
the
package_sentinel_one
branch
from
66edf63 to
eb4461f
Compare
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
🤖 GitHub commentsTo re-run your PR in the CI, just comment with:
|
vinit-chauhan
added
enhancement
🌐 Coverage report
|
vinit-chauhan
changed the title
andrewkroh
added
Integration:sentinel_one
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
efd6
reviewed
May 4, 2022
| @@ -0,0 +1,20 @@ | |||
| - name: data_stream.dataset | |||
Contributor
There was a problem hiding this comment.
Should these constant_keyword fields not have values?
Contributor
Author
There was a problem hiding this comment.
Actually, neither of the connectors has any values for the data_stream.dataset.
vinit-chauhan
force-pushed
the
package_sentinel_one
branch
from
250251c to
afebf16
Compare
Member
|
Please add |
Member
|
Some of the fields are duplicated. Soon we will be validating for this (see elastic/package-spec#309). Can you please address the duplicates. |
andrewkroh
reviewed
May 6, 2022
| "id": "13491234512345", | ||
| "ip": "81.2.69.143", | ||
| "mac": [ | ||
| "42-X1-0X-9X-X0-0X" |
Member
There was a problem hiding this comment.
This will fail validation due to the X. I assume this was anonymized. Some safe values to use are the ranges listed in https://www.rfc-editor.org/rfc/rfc7042.html#section-2.1.2.
For example if change _dev/build/build.yml to use ECS 8.3, remove the duplicate non-ECS definition of host.mac, then run elastic-package test pipeline you will see an error:
[0] parsing field value failed: field "host.mac"'s value, 42-X1-0X-9X-X0-0X, does not match the expected pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
4 tasks
Contributor
Author
|
Hey @andrewkroh, I have updated the PR as per your comments. Please have a look and let me know if there are any changes. |
andrewkroh
reviewed
May 12, 2022
| "ingested": "2022-05-09T12:54:52Z", | ||
| "kind": "event", | ||
| "original": "{\"agentDetectionInfo\":{\"machineType\":\"string\",\"name\":\"string\",\"osFamily\":\"string\",\"osName\":\"string\",\"osRevision\":\"string\",\"siteId\":\"123456789123456789\",\"uuid\":\"string\",\"version\":\"3.x.x.x\"},\"alertInfo\":{\"alertId\":\"123456789123456789\",\"analystVerdict\":\"string\",\"createdAt\":\"2018-02-27T04:49:26.257525Z\",\"dnsRequest\":\"string\",\"dnsResponse\":\"string\",\"dstIp\":\"0.0.0.0\",\"dstPort\":\"1234\",\"dvEventId\":\"string\",\"eventType\":\"string\",\"hitType\":\"Events\",\"incidentStatus\":\"string\",\"indicatorCategory\":\"string\",\"indicatorDescription\":\"string\",\"indicatorName\":\"string\",\"loginAccountDomain\":\"string\",\"loginAccountSid\":\"string\",\"loginIsAdministratorEquivalent\":\"string\",\"loginIsSuccessful\":\"string\",\"loginType\":\"string\",\"loginsUserName\":\"string\",\"modulePath\":\"string\",\"moduleSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"netEventDirection\":\"string\",\"registryKeyPath\":\"string\",\"registryOldValue\":\"string\",\"registryOldValueType\":\"string\",\"registryPath\":\"string\",\"registryValue\":\"string\",\"reportedAt\":\"2018-02-27T04:49:26.257525Z\",\"source\":\"string\",\"srcIp\":\"0.0.0.0\",\"srcMachineIp\":\"0.0.0.0\",\"srcPort\":\"string\",\"tiIndicatorComparisonMethod\":\"string\",\"tiIndicatorSource\":\"string\",\"tiIndicatorType\":\"string\",\"tiIndicatorValue\":\"string\",\"updatedAt\":\"2018-02-27T04:49:26.257525Z\"},\"containerInfo\":{\"id\":\"string\",\"image\":\"string\",\"labels\":\"string\",\"name\":\"string\"},\"kubernetesInfo\":{\"cluster\":\"string\",\"controllerKind\":\"string\",\"controllerLabels\":\"string\",\"controllerName\":\"string\",\"namespace\":\"string\",\"namespaceLabels\":\"string\",\"node\":\"string\",\"pod\":\"string\",\"podLabels\":\"string\"},\"ruleInfo\":{\"description\":\"string\",\"id\":\"string\",\"name\":\"string\",\"scopeLevel\":\"string\",\"severity\":\"Low\",\"treatAsThreat\":\"UNDEFINED\"},\"sourceParentProcessInfo\":{\"commandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"sourceProcessInfo\":{\"commandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"targetProcessInfo\":{\"tgtFileCreatedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"tgtFileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"tgtFileId\":\"string\",\"tgtFileIsSigned\":\"string\",\"tgtFileModifiedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileOldPath\":\"string\",\"tgtFilePath\":\"string\",\"tgtProcCmdLine\":\"string\",\"tgtProcImagePath\":\"string\",\"tgtProcIntegrityLevel\":\"unknown\",\"tgtProcName\":\"string\",\"tgtProcPid\":\"12345\",\"tgtProcSignedStatus\":\"string\",\"tgtProcStorylineId\":\"string\",\"tgtProcUid\":\"string\",\"tgtProcessStartTime\":\"2018-02-27T04:49:26.257525Z\"}}", | ||
| "type": "string" |
Member
There was a problem hiding this comment.
[0] parsing field value failed: field "event.type"'s value "string" is not one of the allowed values (access, admin, allowed, change, connection, creation, deletion, denied, end, error, group, indicator, info, installation, protocol, start, user)
And it should be an array.
See #3016 (comment) for testing info.
Contributor
Author
There was a problem hiding this comment.
For the time being we are not sure of the possible values of the mapped field as we are not able to generate the alerts. Once we have the alerts available we can update event.type accordingly.
Member
There was a problem hiding this comment.
We can't leave this with an invalid value so I moved the original value into sentinel_one.alert.info.event_type. After we have samples then we can set event.type and event.category based on this value.
Don't set event.type with the raw evenType value because it won't conform to ECS's allowed values. After we have real alert samples then this value can be used to inform the event.category and event.type values.
andrewkroh
force-pushed
the
package_sentinel_one
branch
from
58357d6 to
196fbb5
Compare
andrewkroh
approved these changes
May 26, 2022
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Checklist
changelog.ymlfile.manifest.ymlfile to point to the latest Elastic stack release (e.g.^7.17.0 || ^8.0.0).How to test this PR locally
Screenshots