Change log for SENTINELONE_ALERT
| Date | Changes |
|---|---|
| 2024-09-18 | Enhancement:
- Changed "siteId" mapping from "principal.namespace" to "additional.fields". |
| 2024-08-08 | Enhancement:
- Added support to parse additional fields. |
| 2024-05-27 | Enhancement:
- Removed "collectionId" from "metadata.ingestion_labels". |
| 2024-05-14 | - When "threatStatus.mitigationStatus" is "not_mitigated", then set "security_result.action" to "ALLOW" and "security_result.threat_status" to "ACTIVE".
- When "threatStatus.mitigationStatus" is "mitigated", then set "security_result.action" to "BLOCK" and "security_result.threat_status" to "CLEARED". |
| 2024-04-19 | - Mapped "threatInfo.externalTicketExists", "threatInfo.externalTicketId", "threatInfo.incidentStatus", "threatInfo.incidentStatusDescription", "threatInfo.initiatedBy", "threatInfo.initiatedByDescription", "threatInfo.initiatingUserId" and "threatInfo.initiatingUsername" to "security_result.detection_fields".
|
| 2024-03-12 | - Changed mapping of "threatInfo.detectionEngines" from "ingestion_labels" to "security_result.detection_fields".
|
| 2023-08-18 | - Mapped "threatInfo.threatName" to "principal.process.file.names".
- Mapped "threatInfo.originatorProcess" to "principal.process.parent_process.file.names". - Mapped "threatInfo.classificationSource" to "security_result.detection_fields". - Mapped "security_result.detection_fields" "detection_type" based on "threatInfo.classificationSource". - Mapped "threatInfo.processUser" to "principal.user.userid". |
| 2023-07-21 | - Added MITRE ATT&CK tactic and technique details mapping to "security_result.attack_details".
|
| 2023-06-07 | - Mapped "indicators.tactics.name" to "security_result.attack_details.tactics.name".
- Mapped "indicators.tactics.technique.name" to "security_result.attack_details.techniques.id". |
| 2023-05-23 | - Mapped "threatInfo.classification" and "alertInfo.source" to "security_result.category_details".
- Mapped "threatInfo.maliciousProcessArguments" to "principal.process.command_line". - Mapped "agentDetectionInfo.osRevision" to "principal.platform_patch_level", "principal.asset.platform_software.platform_patch_level". - Mapped "agentDetectionInfo.agentOsRevision" to "principal.platform_patch_level", "principal.asset.platform_software.platform_patch_level" if "agentDetectionInfo.osRevision" is null. - Mapped "agentDetectionInfo.osName" to "principal.platform_version", "principal.asset.platform_software.platform_version". - Mapped "agentDetectionInfo.agentOsName" to "principal.platform_version", "principal.asset.platform_software.platform_version" if "agentDetectionInfo.osName" is null. - Mapped "agentRealtimeInfo.agentOsType" to "principal.platform". - Mapped "ruleInfo.name" to "security_result.threat_name". |
| 2023-03-09 | Fix -
- Mapped "source_hostname" to "intermediary.hostname" instead of "principal.hostname". - Mapped "collectionId.key" to "alert_aggregation_value". |
| 2023-02-17 | Enhancement -
- If "source_hostname" is not null and "threatInfo.threatId" is not null then mapped ""https://"source_hostname"/incidents/threats/"threatInfo.threatId"/overview"" to "metadata.url_back_to_product". - If "source_hostname" is not null and "threatInfo.threatId" is null then mapped "https://"source_hostname" to "metadata.url_back_to_product". - Mapped "security_result.severity" for cases "ruleInfo.severity" in [critical, high, medium]. |
| 2023-02-02 | Enhancement -
- Modified mapping for "targetProcessInfo.tgtProcCmdLine" from "target.command_line" to "target.process.command_line". - Modified mapping for "targetProcessInfo.tgtFileHashSha1" from "target.file.sha1" to "target.process.file.sha1". - Modified mapping for "targetProcessInfo.tgtFileHashSha256" from "target.file.sha256" to "target.process.file.sha256". - Modified mapping for "targetProcessInfo.tgtFilePath" from "target.file.full_path" to "target.process.file.full_path". - When "target.process" is not set, then update "metadata.event_type" to "STATUS_UPDATE". |
| 2023-01-19 | Enhancement -
- Mapped "source_hostname" to "principal.hostname". |
| 2023-01-10 | Enhancement -
- Added support to parse logs with alertinfo and threatinfo data. |
| 2022-12-06 | Fix -
- Parsed logs where agentIpV4 and agentIpV6 has more than one IP address. |
| 2022-11-18 | Enhancement -
Added support to parser logs with agentDetectionInfo by adding following mappings: - Mapped "agentRealtimeInfo.agentId" to "principal.asset_id" and "principal.asset.asset_id". - Mapped "agentDetectionInfo.accountId" to "metadata.product_deployment_id". - Mapped "agentRealtimeInfo.agentMachineType" to "principal.asset.category". - Mapped "threatInfo.classificationSource" to "security_result.category_details". - Mapped "agentRealtimeInfo.agentOsType" to "principal.asset.platform_software.platform". - Mapped "threatInfo.filePath" to "target.file.full_path". - Mapped "threatInfo.fileSize" to "target.file.size". - Mapped "threatInfo.sha256" to "target.file.sha256". - Mapped "threatInfo.md5" to "target.file.md5". - Mapped "agentRealtimeInfo.fileExtensionType" to "target.process.file.mime_type". - Mapped "agentRealtimeInfo.agentVersion" to "metadata.product_version". - Mapped "threatInfo.collectionId" to "metadata.ingestion_labels". - Mapped "threatInfo.storyline" to "principal.process.product_specific_process_id". - Mapped "agentDetectionInfo.siteName" to "principal.location.name". - Mapped "agentDetectionInfo.siteId" to "principal.namespace". - Mapped "agentDetectionInfo.agentDomain" to "principal.administrative_domain". - Mapped "threatInfo.analystVerdictDescription" to "security_result.summary". - Mapped "threatInfo.threatName" to "security_result.threat_name". - Mapped "threatInfo.identifiedAt" to "metadata.event_timestamp". - Mapped "threatInfo.createdAt" to "metadata.collected_timestamp". - Mapped "agentDetectionInfo.agentIpV4" to "principal.ip". - Mapped "agentDetectionInfo.agentIpV6" to "principal.ip". - Mapped "agentDetectionInfo.agentRegisteredAt" to "principal.asset.first_discover_time". - Mapped "threatInfo.sha1" to "target.file.sha1". - Mapped "security_result.confidence" to "HIGH_CONFIDENCE" if "threatInfo.confidenceLevel" is malicious. - Mapped "security_result.confidence" to "MEDIUM_CONFIDENCE" if "threatInfo.confidenceLevel" is suspicious. |
| 2022-10-27 | Enhancement -
- Mapped "agentMachineType" to "prinicipal.asset.category". - Mapped "agentComputerName" to "principal.hostname" and "principal.asset.hostname". - Mapped "fileContentHash" to "target.file.md5". - Mapped "fileSha256" to "target.file.sha256". - Mapped "filePath" to "target.file.full_path". - Mapped "fileSize" to "target.file.size". - Mapped "event_type" to "FILE_UNCATEGORIZED" where "fileContentHash" or "filePath" is not null. - Mapped "agentDomain" to "principal.administrative_domain". - Mapped "originatorProcess" to "target.process.parent_process.file.full_path". - Mapped "threatName" to "target.file.names". - Mapped "security_result.alert_state" to "ALERTING". - Mapped "collectionId" to "metadata.ingestion_labels". - Mapped "storyline" to "principal.process.product_specific_process_id". - Mapped "metadata.vendor_name" to "SentinelOne". - Mapped "metadata.product_event_type" to "Threats". - Mapped "accountId" to "metadata.product_deployment_id". |
| 2022-09-30 | - Mapped "idm.is_alert" to true.
- Changed the create_time in log file to avoid larger than allowed timestamp issue. |
| 2022-09-08 | Newly created parser
|