Change log for SENTINELONE_ALERT

Date Changes
2024-11-21 Enhancement:
- Mapped "agentDetectionInfo.cloudProviders.AWS.cloudLocation" to "principal.resource.attribute.cloud.availability_zone".
- Mapped "agentDetectionInfo.cloudProviders.AWS.cloudInstanceId" and "agentDetectionInfo.cloudProviders.AWS.cloudAccount" to "principal.resource.attribute.labels".
2024-11-08 Enhancement:
- When "threatInfo.processUser" is not null, then mapped "agentLastLoggedInUserName" to "additional.fields".
2024-10-24 Enhancement:
- Changed mapping of "agentRealtimeInfo.name" from "principal.hostname" to "target.hostname".
2024-10-23 Enhancement:
- Added support for CEF format logs.
2024-09-18 Enhancement:
- Changed "siteId" mapping from "principal.namespace" to "additional.fields".
2024-08-08 Enhancement:
- Added support to parse additional fields.
2024-05-27 Enhancement:
- Removed "collectionId" from "metadata.ingestion_labels".
2024-05-14 - When "threatStatus.mitigationStatus" is "not_mitigated", then set "security_result.action" to "ALLOW" and "security_result.threat_status" to "ACTIVE".
- When "threatStatus.mitigationStatus" is "mitigated", then set "security_result.action" to "BLOCK" and "security_result.threat_status" to "CLEARED".
2024-04-19 - Mapped "threatInfo.externalTicketExists", "threatInfo.externalTicketId", "threatInfo.incidentStatus", "threatInfo.incidentStatusDescription", "threatInfo.initiatedBy", "threatInfo.initiatedByDescription", "threatInfo.initiatingUserId" and "threatInfo.initiatingUsername" to "security_result.detection_fields".
2024-03-12 - Changed mapping of "threatInfo.detectionEngines" from "ingestion_labels" to "security_result.detection_fields".
2023-08-18 - Mapped "threatInfo.threatName" to "principal.process.file.names".
- Mapped "threatInfo.originatorProcess" to "principal.process.parent_process.file.names".
- Mapped "threatInfo.classificationSource" to "security_result.detection_fields".
- Mapped "security_result.detection_fields" "detection_type" based on "threatInfo.classificationSource".
- Mapped "threatInfo.processUser" to "principal.user.userid".
2023-07-21 - Added MITRE ATT&CK tactic and technique details mapping to "security_result.attack_details".
2023-06-07 - Mapped "indicators.tactics.name" to "security_result.attack_details.tactics.name".
- Mapped "indicators.tactics.technique.name" to "security_result.attack_details.techniques.id".
2023-05-23 - Mapped "threatInfo.classification" and "alertInfo.source" to "security_result.category_details".
- Mapped "threatInfo.maliciousProcessArguments" to "principal.process.command_line".
- Mapped "agentDetectionInfo.osRevision" to "principal.platform_patch_level", "principal.asset.platform_software.platform_patch_level".
- Mapped "agentDetectionInfo.agentOsRevision" to "principal.platform_patch_level", "principal.asset.platform_software.platform_patch_level" if "agentDetectionInfo.osRevision" is null.
- Mapped "agentDetectionInfo.osName" to "principal.platform_version", "principal.asset.platform_software.platform_version".
- Mapped "agentDetectionInfo.agentOsName" to "principal.platform_version", "principal.asset.platform_software.platform_version" if "agentDetectionInfo.osName" is null.
- Mapped "agentRealtimeInfo.agentOsType" to "principal.platform".
- Mapped "ruleInfo.name" to "security_result.threat_name".
2023-03-09 Fix -
- Mapped "source_hostname" to "intermediary.hostname" instead of "principal.hostname".
- Mapped "collectionId.key" to "alert_aggregation_value".
2023-02-17 Enhancement -
- If "source_hostname" is not null and "threatInfo.threatId" is not null then mapped ""https://"source_hostname"/incidents/threats/"threatInfo.threatId"/overview"" to "metadata.url_back_to_product".
- If "source_hostname" is not null and "threatInfo.threatId" is null then mapped "https://"source_hostname" to "metadata.url_back_to_product".
- Mapped "security_result.severity" for cases "ruleInfo.severity" in [critical, high, medium].
2023-02-02 Enhancement -
- Modified mapping for "targetProcessInfo.tgtProcCmdLine" from "target.command_line" to "target.process.command_line".
- Modified mapping for "targetProcessInfo.tgtFileHashSha1" from "target.file.sha1" to "target.process.file.sha1".
- Modified mapping for "targetProcessInfo.tgtFileHashSha256" from "target.file.sha256" to "target.process.file.sha256".
- Modified mapping for "targetProcessInfo.tgtFilePath" from "target.file.full_path" to "target.process.file.full_path".
- When "target.process" is not set, then update "metadata.event_type" to "STATUS_UPDATE".
2023-01-19 Enhancement -
- Mapped "source_hostname" to "principal.hostname".
2023-01-10 Enhancement -
- Added support to parse logs with alertinfo and threatinfo data.
2022-12-06 Fix -
- Parsed logs where agentIpV4 and agentIpV6 has more than one IP address.
2022-11-18 Enhancement -
Added support to parser logs with agentDetectionInfo by adding following mappings:
- Mapped "agentRealtimeInfo.agentId" to "principal.asset_id" and "principal.asset.asset_id".
- Mapped "agentDetectionInfo.accountId" to "metadata.product_deployment_id".
- Mapped "agentRealtimeInfo.agentMachineType" to "principal.asset.category".
- Mapped "threatInfo.classificationSource" to "security_result.category_details".
- Mapped "agentRealtimeInfo.agentOsType" to "principal.asset.platform_software.platform".
- Mapped "threatInfo.filePath" to "target.file.full_path".
- Mapped "threatInfo.fileSize" to "target.file.size".
- Mapped "threatInfo.sha256" to "target.file.sha256".
- Mapped "threatInfo.md5" to "target.file.md5".
- Mapped "agentRealtimeInfo.fileExtensionType" to "target.process.file.mime_type".
- Mapped "agentRealtimeInfo.agentVersion" to "metadata.product_version".
- Mapped "threatInfo.collectionId" to "metadata.ingestion_labels".
- Mapped "threatInfo.storyline" to "principal.process.product_specific_process_id".
- Mapped "agentDetectionInfo.siteName" to "principal.location.name".
- Mapped "agentDetectionInfo.siteId" to "principal.namespace".
- Mapped "agentDetectionInfo.agentDomain" to "principal.administrative_domain".
- Mapped "threatInfo.analystVerdictDescription" to "security_result.summary".
- Mapped "threatInfo.threatName" to "security_result.threat_name".
- Mapped "threatInfo.identifiedAt" to "metadata.event_timestamp".
- Mapped "threatInfo.createdAt" to "metadata.collected_timestamp".
- Mapped "agentDetectionInfo.agentIpV4" to "principal.ip".
- Mapped "agentDetectionInfo.agentIpV6" to "principal.ip".
- Mapped "agentDetectionInfo.agentRegisteredAt" to "principal.asset.first_discover_time".
- Mapped "threatInfo.sha1" to "target.file.sha1".
- Mapped "security_result.confidence" to "HIGH_CONFIDENCE" if "threatInfo.confidenceLevel" is malicious.
- Mapped "security_result.confidence" to "MEDIUM_CONFIDENCE" if "threatInfo.confidenceLevel" is suspicious.
2022-10-27 Enhancement -
- Mapped "agentMachineType" to "prinicipal.asset.category".
- Mapped "agentComputerName" to "principal.hostname" and "principal.asset.hostname".
- Mapped "fileContentHash" to "target.file.md5".
- Mapped "fileSha256" to "target.file.sha256".
- Mapped "filePath" to "target.file.full_path".
- Mapped "fileSize" to "target.file.size".
- Mapped "event_type" to "FILE_UNCATEGORIZED" where "fileContentHash" or "filePath" is not null.
- Mapped "agentDomain" to "principal.administrative_domain".
- Mapped "originatorProcess" to "target.process.parent_process.file.full_path".
- Mapped "threatName" to "target.file.names".
- Mapped "security_result.alert_state" to "ALERTING".
- Mapped "collectionId" to "metadata.ingestion_labels".
- Mapped "storyline" to "principal.process.product_specific_process_id".
- Mapped "metadata.vendor_name" to "SentinelOne".
- Mapped "metadata.product_event_type" to "Threats".
- Mapped "accountId" to "metadata.product_deployment_id".
2022-09-30 - Mapped "idm.is_alert" to true.
- Changed the create_time in log file to avoid larger than allowed timestamp issue.
2022-09-08 Newly created parser