From 1195d0c6576281fed5b2333cb84b1bb0a532eadb Mon Sep 17 00:00:00 2001 From: Jayesh Prajapati Date: Fri, 13 Oct 2023 16:39:37 +0530 Subject: [PATCH 1/5] Added few more activities related to Two Factor authentication as User Management suggested by reviewer --- .../ASimUserManagementSentinelOne.yaml | 61 +- .../Parsers/vimUserManagementSentinelOne.yaml | 101 ++- ...entinelOne_ASimUserManagement_DataTest.csv | 26 +- ...tinelOne_ASimUserManagement_SchemaTest.csv | 14 + ...SentinelOne_vimUserManagement_DataTest.csv | 26 +- ...ntinelOne_vimUserManagement_SchemaTest.csv | 14 + ...nelOne_ASimUserManagement_IngestedLogs.csv | 46 +- ...entinelOne_ASimUserManagement_RawLogs.json | 634 ++++++++++++++++++ 8 files changed, 822 insertions(+), 100 deletions(-) diff --git a/Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml b/Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml index 57a5450cc62..6af3d2d43b3 100644 --- a/Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml +++ b/Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml @@ -1,7 +1,7 @@ Parser: Title: User Management ASIM parser for SentinelOne - Version: '0.1.0' - LastUpdated: Aug 24, 2023 + Version: '0.1.1' + LastUpdated: Oct 05, 2023 Product: Name: SentinelOne Normalization: @@ -48,22 +48,50 @@ ParserQuery: | 5006, "GroupDeleted", "Group Deleted", "", 5008, "GroupCreated", "User created a Manual or Pinned Group", "", 5011, "GroupModified", "Group Policy Reverted", "Newpolicy", + 67, "", "User 2FA Modified", "", + 145, "UserModified", "Enroll 2FA", "", + 146, "UserModified", "Reset 2FA", "", + 42, "", "Global 2FA modified", "", + 147, "UserModified", "User Configured 2FA", "" ]; + let UsermanagementactivityIds = dynamic([23, 24, 25, 37, 102, 110, 111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 3715, 5006, 5008, 5011, 67, 145, 146, 42, 147]); let parser = (disabled: bool=false) { - SentinelOne_CL - | where not(disabled) - and event_name_s == "Activities." - and activityType_d in (23, 24, 25, 37, 102, 110, 111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 3715, 5006, 5008, 5011) - | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string) with (pair_delimiter=",", kv_delimiter=":", quote='"') - | parse modifiedFields with 'Modified fields: ' ModifiedFields:string - | parse description_s with * "with id=" id: string "," restOfMessage - | lookup EventTypeLookup on activityType_d + let alldata = SentinelOne_CL + | where not(disabled) + | where event_name_s == "Activities." + and activityType_d in (UsermanagementactivityIds) + | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string, newValue: string) with (pair_delimiter=",", kv_delimiter=":", quote='"') + | parse modifiedFields with 'Modified fields: ' ModifiedFields: string + | parse description_s with * "with id=" id: string "," restOfMessage + | lookup EventTypeLookup on activityType_d; + let enableddisabled = alldata + | where activityType_d in (67, 42) + | extend + EventType = iff(primaryDescription_s has "enabled", "UserEnabled", "UserDisabled"), + PreviousPropertyValue = iff(primaryDescription_s has "enabled", "disabled", "enabled"), + NewPropertyValue = iff(primaryDescription_s has "enabled", "enabled", "disabled"); + let otherdata = alldata + | where activityType_d !in(67, 42) + | extend + PreviousPropertyValue = case( + activityType_d == 141 and descriptionChanged == "true", + oldDescription, + activityType_d == 141 and descriptionChanged == "false", + oldRole, + "" + ), + NewPropertyValue = case( + activityType_d == 141 and descriptionChanged == "true", + description, + activityType_d == 141 and descriptionChanged == "false", + role, + "" + ); + union enableddisabled, otherdata | extend ActorUsername = iff(activityType_d == 102, "SentinelOne", coalesce(byUser, username, email)), GroupName = coalesce(group, groupName, name), - TargetUsername = iff(isnotempty(byUser), username, ""), - PreviousPropertyValue = coalesce(oldDescription, oldRole), - NewPropertyValue = coalesce(description, role) + TargetUsername = iff(isnotempty(byUser) or activityType_d in (147, 42), username, "") | extend GroupName = iff(GroupName == "null", "", GroupName) | project-rename EventStartTime = createdAt_t, @@ -89,8 +117,8 @@ ParserQuery: | IpAddr = SrcIpAddr, User = ActorUsername, UpdatedPropertyName = EventSubType, - ActorUserIdType = iff(isnotempty(ActorUserId),"Other",""), - ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId), + ActorUserIdType = iff(isnotempty(ActorUserId), "Other", ""), + ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId), ActorUsernameType = _ASIM_GetUsernameType(ActorUsername), GroupIdType = iff(isnotempty(GroupId), "UID", ""), GroupNameType = iff(isnotempty(GroupName), "Simple", ""), @@ -139,6 +167,7 @@ ParserQuery: | Computer, MG, ManagementGroupName, - SourceSystem + SourceSystem, + newValue }; parser(disabled=disabled) \ No newline at end of file diff --git a/Parsers/ASimUserManagement/Parsers/vimUserManagementSentinelOne.yaml b/Parsers/ASimUserManagement/Parsers/vimUserManagementSentinelOne.yaml index 78fd4e9d92c..e60161ddc58 100644 --- a/Parsers/ASimUserManagement/Parsers/vimUserManagementSentinelOne.yaml +++ b/Parsers/ASimUserManagement/Parsers/vimUserManagementSentinelOne.yaml @@ -1,7 +1,7 @@ Parser: Title: User Management ASIM parser for SentinelOne - Version: '0.1.0' - LastUpdated: Aug 24, 2023 + Version: '0.1.1' + LastUpdated: Oct 05, 2023 Product: Name: SentinelOne Normalization: @@ -66,36 +66,64 @@ ParserQuery: | 5006, "GroupDeleted", "Group Deleted", "", 5008, "GroupCreated", "User created a Manual or Pinned Group", "", 5011, "GroupModified", "Group Policy Reverted", "Newpolicy", + 67, "", "User 2FA Modified", "", + 145, "UserModified", "Enroll 2FA", "", + 146, "UserModified", "Reset 2FA", "", + 42, "", "Global 2FA modified", "", + 147, "UserModified", "User Configured 2FA", "" ]; + let UsermanagementactivityIds = dynamic([23, 24, 25, 37, 102, 110, 111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 3715, 5006, 5008, 5011, 67, 145, 146, 42, 147]); let parser = ( - starttime:datetime=datetime(null), - endtime:datetime=datetime(null), - srcipaddr_has_any_prefix: dynamic=dynamic([]), - targetusername_has_any: dynamic=dynamic([]), - actorusername_has_any: dynamic=dynamic([]), - eventtype_in: dynamic=dynamic([]), - disabled:bool=false - ) { - SentinelOne_CL - | where not(disabled) - and event_name_s == "Activities." - and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) - and activityType_d in (23, 24, 25, 37, 102, 110, 111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 3715, 5006, 5008, 5011) - and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(DataFields_s, srcipaddr_has_any_prefix)) - and (array_length(targetusername_has_any) == 0 or DataFields_s has_any (targetusername_has_any)) - and (array_length(actorusername_has_any) == 0 or DataFields_s has_any (actorusername_has_any)) - | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string) with (pair_delimiter=",", kv_delimiter=":", quote='"') - | where array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ipAddress, srcipaddr_has_any_prefix) - | parse modifiedFields with 'Modified fields: ' ModifiedFields:string - | parse description_s with * "with id=" id: string "," restOfMessage - | lookup EventTypeLookup on activityType_d + starttime: datetime=datetime(null), + endtime: datetime=datetime(null), + srcipaddr_has_any_prefix: dynamic=dynamic([]), + targetusername_has_any: dynamic=dynamic([]), + actorusername_has_any: dynamic=dynamic([]), + eventtype_in: dynamic=dynamic([]), + disabled: bool=false + ) { + let alldata = SentinelOne_CL + | where not(disabled) + | where event_name_s == "Activities." + and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) + and activityType_d in (UsermanagementactivityIds) + and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(DataFields_s, srcipaddr_has_any_prefix)) + and (array_length(targetusername_has_any) == 0 or DataFields_s has_any (targetusername_has_any)) + and (array_length(actorusername_has_any) == 0 or DataFields_s has_any (actorusername_has_any)) + | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string, newValue: string) with (pair_delimiter=",", kv_delimiter=":", quote='"') + | where array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ipAddress, srcipaddr_has_any_prefix) + | parse modifiedFields with 'Modified fields: ' ModifiedFields: string + | parse description_s with * "with id=" id: string "," restOfMessage + | lookup EventTypeLookup on activityType_d; + let enableddisabled = alldata + | where activityType_d in (67, 42) + | extend + EventType = iff(primaryDescription_s has "enabled", "UserEnabled", "UserDisabled"), + PreviousPropertyValue = iff(primaryDescription_s has "enabled", "disabled", "enabled"), + NewPropertyValue = iff(primaryDescription_s has "enabled", "enabled", "disabled"); + let otherdata = alldata + | where activityType_d !in(67, 42) + | extend + PreviousPropertyValue = case( + activityType_d == 141 and descriptionChanged == "true", + oldDescription, + activityType_d == 141 and descriptionChanged == "false", + oldRole, + "" + ), + NewPropertyValue = case( + activityType_d == 141 and descriptionChanged == "true", + description, + activityType_d == 141 and descriptionChanged == "false", + role, + "" + ); + union enableddisabled, otherdata | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in))) | extend ActorUsername = iff(activityType_d == 102, "SentinelOne", coalesce(byUser, username, email)), GroupName = coalesce(group, groupName, name), - TargetUsername = iff(isnotempty(byUser), username, ""), - PreviousPropertyValue = coalesce(oldDescription, oldRole), - NewPropertyValue = coalesce(description, role) + TargetUsername = iff(isnotempty(byUser) or activityType_d in (147, 42), username, "") | where (array_length(targetusername_has_any) == 0 or TargetUsername has_any (targetusername_has_any)) and (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any)) | extend GroupName = iff(GroupName == "null", "", GroupName) @@ -123,8 +151,8 @@ ParserQuery: | IpAddr = SrcIpAddr, User = ActorUsername, UpdatedPropertyName = EventSubType, - ActorUserIdType = iff(isnotempty(ActorUserId),"Other",""), - ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId), + ActorUserIdType = iff(isnotempty(ActorUserId), "Other", ""), + ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId), ActorUsernameType = _ASIM_GetUsernameType(ActorUsername), GroupIdType = iff(isnotempty(GroupId), "UID", ""), GroupNameType = iff(isnotempty(GroupName), "Simple", ""), @@ -173,14 +201,15 @@ ParserQuery: | Computer, MG, ManagementGroupName, - SourceSystem + SourceSystem, + newValue }; parser( - starttime = starttime, - endtime = endtime, - srcipaddr_has_any_prefix = srcipaddr_has_any_prefix , - targetusername_has_any = targetusername_has_any, - actorusername_has_any = actorusername_has_any, - eventtype_in = eventtype_in, - disabled = disabled + starttime = starttime, + endtime = endtime, + srcipaddr_has_any_prefix = srcipaddr_has_any_prefix, + targetusername_has_any = targetusername_has_any, + actorusername_has_any = actorusername_has_any, + eventtype_in = eventtype_in, + disabled = disabled ) \ No newline at end of file diff --git a/Parsers/ASimUserManagement/Tests/SentinelOne_ASimUserManagement_DataTest.csv b/Parsers/ASimUserManagement/Tests/SentinelOne_ASimUserManagement_DataTest.csv index 114a38bd4d2..07050711c52 100644 --- a/Parsers/ASimUserManagement/Tests/SentinelOne_ASimUserManagement_DataTest.csv +++ b/Parsers/ASimUserManagement/Tests/SentinelOne_ASimUserManagement_DataTest.csv @@ -1,15 +1,15 @@ Result -"(0) Error: 4 invalid value(s) (up to 10 listed) in 32 records (52.46%) for field [EventSubType] of type [Enumerated]: [""MultipleProperties"",""PreviousPermissions"",""NewPermissions"",""Newpolicy""] (Schema:UserManagement)" +"(0) Error: 4 invalid value(s) (up to 10 listed) in 32 records (35.96%) for field [EventSubType] of type [Enumerated]: [""MultipleProperties"",""PreviousPermissions"",""NewPermissions"",""Newpolicy""] (Schema:UserManagement)" "(0) Error: type mismatch for column [SrcIpAddr]. It is currently [string] and should be [IP address] (Schema:UserManagement)" -"(2) Info: Empty value in 29 records (47.54%) in optional field [EventSubType] (Schema:UserManagement)" -"(2) Info: Empty value in 44 records (72.13%) in optional field [ActorUserId] (Schema:UserManagement)" -"(2) Info: Empty value in 54 records (88.52%) in optional field [GroupIdType] (Schema:UserManagement)" -"(2) Info: Empty value in 54 records (88.52%) in optional field [GroupId] (Schema:UserManagement)" -"(2) Info: Empty value in 54 records (88.52%) in optional field [GroupNameType] (Schema:UserManagement)" -"(2) Info: Empty value in 54 records (88.52%) in optional field [GroupName] (Schema:UserManagement)" -"(2) Info: Empty value in 54 records (88.52%) in optional field [GroupOriginalType] (Schema:UserManagement)" -"(2) Info: Empty value in 54 records (88.52%) in optional field [GroupType] (Schema:UserManagement)" -"(2) Info: Empty value in 59 records (96.72%) in optional field [PreviousPropertyValue] (Schema:UserManagement)" -"(2) Info: Empty value in 7 records (11.48%) in optional field [NewPropertyValue] (Schema:UserManagement)" -"(2) Info: Empty value in 8 records (13.11%) in optional field [TargetUserType] (Schema:UserManagement)" -"(2) Info: Empty value in 8 records (13.11%) in optional field [TargetUsername] (Schema:UserManagement)" +"(2) Info: Empty value in 57 records (64.04%) in optional field [EventSubType] (Schema:UserManagement)" +"(2) Info: Empty value in 72 records (80.9%) in optional field [ActorUserId] (Schema:UserManagement)" +"(2) Info: Empty value in 73 records (82.02%) in optional field [NewPropertyValue] (Schema:UserManagement)" +"(2) Info: Empty value in 73 records (82.02%) in optional field [PreviousPropertyValue] (Schema:UserManagement)" +"(2) Info: Empty value in 8 records (8.99%) in optional field [TargetUserType] (Schema:UserManagement)" +"(2) Info: Empty value in 8 records (8.99%) in optional field [TargetUsername] (Schema:UserManagement)" +"(2) Info: Empty value in 82 records (92.13%) in optional field [GroupIdType] (Schema:UserManagement)" +"(2) Info: Empty value in 82 records (92.13%) in optional field [GroupId] (Schema:UserManagement)" +"(2) Info: Empty value in 82 records (92.13%) in optional field [GroupNameType] (Schema:UserManagement)" +"(2) Info: Empty value in 82 records (92.13%) in optional field [GroupName] (Schema:UserManagement)" +"(2) Info: Empty value in 82 records (92.13%) in optional field [GroupOriginalType] (Schema:UserManagement)" +"(2) Info: Empty value in 82 records (92.13%) in optional field [GroupType] (Schema:UserManagement)" diff --git a/Parsers/ASimUserManagement/Tests/SentinelOne_ASimUserManagement_SchemaTest.csv b/Parsers/ASimUserManagement/Tests/SentinelOne_ASimUserManagement_SchemaTest.csv index 2a84a67791a..dc7fb7e17d7 100644 --- a/Parsers/ASimUserManagement/Tests/SentinelOne_ASimUserManagement_SchemaTest.csv +++ b/Parsers/ASimUserManagement/Tests/SentinelOne_ASimUserManagement_SchemaTest.csv @@ -10,6 +10,7 @@ "(1) Warning: Missing recommended field [SrcDomain]" "(1) Warning: Missing recommended field [SrcHostname]" "(1) Warning: Missing recommended field [Src]" +"(2) Info: Missing optional alias [Rule] aliasing non-existent column [RuleName]" "(2) Info: Missing optional field [ActingAppId]" "(2) Info: Missing optional field [ActingAppType]" "(2) Info: Missing optional field [ActiveAppName]" @@ -30,6 +31,8 @@ "(2) Info: Missing optional field [EventProductVersion]" "(2) Info: Missing optional field [EventReportUrl]" "(2) Info: Missing optional field [HttpUserAgent]" +"(2) Info: Missing optional field [RuleName]" +"(2) Info: Missing optional field [RuleNumber]" "(2) Info: Missing optional field [SrcDeviceType]" "(2) Info: Missing optional field [SrcDvcId]" "(2) Info: Missing optional field [SrcDvcScopeId]" @@ -42,6 +45,17 @@ "(2) Info: Missing optional field [SrcGeoRegion]" "(2) Info: Missing optional field [TargetOriginalUserType]" "(2) Info: Missing optional field [TargetUserId]" +"(2) Info: Missing optional field [ThreatCategory]" +"(2) Info: Missing optional field [ThreatConfidence]" +"(2) Info: Missing optional field [ThreatField]" +"(2) Info: Missing optional field [ThreatFirstReportedTime]" +"(2) Info: Missing optional field [ThreatId]" +"(2) Info: Missing optional field [ThreatIsActive]" +"(2) Info: Missing optional field [ThreatLastReportedTime]" +"(2) Info: Missing optional field [ThreatName]" +"(2) Info: Missing optional field [ThreatOriginalConfidence]" +"(2) Info: Missing optional field [ThreatOriginalRiskLevel]" +"(2) Info: Missing optional field [ThreatRiskLevel]" "(2) Info: Missing recommended alias [Hostname] aliasing non-existent column [DvcHostname]" "(2) Info: extra unnormalized column [TimeGenerated]" "(2) Info: extra unnormalized column [Type]" diff --git a/Parsers/ASimUserManagement/Tests/SentinelOne_vimUserManagement_DataTest.csv b/Parsers/ASimUserManagement/Tests/SentinelOne_vimUserManagement_DataTest.csv index 114a38bd4d2..07050711c52 100644 --- a/Parsers/ASimUserManagement/Tests/SentinelOne_vimUserManagement_DataTest.csv +++ b/Parsers/ASimUserManagement/Tests/SentinelOne_vimUserManagement_DataTest.csv @@ -1,15 +1,15 @@ Result -"(0) Error: 4 invalid value(s) (up to 10 listed) in 32 records (52.46%) for field [EventSubType] of type [Enumerated]: [""MultipleProperties"",""PreviousPermissions"",""NewPermissions"",""Newpolicy""] (Schema:UserManagement)" +"(0) Error: 4 invalid value(s) (up to 10 listed) in 32 records (35.96%) for field [EventSubType] of type [Enumerated]: [""MultipleProperties"",""PreviousPermissions"",""NewPermissions"",""Newpolicy""] (Schema:UserManagement)" "(0) Error: type mismatch for column [SrcIpAddr]. It is currently [string] and should be [IP address] (Schema:UserManagement)" -"(2) Info: Empty value in 29 records (47.54%) in optional field [EventSubType] (Schema:UserManagement)" -"(2) Info: Empty value in 44 records (72.13%) in optional field [ActorUserId] (Schema:UserManagement)" -"(2) Info: Empty value in 54 records (88.52%) in optional field [GroupIdType] (Schema:UserManagement)" -"(2) Info: Empty value in 54 records (88.52%) in optional field [GroupId] (Schema:UserManagement)" -"(2) Info: Empty value in 54 records (88.52%) in optional field [GroupNameType] (Schema:UserManagement)" -"(2) Info: Empty value in 54 records (88.52%) in optional field [GroupName] (Schema:UserManagement)" -"(2) Info: Empty value in 54 records (88.52%) in optional field [GroupOriginalType] (Schema:UserManagement)" -"(2) Info: Empty value in 54 records (88.52%) in optional field [GroupType] (Schema:UserManagement)" -"(2) Info: Empty value in 59 records (96.72%) in optional field [PreviousPropertyValue] (Schema:UserManagement)" -"(2) Info: Empty value in 7 records (11.48%) in optional field [NewPropertyValue] (Schema:UserManagement)" -"(2) Info: Empty value in 8 records (13.11%) in optional field [TargetUserType] (Schema:UserManagement)" -"(2) Info: Empty value in 8 records (13.11%) in optional field [TargetUsername] (Schema:UserManagement)" +"(2) Info: Empty value in 57 records (64.04%) in optional field [EventSubType] (Schema:UserManagement)" +"(2) Info: Empty value in 72 records (80.9%) in optional field [ActorUserId] (Schema:UserManagement)" +"(2) Info: Empty value in 73 records (82.02%) in optional field [NewPropertyValue] (Schema:UserManagement)" +"(2) Info: Empty value in 73 records (82.02%) in optional field [PreviousPropertyValue] (Schema:UserManagement)" +"(2) Info: Empty value in 8 records (8.99%) in optional field [TargetUserType] (Schema:UserManagement)" +"(2) Info: Empty value in 8 records (8.99%) in optional field [TargetUsername] (Schema:UserManagement)" +"(2) Info: Empty value in 82 records (92.13%) in optional field [GroupIdType] (Schema:UserManagement)" +"(2) Info: Empty value in 82 records (92.13%) in optional field [GroupId] (Schema:UserManagement)" +"(2) Info: Empty value in 82 records (92.13%) in optional field [GroupNameType] (Schema:UserManagement)" +"(2) Info: Empty value in 82 records (92.13%) in optional field [GroupName] (Schema:UserManagement)" +"(2) Info: Empty value in 82 records (92.13%) in optional field [GroupOriginalType] (Schema:UserManagement)" +"(2) Info: Empty value in 82 records (92.13%) in optional field [GroupType] (Schema:UserManagement)" diff --git a/Parsers/ASimUserManagement/Tests/SentinelOne_vimUserManagement_SchemaTest.csv b/Parsers/ASimUserManagement/Tests/SentinelOne_vimUserManagement_SchemaTest.csv index 5c8362233ee..405a2e89dcd 100644 --- a/Parsers/ASimUserManagement/Tests/SentinelOne_vimUserManagement_SchemaTest.csv +++ b/Parsers/ASimUserManagement/Tests/SentinelOne_vimUserManagement_SchemaTest.csv @@ -10,6 +10,7 @@ Result "(1) Warning: Missing recommended field [SrcDomain]" "(1) Warning: Missing recommended field [SrcHostname]" "(1) Warning: Missing recommended field [Src]" +"(2) Info: Missing optional alias [Rule] aliasing non-existent column [RuleName]" "(2) Info: Missing optional field [ActingAppId]" "(2) Info: Missing optional field [ActingAppType]" "(2) Info: Missing optional field [ActiveAppName]" @@ -30,6 +31,8 @@ Result "(2) Info: Missing optional field [EventProductVersion]" "(2) Info: Missing optional field [EventReportUrl]" "(2) Info: Missing optional field [HttpUserAgent]" +"(2) Info: Missing optional field [RuleName]" +"(2) Info: Missing optional field [RuleNumber]" "(2) Info: Missing optional field [SrcDeviceType]" "(2) Info: Missing optional field [SrcDvcId]" "(2) Info: Missing optional field [SrcDvcScopeId]" @@ -42,6 +45,17 @@ Result "(2) Info: Missing optional field [SrcGeoRegion]" "(2) Info: Missing optional field [TargetOriginalUserType]" "(2) Info: Missing optional field [TargetUserId]" +"(2) Info: Missing optional field [ThreatCategory]" +"(2) Info: Missing optional field [ThreatConfidence]" +"(2) Info: Missing optional field [ThreatField]" +"(2) Info: Missing optional field [ThreatFirstReportedTime]" +"(2) Info: Missing optional field [ThreatId]" +"(2) Info: Missing optional field [ThreatIsActive]" +"(2) Info: Missing optional field [ThreatLastReportedTime]" +"(2) Info: Missing optional field [ThreatName]" +"(2) Info: Missing optional field [ThreatOriginalConfidence]" +"(2) Info: Missing optional field [ThreatOriginalRiskLevel]" +"(2) Info: Missing optional field [ThreatRiskLevel]" "(2) Info: Missing recommended alias [Hostname] aliasing non-existent column [DvcHostname]" "(2) Info: extra unnormalized column [TimeGenerated]" "(2) Info: extra unnormalized column [Type]" diff --git a/Sample Data/ASIM/SentinelOne_ASimUserManagement_IngestedLogs.csv b/Sample Data/ASIM/SentinelOne_ASimUserManagement_IngestedLogs.csv index 99cece1493e..5a10b044826 100644 --- a/Sample Data/ASIM/SentinelOne_ASimUserManagement_IngestedLogs.csv +++ b/Sample Data/ASIM/SentinelOne_ASimUserManagement_IngestedLogs.csv @@ -1,23 +1,25 @@ TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,alertInfo_indicatorDescription_s,alertInfo_indicatorName_s,targetProcessInfo_tgtFileOldPath_s,alertInfo_indicatorCategory_s,alertInfo_registryOldValue_g,alertInfo_dstIp_s,alertInfo_dstPort_s,alertInfo_netEventDirection_s,alertInfo_srcIp_s,alertInfo_srcPort_s,containerInfo_id_s,targetProcessInfo_tgtFileId_g,alertInfo_registryOldValue_s,alertInfo_registryOldValueType_s,alertInfo_dnsRequest_s,alertInfo_dnsResponse_s,alertInfo_registryKeyPath_s,alertInfo_registryPath_s,alertInfo_registryValue_g,ruleInfo_description_s,alertInfo_registryValue_s,alertInfo_loginAccountDomain_s,alertInfo_loginAccountSid_s,alertInfo_loginIsAdministratorEquivalent_s,alertInfo_loginIsSuccessful_s,alertInfo_loginType_s,alertInfo_loginsUserName_s,alertInfo_srcMachineIp_s,targetProcessInfo_tgtProcCmdLine_s,targetProcessInfo_tgtProcImagePath_s,targetProcessInfo_tgtProcName_s,targetProcessInfo_tgtProcPid_s,targetProcessInfo_tgtProcSignedStatus_s,targetProcessInfo_tgtProcStorylineId_s,targetProcessInfo_tgtProcUid_s,sourceParentProcessInfo_storyline_g,sourceParentProcessInfo_uniqueId_g,sourceProcessInfo_storyline_g,sourceProcessInfo_uniqueId_g,targetProcessInfo_tgtProcStorylineId_g,targetProcessInfo_tgtProcUid_g,agentDetectionInfo_machineType_s,agentDetectionInfo_name_s,agentDetectionInfo_osFamily_s,agentDetectionInfo_osName_s,agentDetectionInfo_osRevision_s,agentDetectionInfo_uuid_g,agentDetectionInfo_version_s,agentRealtimeInfo_id_s,agentRealtimeInfo_infected_b,agentRealtimeInfo_isActive_b,agentRealtimeInfo_isDecommissioned_b,agentRealtimeInfo_machineType_s,agentRealtimeInfo_name_s,agentRealtimeInfo_os_s,agentRealtimeInfo_uuid_g,alertInfo_alertId_s,alertInfo_analystVerdict_s,alertInfo_createdAt_t [UTC],alertInfo_dvEventId_s,alertInfo_eventType_s,alertInfo_hitType_s,alertInfo_incidentStatus_s,alertInfo_isEdr_b,alertInfo_reportedAt_t [UTC],alertInfo_source_s,alertInfo_updatedAt_t [UTC],ruleInfo_id_s,ruleInfo_name_s,ruleInfo_queryLang_s,ruleInfo_queryType_s,ruleInfo_s1ql_s,ruleInfo_scopeLevel_s,ruleInfo_severity_s,ruleInfo_treatAsThreat_s,sourceParentProcessInfo_commandline_s,sourceParentProcessInfo_fileHashMd5_g,sourceParentProcessInfo_fileHashSha1_s,sourceParentProcessInfo_fileHashSha256_s,sourceParentProcessInfo_filePath_s,sourceParentProcessInfo_fileSignerIdentity_s,sourceParentProcessInfo_integrityLevel_s,sourceParentProcessInfo_name_s,sourceParentProcessInfo_pid_s,sourceParentProcessInfo_pidStarttime_t [UTC],sourceParentProcessInfo_storyline_s,sourceParentProcessInfo_subsystem_s,sourceParentProcessInfo_uniqueId_s,sourceParentProcessInfo_user_s,sourceProcessInfo_commandline_s,sourceProcessInfo_fileHashMd5_g,sourceProcessInfo_fileHashSha1_s,sourceProcessInfo_fileHashSha256_s,sourceProcessInfo_filePath_s,sourceProcessInfo_fileSignerIdentity_s,sourceProcessInfo_integrityLevel_s,sourceProcessInfo_name_s,sourceProcessInfo_pid_s,sourceProcessInfo_pidStarttime_t [UTC],sourceProcessInfo_storyline_s,sourceProcessInfo_subsystem_s,sourceProcessInfo_uniqueId_s,sourceProcessInfo_user_s,targetProcessInfo_tgtFileCreatedAt_t [UTC],targetProcessInfo_tgtFileHashSha1_s,targetProcessInfo_tgtFileHashSha256_s,targetProcessInfo_tgtFileId_s,targetProcessInfo_tgtFileIsSigned_s,targetProcessInfo_tgtFileModifiedAt_t [UTC],targetProcessInfo_tgtFilePath_s,targetProcessInfo_tgtProcIntegrityLevel_s,targetProcessInfo_tgtProcessStartTime_t [UTC],agentUpdatedVersion_s,agentId_s,hash_s,osFamily_s,threatId_s,creator_s,creatorId_s,inherits_b,isDefault_b,name_s,registrationToken_s,totalAgents_d,type_s,agentDetectionInfo_accountId_s,agentDetectionInfo_accountName_s,agentDetectionInfo_agentDetectionState_s,agentDetectionInfo_agentDomain_s,agentDetectionInfo_agentIpV4_s,agentDetectionInfo_agentIpV6_s,agentDetectionInfo_agentLastLoggedInUserName_s,agentDetectionInfo_agentMitigationMode_s,agentDetectionInfo_agentOsName_s,agentDetectionInfo_agentOsRevision_s,agentDetectionInfo_agentRegisteredAt_t [UTC],agentDetectionInfo_agentUuid_g,agentDetectionInfo_agentVersion_s,agentDetectionInfo_externalIp_s,agentDetectionInfo_groupId_s,agentDetectionInfo_groupName_s,agentDetectionInfo_siteId_s,agentDetectionInfo_siteName_s,agentRealtimeInfo_accountId_s,agentRealtimeInfo_accountName_s,agentRealtimeInfo_activeThreats_d,agentRealtimeInfo_agentComputerName_s,agentRealtimeInfo_agentDomain_s,agentRealtimeInfo_agentId_s,agentRealtimeInfo_agentInfected_b,agentRealtimeInfo_agentIsActive_b,agentRealtimeInfo_agentIsDecommissioned_b,agentRealtimeInfo_agentMachineType_s,agentRealtimeInfo_agentMitigationMode_s,agentRealtimeInfo_agentNetworkStatus_s,agentRealtimeInfo_agentOsName_s,agentRealtimeInfo_agentOsRevision_s,agentRealtimeInfo_agentOsType_s,agentRealtimeInfo_agentUuid_g,agentRealtimeInfo_agentVersion_s,agentRealtimeInfo_groupId_s,agentRealtimeInfo_groupName_s,agentRealtimeInfo_networkInterfaces_s,agentRealtimeInfo_operationalState_s,agentRealtimeInfo_rebootRequired_b,agentRealtimeInfo_scanFinishedAt_t [UTC],agentRealtimeInfo_scanStartedAt_t [UTC],agentRealtimeInfo_scanStatus_s,agentRealtimeInfo_siteId_s,agentRealtimeInfo_siteName_s,agentRealtimeInfo_userActionsNeeded_s,indicators_s,mitigationStatus_s,threatInfo_analystVerdict_s,threatInfo_analystVerdictDescription_s,threatInfo_automaticallyResolved_b,threatInfo_certificateId_s,threatInfo_classification_s,threatInfo_classificationSource_s,threatInfo_cloudFilesHashVerdict_s,threatInfo_collectionId_s,threatInfo_confidenceLevel_s,threatInfo_createdAt_t [UTC],threatInfo_detectionEngines_s,threatInfo_detectionType_s,threatInfo_engines_s,threatInfo_externalTicketExists_b,threatInfo_failedActions_b,threatInfo_fileExtension_s,threatInfo_fileExtensionType_s,threatInfo_filePath_s,threatInfo_fileSize_d,threatInfo_fileVerificationType_s,threatInfo_identifiedAt_t [UTC],threatInfo_incidentStatus_s,threatInfo_incidentStatusDescription_s,threatInfo_initiatedBy_s,threatInfo_initiatedByDescription_s,threatInfo_isFileless_b,threatInfo_isValidCertificate_b,threatInfo_mitigatedPreemptively_b,threatInfo_mitigationStatus_s,threatInfo_mitigationStatusDescription_s,threatInfo_originatorProcess_s,threatInfo_pendingActions_b,threatInfo_processUser_s,threatInfo_publisherName_s,threatInfo_reachedarthentsLimit_b,threatInfo_rebootRequired_b,threatInfo_sha1_s,threatInfo_storyline_s,threatInfo_threatId_s,threatInfo_threatName_s,threatInfo_updatedAt_t [UTC],whiteningOptions_s,threatInfo_maliciousProcessArguments_s,threatInfo_fileExtension_g,threatInfo_threatName_g,threatInfo_storyline_g,accountId_s,accountName_s,activityType_d,activityUuid_g,createdAt_t [UTC],id_s,primaryDescription_s,secondaryDescription_s,siteId_s,siteName_s,updatedAt_t [UTC],userId_s,event_name_s,DataFields_s,description_s,comments_s,activeDirectory_computerMemberOf_s,activeDirectory_lastUserMemberOf_s,activeThreats_d,agentVersion_s,allowRemoteShell_b,appsVulnerabilityStatus_s,computerName_s,consoleMigrationStatus_s,coreCount_d,cpuCount_d,cpuId_s,detectionState_s,domain_s,encryptedApplications_b,externalId_s,externalIp_s,firewallEnabled_b,firstFullModeTime_t [UTC],fullDiskScanLastUpdatedAt_t [UTC],groupId_s,groupIp_s,groupName_s,inRemoteShellSession_b,infected_b,installerType_s,isActive_b,isDecommissioned_b,isPendingUninstall_b,isUninstalled_b,isUpToDate_b,lastActiveDate_t [UTC],lastIpToMgmt_s,lastLoggedInUserName_s,licenseKey_s,locationEnabled_b,locationType_s,locations_s,machineType_s,mitigationMode_s,mitigationModeSuspicious_s,modelName_s,networkInterfaces_s,networkQuarantineEnabled_b,networkStatus_s,operationalState_s,osArch_s,osName_s,osRevision_s,osStartTime_t [UTC],osType_s,rangerStatus_s,rangerVersion_s,registeredAt_t [UTC],remoteProfilingState_s,scanFinishedAt_t [UTC],scanStartedAt_t [UTC],scanStatus_s,serialNumber_s,showAlertIcon_b,tags_sentinelone_s,threatRebootRequired_b,totalMemory_d,userActionsNeeded_s,uuid_g,osUsername_s,scanAbortedAt_t [UTC],activeDirectory_computerDistinguishedName_s,activeDirectory_lastUserDistinguishedName_s,Type,_ResourceId -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/19/2023, 12:40:04 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,23,fb366a5d-1950-4106-80a9-2715c63030d9,"7/19/2023, 12:25:04 PM",1732588999478741481,The management user Nick Man added user Darth as Viewer.,IP address: 1.1.1.1,,,"7/19/2023, 12:25:04 PM",1732588998690212150,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""role"": ""Viewer"", ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""userScope"": ""account"", ""username"": ""Darth""}","",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 9:40:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,37,c8e96690-cfc1-4c30-96dc-74c59d18ed96,"7/25/2023, 9:25:03 AM",1736847049504106605,The management user Nick Man added user Dave to role Viewer in scope Crest Data Systems,IP address: 1.1.1.1,,,"7/25/2023, 9:25:03 AM",1716583470262263007,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""role"": ""Viewer"", ""roleName"": ""Viewer"", ""scopeLevel"": ""Account"", ""scopeLevelName"": ""Crest Data Systems"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""userScope"": ""account"", ""username"": ""Dave""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 9:40:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,37,5d68c5d5-0693-4f28-ae15-5e1a0ea2bb04,"7/25/2023, 9:26:08 AM",1736847596114257723,The management user Nick Man added user Dave to role Admin in scope Crest Data Systems,IP address: 1.1.1.1,,,"7/25/2023, 9:26:08 AM",1716583470262263007,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""role"": ""Admin"", ""roleName"": ""Admin"", ""scopeLevel"": ""Account"", ""scopeLevelName"": ""Crest Data Systems"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""userScope"": ""account"", ""username"": ""Dave""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/6/2023, 6:04:55 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,23,5298b51f-599a-4613-9118-87bbd70e6b61,"7/5/2023, 1:12:24 PM",1722465966578341798,The management user NisMan added user jack as Admin.,IP address: 1.1.1.2,1712500242422055104,Default site,"7/5/2023, 1:12:24 PM",1722465965663983441,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""NisMan"", ""fullScopeDetails"": ""Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site"", ""groupName"": null, ""ipAddress"": ""1.1.1.2"", ""realUser"": null, ""role"": ""Admin"", ""scopeLevel"": ""Site"", ""scopeName"": ""Default site"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""userScope"": ""site"", ""username"": ""jack""}","",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 9:40:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,24,6d73dfa5-3947-43d2-b716-29e849dc3153,"7/25/2023, 9:25:03 AM",1736847049755764852,"The management user Nick Man updated the management user Dave. -Modified fields: User scope roles",IP address: 1.1.1.1,,,"7/25/2023, 9:25:03 AM",1716583470262263007,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""modifiedFields"": ""Modified fields: User scope roles"", ""realUser"": null, ""role"": ""Viewer"", ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""userScope"": ""account"", ""username"": ""Dave""}",Nick Man,Modified fields: User scope roles,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 9:40:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,24,5c5e7e13-fd66-4b2d-a28a-1174af876f70,"7/25/2023, 9:26:08 AM",1736847596407859079,"The management user Nick Man updated the management user Dave. -Modified fields: User scope roles",IP address: 1.1.1.1,,,"7/25/2023, 9:26:08 AM",1716583470262263007,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""modifiedFields"": ""Modified fields: User scope roles"", ""realUser"": null, ""role"": ""Admin"", ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""userScope"": ""account"", ""username"": ""Dave""}",Nick Man,Modified fields: User scope roles,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 11:50:04 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,110,89b49441-4f83-4e54-91b0-29f02a4a996e,"7/20/2023, 11:39:00 AM",1733290588638022118,The management user Nick Man gave permission to the management user Nirvato generate API tokens.,IP address: 1.1.1.1,1712500242422055104,Default site,"7/20/2023, 11:39:00 AM",1722466127522197269,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""fullScopeDetails"": ""Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""role"": ""Admin"", ""scopeLevel"": ""Site"", ""scopeName"": ""Default site"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""userScope"": ""site"", ""username"": ""Nirva""}",Nirva,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/21/2023, 7:00:18 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,5006,37b6aca3-6759-4406-9990-9427ff5947ec,"7/21/2023, 6:46:32 AM",1733868167914689364,The management user Nick Man deleted the Manual Group: Test.,IP address: 1.1.1.1,1712500242422055104,Default site,"7/21/2023, 6:46:32 AM",1712986475444464777,Activities.,"{""accountName"": ""Crest Data Systems"", ""fullScopeDetails"": ""Group Test in Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site / Test"", ""groupId"": 1721525955683466807, ""groupName"": ""Test"", ""groupType"": ""Manual"", ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""scopeLevel"": ""Group"", ""scopeName"": ""Test"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""username"": ""Nick Man""}",,,,,,,,,,,,,,,,,,,,,,1721525955683466807,,Test,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/6/2023, 12:50:14 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,25,9b9a0977-8483-4f2c-8bba-f85c50f01559,"6/27/2023, 10:24:22 AM",1716583181635393170,The management user NisMan deleted the user Dave.,IP address: 1.1.1.2,1712500242422055104,Default site,"6/27/2023, 10:24:22 AM",1716583004803512585,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""NisMan"", ""deactivationPeriodInDays"": ""90"", ""fullScopeDetails"": ""Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site"", ""groupName"": null, ""ipAddress"": ""1.1.1.2"", ""realUser"": null, ""role"": ""Viewer"", ""scopeLevel"": ""Site"", ""scopeName"": ""Default site"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""userScope"": ""site"", ""username"": ""Dave""}",NisMan,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/19/2023, 12:50:03 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,140,2ad1ba17-d519-4866-b401-67da64e3317a,"7/19/2023, 12:38:17 PM",1732595655286628841,The management user Nick Man added a new Service User Darth with the description Darth to Crest Data Systems with role Admin.,IP address: 1.1.1.1,,,"7/19/2023, 12:38:17 PM",1732595654439379351,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""description"": ""Darth"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""roleName"": ""Admin"", ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""username"": ""Darth""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/19/2023, 12:50:03 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,140,3f33a1f3-9f08-490b-8f94-760a9135e13f,"7/19/2023, 12:39:28 PM",1732596251003720722,The management user Nick Man added a new Service User Darth with the description Darth to Default site with role C-Level.,IP address: 1.1.1.1,1712500242422055104,Default site,"7/19/2023, 12:39:28 PM",1732595654439379351,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""description"": ""Darth"", ""fullScopeDetails"": ""Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""roleName"": ""C-Level"", ""scopeLevel"": ""Site"", ""scopeName"": ""Default site"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""username"": ""Darth""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/6/2023, 12:50:14 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,5008,327cc7b4-f116-490d-9a0b-53d572cce162,"6/22/2023, 12:44:45 PM",1713029962565392283,The management user Nick Man created the new Manual Group: Crest Data Systems.,IP address: 1.1.1.1,1712500242422055104,Default site,"6/22/2023, 12:44:45 PM",1712986475444464777,Activities.,"{""accountName"": ""Crest Data Systems"", ""fullScopeDetails"": ""Group Crest Data Systems in Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site / Crest Data Systems"", ""groupId"": ""1713029962380842894"", ""groupName"": ""Crest Data Systems"", ""groupType"": ""Manual"", ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""scopeLevel"": ""Group"", ""scopeName"": ""Crest Data Systems"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""username"": ""Nick Man""}",,,,,,,,,,,,,,,,,,,,,,1713029962380842894,,Crest Data Systems,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/6/2023, 12:50:14 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,5008,6a5ae272-d4df-4986-a8ec-b1c9c09ef60d,"7/4/2023, 6:04:46 AM",1721525955893182011,The management user Dave created the new Manual Group: Test.,IP address: 1.1.1.2,1712500242422055104,Default site,"7/4/2023, 6:04:46 AM",1716583470262263007,Activities.,"{""accountName"": ""Crest Data Systems"", ""fullScopeDetails"": ""Group Test in Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site / Test"", ""groupId"": ""1721525955683466807"", ""groupName"": ""Test"", ""groupType"": ""Manual"", ""ipAddress"": ""1.1.1.2"", ""realUser"": null, ""scopeLevel"": ""Group"", ""scopeName"": ""Test"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""username"": ""Dave""}",,,,,,,,,,,,,,,,,,,,,,1721525955683466807,,Test,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/19/2023, 12:50:03 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,142,46b211c2-1223-4ff0-9cfc-a3fc7eed4b05,"7/19/2023, 12:39:28 PM",1732596250928223249,The management user Nick Man deleted the Service User Darth from scope Crest Data Systems.,IP address: 1.1.1.1,,,"7/19/2023, 12:39:28 PM",1732595654439379351,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""description"": ""Darth"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""username"": ""Darth""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 10:20:04 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,5006,a180e2f3-fb7e-44fc-adfe-cbc5d250d9ed,"7/20/2023, 10:03:42 AM",1733242623065122727,The management user Nirvadeleted the Manual Group: Test Group Activity.,IP address: 1.1.1.2,1712500242422055104,Default site,"7/20/2023, 10:03:42 AM",1722466127522197269,Activities.,"{""accountName"": ""Crest Data Systems"", ""fullScopeDetails"": ""Group Test Group Activity in Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site / Test Group Activity"", ""groupId"": 1733236199462385361, ""groupName"": ""Test Group Activity"", ""groupType"": ""Manual"", ""ipAddress"": ""1.1.1.2"", ""realUser"": null, ""scopeLevel"": ""Group"", ""scopeName"": ""Test Group Activity"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""username"": ""Nirva""}",,,,,,,,,,,,,,,,,,,,,,1733236199462385361,,Test Group Activity,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/19/2023, 12:50:03 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,25,eded5a54-86c8-4337-9dff-e3e13a9305f2,"7/19/2023, 12:37:15 PM",1732595136375643864,The management user Nick Man deleted the user Darth.,IP address: 1.1.1.1,,,"7/19/2023, 12:37:15 PM",1732588998690212150,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""deactivationPeriodInDays"": ""90"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""role"": ""Admin"", ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""userScope"": ""account"", ""username"": ""Darth""}",Nick Man,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/19/2023, 12:50:03 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,141,df06ac01-c280-4a06-b3a3-0563c04b7e58,"7/19/2023, 12:38:55 PM",1732595970044029527,The management user Nick Man changed the role of the Service User Darth on scope Crest Data Systems. Previous role: Admin. New role: SOC.,IP address: 1.1.1.1,,,"7/19/2023, 12:38:55 PM",1732595654439379351,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""description"": ""Darth"", ""descriptionChanged"": false, ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""oldDescription"": ""N/A"", ""oldRole"": ""Admin"", ""realUser"": null, ""role"": ""SOC"", ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""username"": ""Darth""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/19/2023, 1:00:02 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,141,f4804b82-7729-499d-9157-f1ea3aa7e361,"7/19/2023, 12:41:17 PM",1732597165974508627,The management user Nick Man changed the role of the Service User Darth on scope Default site. Previous role: C-Level. New role: User Test.,IP address: 1.1.1.1,1712500242422055104,Default site,"7/19/2023, 12:41:17 PM",1732595654439379351,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""description"": ""Darth"", ""descriptionChanged"": false, ""fullScopeDetails"": ""Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""oldDescription"": ""N/A"", ""oldRole"": ""C-Level"", ""realUser"": null, ""role"": ""User Test"", ""scopeLevel"": ""Site"", ""scopeName"": ""Default site"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""username"": ""Darth""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 11:50:04 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,111,9cce98f3-b039-4ba0-a8f2-e0105b688546,"7/20/2023, 11:38:42 AM",1733290437886321178,The management user Nick Man blocked the management user Nirvafrom generating API tokens.,IP address: 1.1.1.1,1712500242422055104,Default site,"7/20/2023, 11:38:42 AM",1722466127522197269,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""fullScopeDetails"": ""Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""role"": ""Admin"", ""scopeLevel"": ""Site"", ""scopeName"": ""Default site"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""userScope"": ""site"", ""username"": ""Nirva""}",Nirva,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, -1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 10:20:04 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,5011,1b86a2ea-9f84-4e5b-a918-a521b20d8f09,"7/20/2023, 10:07:15 AM",1733244408404449162,The management user Nirvareverted the policy of Group Test Pinned group to its Site policy.,IP address: 1.1.1.2,1712500242422055104,Default site,"7/20/2023, 10:07:14 AM",1722466127522197269,Activities.,"{""accountName"": ""Crest Data Systems"", ""fullScopeDetails"": ""Group Test Pinned group in Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site / Test Pinned group"", ""groupId"": ""1733241822456258550"", ""groupName"": ""Test Pinned group"", ""groupType"": ""Pinned"", ""ipAddress"": ""1.1.1.2"", ""realUser"": null, ""scopeLevel"": ""Group"", ""scopeName"": ""Test Pinned group"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""username"": ""Nirva""}",,,,,,,,,,,,,,,,,,,,,,1733241822456258550,,Test Pinned group,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, \ No newline at end of file +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/19/2023, 12:40:04 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,23,fb366a5d-1950-4106-80a9-2715c63030d9,"7/19/2023, 12:25:04 PM",1.73258899947874E+018,The management user Nick Man added user Darth as Viewer.,IP address: 1.1.1.1,,,"7/19/2023, 12:25:04 PM",1.73258899869021E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""role"": ""Viewer"", ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""userScope"": ""account"", ""username"": ""Darth""}","",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 9:40:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,37,c8e96690-cfc1-4c30-96dc-74c59d18ed96,"7/25/2023, 9:25:03 AM",1.73684704950411E+018,The management user Nick Man added user Dave to role Viewer in scope Crest Data Systems,IP address: 1.1.1.1,,,"7/25/2023, 9:25:03 AM",1.71658347026226E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""role"": ""Viewer"", ""roleName"": ""Viewer"", ""scopeLevel"": ""Account"", ""scopeLevelName"": ""Crest Data Systems"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""userScope"": ""account"", ""username"": ""Dave""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 9:40:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,37,5d68c5d5-0693-4f28-ae15-5e1a0ea2bb04,"7/25/2023, 9:26:08 AM",1.73684759611426E+018,The management user Nick Man added user Dave to role Admin in scope Crest Data Systems,IP address: 1.1.1.1,,,"7/25/2023, 9:26:08 AM",1.71658347026226E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""role"": ""Admin"", ""roleName"": ""Admin"", ""scopeLevel"": ""Account"", ""scopeLevelName"": ""Crest Data Systems"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""userScope"": ""account"", ""username"": ""Dave""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/6/2023, 6:04:55 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,23,5298b51f-599a-4613-9118-87bbd70e6b61,"7/5/2023, 1:12:24 PM",1.72246596657834E+018,The management user NisMan added user jack as Admin.,IP address: 1.1.1.2,1.71250024242206E+018,Default site,"7/5/2023, 1:12:24 PM",1.72246596566398E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""NisMan"", ""fullScopeDetails"": ""Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site"", ""groupName"": null, ""ipAddress"": ""1.1.1.2"", ""realUser"": null, ""role"": ""Admin"", ""scopeLevel"": ""Site"", ""scopeName"": ""Default site"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""userScope"": ""site"", ""username"": ""jack""}","",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 9:40:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,24,6d73dfa5-3947-43d2-b716-29e849dc3153,"7/25/2023, 9:25:03 AM",1.73684704975576E+018,"The management user Nick Man updated the management user Dave. +Modified fields: User scope roles",IP address: 1.1.1.1,,,"7/25/2023, 9:25:03 AM",1.71658347026226E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""modifiedFields"": ""Modified fields: User scope roles"", ""realUser"": null, ""role"": ""Viewer"", ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""userScope"": ""account"", ""username"": ""Dave""}",Nick Man,Modified fields: User scope roles,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 9:40:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,24,5c5e7e13-fd66-4b2d-a28a-1174af876f70,"7/25/2023, 9:26:08 AM",1.73684759640786E+018,"The management user Nick Man updated the management user Dave. +Modified fields: User scope roles",IP address: 1.1.1.1,,,"7/25/2023, 9:26:08 AM",1.71658347026226E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""modifiedFields"": ""Modified fields: User scope roles"", ""realUser"": null, ""role"": ""Admin"", ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""userScope"": ""account"", ""username"": ""Dave""}",Nick Man,Modified fields: User scope roles,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 11:50:04 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,110,89b49441-4f83-4e54-91b0-29f02a4a996e,"7/20/2023, 11:39:00 AM",1.73329058863802E+018,The management user Nick Man gave permission to the management user Nirvato generate API tokens.,IP address: 1.1.1.1,1.71250024242206E+018,Default site,"7/20/2023, 11:39:00 AM",1.7224661275222E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""fullScopeDetails"": ""Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""role"": ""Admin"", ""scopeLevel"": ""Site"", ""scopeName"": ""Default site"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""userScope"": ""site"", ""username"": ""Nirva""}",Nirva,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/21/2023, 7:00:18 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,5006,37b6aca3-6759-4406-9990-9427ff5947ec,"7/21/2023, 6:46:32 AM",1.73386816791469E+018,The management user Nick Man deleted the Manual Group: Test.,IP address: 1.1.1.1,1.71250024242206E+018,Default site,"7/21/2023, 6:46:32 AM",1.71298647544447E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""fullScopeDetails"": ""Group Test in Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site / Test"", ""groupId"": 1721525955683466807, ""groupName"": ""Test"", ""groupType"": ""Manual"", ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""scopeLevel"": ""Group"", ""scopeName"": ""Test"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""username"": ""Nick Man""}",,,,,,,,,,,,,,,,,,,,,,1.72152595568347E+018,,Test,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/6/2023, 12:50:14 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,25,9b9a0977-8483-4f2c-8bba-f85c50f01559,"6/27/2023, 10:24:22 AM",1.71658318163539E+018,The management user NisMan deleted the user Dave.,IP address: 1.1.1.2,1.71250024242206E+018,Default site,"6/27/2023, 10:24:22 AM",1.71658300480351E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""NisMan"", ""deactivationPeriodInDays"": ""90"", ""fullScopeDetails"": ""Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site"", ""groupName"": null, ""ipAddress"": ""1.1.1.2"", ""realUser"": null, ""role"": ""Viewer"", ""scopeLevel"": ""Site"", ""scopeName"": ""Default site"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""userScope"": ""site"", ""username"": ""Dave""}",NisMan,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/19/2023, 12:50:03 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,140,2ad1ba17-d519-4866-b401-67da64e3317a,"7/19/2023, 12:38:17 PM",1.73259565528663E+018,The management user Nick Man added a new Service User Darth with the description Darth to Crest Data Systems with role Admin.,IP address: 1.1.1.1,,,"7/19/2023, 12:38:17 PM",1.73259565443938E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""description"": ""Darth"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""roleName"": ""Admin"", ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""username"": ""Darth""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/19/2023, 12:50:03 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,140,3f33a1f3-9f08-490b-8f94-760a9135e13f,"7/19/2023, 12:39:28 PM",1.73259625100372E+018,The management user Nick Man added a new Service User Darth with the description Darth to Default site with role C-Level.,IP address: 1.1.1.1,1.71250024242206E+018,Default site,"7/19/2023, 12:39:28 PM",1.73259565443938E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""description"": ""Darth"", ""fullScopeDetails"": ""Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""roleName"": ""C-Level"", ""scopeLevel"": ""Site"", ""scopeName"": ""Default site"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""username"": ""Darth""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/6/2023, 12:50:14 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,5008,327cc7b4-f116-490d-9a0b-53d572cce162,"6/22/2023, 12:44:45 PM",1.71302996256539E+018,The management user Nick Man created the new Manual Group: Crest Data Systems.,IP address: 1.1.1.1,1.71250024242206E+018,Default site,"6/22/2023, 12:44:45 PM",1.71298647544447E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""fullScopeDetails"": ""Group Crest Data Systems in Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site / Crest Data Systems"", ""groupId"": ""1713029962380842894"", ""groupName"": ""Crest Data Systems"", ""groupType"": ""Manual"", ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""scopeLevel"": ""Group"", ""scopeName"": ""Crest Data Systems"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""username"": ""Nick Man""}",,,,,,,,,,,,,,,,,,,,,,1.71302996238084E+018,,Crest Data Systems,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/6/2023, 12:50:14 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,5008,6a5ae272-d4df-4986-a8ec-b1c9c09ef60d,"7/4/2023, 6:04:46 AM",1.72152595589318E+018,The management user Dave created the new Manual Group: Test.,IP address: 1.1.1.2,1.71250024242206E+018,Default site,"7/4/2023, 6:04:46 AM",1.71658347026226E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""fullScopeDetails"": ""Group Test in Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site / Test"", ""groupId"": ""1721525955683466807"", ""groupName"": ""Test"", ""groupType"": ""Manual"", ""ipAddress"": ""1.1.1.2"", ""realUser"": null, ""scopeLevel"": ""Group"", ""scopeName"": ""Test"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""username"": ""Dave""}",,,,,,,,,,,,,,,,,,,,,,1.72152595568347E+018,,Test,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/19/2023, 12:50:03 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,142,46b211c2-1223-4ff0-9cfc-a3fc7eed4b05,"7/19/2023, 12:39:28 PM",1.73259625092822E+018,The management user Nick Man deleted the Service User Darth from scope Crest Data Systems.,IP address: 1.1.1.1,,,"7/19/2023, 12:39:28 PM",1.73259565443938E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""description"": ""Darth"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""username"": ""Darth""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 10:20:04 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,5006,a180e2f3-fb7e-44fc-adfe-cbc5d250d9ed,"7/20/2023, 10:03:42 AM",1.73324262306512E+018,The management user Nirvadeleted the Manual Group: Test Group Activity.,IP address: 1.1.1.2,1.71250024242206E+018,Default site,"7/20/2023, 10:03:42 AM",1.7224661275222E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""fullScopeDetails"": ""Group Test Group Activity in Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site / Test Group Activity"", ""groupId"": 1733236199462385361, ""groupName"": ""Test Group Activity"", ""groupType"": ""Manual"", ""ipAddress"": ""1.1.1.2"", ""realUser"": null, ""scopeLevel"": ""Group"", ""scopeName"": ""Test Group Activity"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""username"": ""Nirva""}",,,,,,,,,,,,,,,,,,,,,,1.73323619946239E+018,,Test Group Activity,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/19/2023, 12:50:03 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,25,eded5a54-86c8-4337-9dff-e3e13a9305f2,"7/19/2023, 12:37:15 PM",1.73259513637564E+018,The management user Nick Man deleted the user Darth.,IP address: 1.1.1.1,,,"7/19/2023, 12:37:15 PM",1.73258899869021E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""deactivationPeriodInDays"": ""90"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""role"": ""Admin"", ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""userScope"": ""account"", ""username"": ""Darth""}",Nick Man,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/19/2023, 12:50:03 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,141,df06ac01-c280-4a06-b3a3-0563c04b7e58,"7/19/2023, 12:38:55 PM",1.73259597004403E+018,The management user Nick Man changed the role of the Service User Darth on scope Crest Data Systems. Previous role: Admin. New role: SOC.,IP address: 1.1.1.1,,,"7/19/2023, 12:38:55 PM",1.73259565443938E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""description"": ""Darth"", ""descriptionChanged"": false, ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""oldDescription"": ""N/A"", ""oldRole"": ""Admin"", ""realUser"": null, ""role"": ""SOC"", ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""username"": ""Darth""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/19/2023, 1:00:02 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,141,f4804b82-7729-499d-9157-f1ea3aa7e361,"7/19/2023, 12:41:17 PM",1.73259716597451E+018,The management user Nick Man changed the role of the Service User Darth on scope Default site. Previous role: C-Level. New role: User Test.,IP address: 1.1.1.1,1.71250024242206E+018,Default site,"7/19/2023, 12:41:17 PM",1.73259565443938E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""description"": ""Darth"", ""descriptionChanged"": false, ""fullScopeDetails"": ""Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""oldDescription"": ""N/A"", ""oldRole"": ""C-Level"", ""realUser"": null, ""role"": ""User Test"", ""scopeLevel"": ""Site"", ""scopeName"": ""Default site"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""username"": ""Darth""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 11:50:04 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,111,9cce98f3-b039-4ba0-a8f2-e0105b688546,"7/20/2023, 11:38:42 AM",1.73329043788632E+018,The management user Nick Man blocked the management user Nirvafrom generating API tokens.,IP address: 1.1.1.1,1.71250024242206E+018,Default site,"7/20/2023, 11:38:42 AM",1.7224661275222E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""fullScopeDetails"": ""Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""role"": ""Admin"", ""scopeLevel"": ""Site"", ""scopeName"": ""Default site"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""userScope"": ""site"", ""username"": ""Nirva""}",Nirva,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 10:20:04 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,5011,1b86a2ea-9f84-4e5b-a918-a521b20d8f09,"7/20/2023, 10:07:15 AM",1.73324440840445E+018,The management user Nirvareverted the policy of Group Test Pinned group to its Site policy.,IP address: 1.1.1.2,1.71250024242206E+018,Default site,"7/20/2023, 10:07:14 AM",1.7224661275222E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""fullScopeDetails"": ""Group Test Pinned group in Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site / Test Pinned group"", ""groupId"": ""1733241822456258550"", ""groupName"": ""Test Pinned group"", ""groupType"": ""Pinned"", ""ipAddress"": ""1.1.1.2"", ""realUser"": null, ""scopeLevel"": ""Group"", ""scopeName"": ""Test Pinned group"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""username"": ""Nirva""}",,,,,,,,,,,,,,,,,,,,,,1.73324182245626E+018,,Test Pinned group,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/31/2023, 8:10:05.826 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,67,5fa60864-c413-4cc7-9355-249439407966,"7/31/2023, 7:53:03.633 AM",1.74114940552361E+018,The management user user1 enabled Two factor authentication on the user user1.,IP address: 1.2.3.4,,,"7/31/2023, 7:53:03.610 AM",1.73894939698783E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""user1"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.2.3.4"", ""newValue"": true, ""realUser"": null, ""role"": ""Admin"", ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""userScope"": ""account"", ""username"": ""user1""}",user1,True,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/31/2023, 8:10:05.826 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1.71250023793415E+018,Crest Data Systems,147,799c8282-d4ca-4e71-8cd9-5849edcd2243,"7/31/2023, 7:53:03.645 AM",1.74114940561588E+018,The Management User user1 successfully configured 2FA.,IP address: 1.2.3.4,,,"7/31/2023, 7:53:03.623 AM",1.73894939698783E+018,Activities.,"{""accountName"": ""Crest Data Systems"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.2.3.4"", ""realUser"": null, ""role"": ""Admin"", ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""userScope"": ""account"", ""username"": ""user1""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, diff --git a/Sample Data/ASIM/SentinelOne_ASimUserManagement_RawLogs.json b/Sample Data/ASIM/SentinelOne_ASimUserManagement_RawLogs.json index 9c64872bb30..e49a23ff9ea 100644 --- a/Sample Data/ASIM/SentinelOne_ASimUserManagement_RawLogs.json +++ b/Sample Data/ASIM/SentinelOne_ASimUserManagement_RawLogs.json @@ -6346,5 +6346,639 @@ "activeDirectory_lastUserDistinguishedName": "", "Type": "SentinelOne_CL", "_ResourceId": "" + }, + { + "activityType": 67, + "TimeGenerated": "7/31/2023, 8:10:05.826 AM", + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "", + "agentDetectionInfo_name": "", + "agentDetectionInfo_osFamily": "", + "agentDetectionInfo_osName": "", + "agentDetectionInfo_osRevision": "", + "agentDetectionInfo_uuid": "", + "agentDetectionInfo_version": "", + "agentRealtimeInfo_id": "", + "agentRealtimeInfo_infected": "", + "agentRealtimeInfo_isActive": "", + "agentRealtimeInfo_isDecommissioned": "", + "agentRealtimeInfo_machineType": "", + "agentRealtimeInfo_name": "", + "agentRealtimeInfo_os": "", + "agentRealtimeInfo_uuid": "", + "alertInfo_alertId": "", + "alertInfo_analystVerdict": "", + "alertInfo_createdAt": "", + "alertInfo_dvEventId": "", + "alertInfo_eventType": "", + "alertInfo_hitType": "", + "alertInfo_incidentStatus": "", + "alertInfo_isEdr": "", + "alertInfo_reportedAt": "", + "alertInfo_source": "", + "alertInfo_updatedAt": "", + "ruleInfo_id": "", + "ruleInfo_name": "", + "ruleInfo_queryLang": "", + "ruleInfo_queryType": "", + "ruleInfo_s1ql": "", + "ruleInfo_scopeLevel": "", + "ruleInfo_severity": "", + "ruleInfo_treatAsThreat": "", + "sourceParentProcessInfo_commandline": "", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "", + "sourceParentProcessInfo_name": "", + "sourceParentProcessInfo_pid": "", + "sourceParentProcessInfo_pidStarttime": "", + "sourceParentProcessInfo_subsystem": "", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "", + "sourceProcessInfo_name": "", + "sourceProcessInfo_pid": "", + "sourceProcessInfo_pidStarttime": "", + "sourceProcessInfo_subsystem": "", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt": "", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "", + "targetProcessInfo_tgtFileModifiedAt": "", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "", + "targetProcessInfo_tgtProcessStartTime": "", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": "", + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": "", + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt": "", + "agentRealtimeInfo_scanStartedAt": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": 1712500237934148900, + "accountName": "Crest Data Systems", + "activityUuid": "5fa60864-c413-4cc7-9355-249439407966", + "createdAt": "7/31/2023, 7:53:03.633 AM", + "id": 1741149405523608000, + "primaryDescription": "The management user user1 enabled Two factor authentication on the user user1.", + "secondaryDescription": "IP address: 1.2.3.4", + "siteId": "", + "siteName": "", + "updatedAt": "7/31/2023, 7:53:03.610 AM", + "userId": 1738949396987828700, + "event_name": "Activities.", + "DataFields": { + "accountName": "Crest Data Systems", + "byUser": "user1", + "fullScopeDetails": "Account Crest Data Systems", + "fullScopeDetailsPath": "Global / Crest Data Systems", + "groupName": null, + "ipAddress": "1.2.3.4", + "newValue": true, + "realUser": null, + "role": "Admin", + "scopeLevel": "Account", + "scopeName": "Crest Data Systems", + "siteName": null, + "sourceType": "UI", + "userScope": "account", + "username": "user1" + }, + "description": "user1", + "comments": "True", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime": "", + "fullDiskScanLastUpdatedAt": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt": "", + "remoteProfilingState": "", + "scanFinishedAt": "", + "scanStartedAt": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "activityType": 147, + "TimeGenerated": "7/31/2023, 8:10:05.826 AM", + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "", + "agentDetectionInfo_name": "", + "agentDetectionInfo_osFamily": "", + "agentDetectionInfo_osName": "", + "agentDetectionInfo_osRevision": "", + "agentDetectionInfo_uuid": "", + "agentDetectionInfo_version": "", + "agentRealtimeInfo_id": "", + "agentRealtimeInfo_infected": "", + "agentRealtimeInfo_isActive": "", + "agentRealtimeInfo_isDecommissioned": "", + "agentRealtimeInfo_machineType": "", + "agentRealtimeInfo_name": "", + "agentRealtimeInfo_os": "", + "agentRealtimeInfo_uuid": "", + "alertInfo_alertId": "", + "alertInfo_analystVerdict": "", + "alertInfo_createdAt": "", + "alertInfo_dvEventId": "", + "alertInfo_eventType": "", + "alertInfo_hitType": "", + "alertInfo_incidentStatus": "", + "alertInfo_isEdr": "", + "alertInfo_reportedAt": "", + "alertInfo_source": "", + "alertInfo_updatedAt": "", + "ruleInfo_id": "", + "ruleInfo_name": "", + "ruleInfo_queryLang": "", + "ruleInfo_queryType": "", + "ruleInfo_s1ql": "", + "ruleInfo_scopeLevel": "", + "ruleInfo_severity": "", + "ruleInfo_treatAsThreat": "", + "sourceParentProcessInfo_commandline": "", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "", + "sourceParentProcessInfo_name": "", + "sourceParentProcessInfo_pid": "", + "sourceParentProcessInfo_pidStarttime": "", + "sourceParentProcessInfo_subsystem": "", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "", + "sourceProcessInfo_name": "", + "sourceProcessInfo_pid": "", + "sourceProcessInfo_pidStarttime": "", + "sourceProcessInfo_subsystem": "", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt": "", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "", + "targetProcessInfo_tgtFileModifiedAt": "", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "", + "targetProcessInfo_tgtProcessStartTime": "", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": "", + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": "", + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt": "", + "agentRealtimeInfo_scanStartedAt": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": 1712500237934148900, + "accountName": "Crest Data Systems", + "activityUuid": "799c8282-d4ca-4e71-8cd9-5849edcd2243", + "createdAt": "7/31/2023, 7:53:03.645 AM", + "id": 1741149405615882800, + "primaryDescription": "The Management User user1 successfully configured 2FA.", + "secondaryDescription": "IP address: 1.2.3.4", + "siteId": "", + "siteName": "", + "updatedAt": "7/31/2023, 7:53:03.623 AM", + "userId": 1738949396987828700, + "event_name": "Activities.", + "DataFields": { + "accountName": "Crest Data Systems", + "fullScopeDetails": "Account Crest Data Systems", + "fullScopeDetailsPath": "Global / Crest Data Systems", + "groupName": null, + "ipAddress": "1.2.3.4", + "realUser": null, + "role": "Admin", + "scopeLevel": "Account", + "scopeName": "Crest Data Systems", + "siteName": null, + "sourceType": "UI", + "userScope": "account", + "username": "user1" + }, + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime": "", + "fullDiskScanLastUpdatedAt": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt": "", + "remoteProfilingState": "", + "scanFinishedAt": "", + "scanStartedAt": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" } ] \ No newline at end of file From 0d08b0a2a189b4d8117fe379eec60e039a4838a4 Mon Sep 17 00:00:00 2001 From: Nirali Shah Date: Thu, 23 Nov 2023 18:17:00 +0530 Subject: [PATCH 2/5] Done review1 changes to remove union. --- .../ASimUserManagementSentinelOne.yaml | 57 ++++++++------- .../Parsers/vimUserManagementSentinelOne.yaml | 70 +++++++++---------- 2 files changed, 63 insertions(+), 64 deletions(-) diff --git a/Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml b/Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml index 6af3d2d43b3..edbb4e7b3e1 100644 --- a/Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml +++ b/Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml @@ -1,7 +1,7 @@ Parser: Title: User Management ASIM parser for SentinelOne Version: '0.1.1' - LastUpdated: Oct 05, 2023 + LastUpdated: Nov 07, 2023 Product: Name: SentinelOne Normalization: @@ -56,39 +56,38 @@ ParserQuery: | ]; let UsermanagementactivityIds = dynamic([23, 24, 25, 37, 102, 110, 111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 3715, 5006, 5008, 5011, 67, 145, 146, 42, 147]); let parser = (disabled: bool=false) { - let alldata = SentinelOne_CL - | where not(disabled) - | where event_name_s == "Activities." - and activityType_d in (UsermanagementactivityIds) - | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string, newValue: string) with (pair_delimiter=",", kv_delimiter=":", quote='"') - | parse modifiedFields with 'Modified fields: ' ModifiedFields: string - | parse description_s with * "with id=" id: string "," restOfMessage - | lookup EventTypeLookup on activityType_d; - let enableddisabled = alldata - | where activityType_d in (67, 42) - | extend - EventType = iff(primaryDescription_s has "enabled", "UserEnabled", "UserDisabled"), - PreviousPropertyValue = iff(primaryDescription_s has "enabled", "disabled", "enabled"), - NewPropertyValue = iff(primaryDescription_s has "enabled", "enabled", "disabled"); - let otherdata = alldata - | where activityType_d !in(67, 42) - | extend - PreviousPropertyValue = case( - activityType_d == 141 and descriptionChanged == "true", - oldDescription, - activityType_d == 141 and descriptionChanged == "false", - oldRole, - "" - ), - NewPropertyValue = case( + SentinelOne_CL + | where not(disabled) + | where event_name_s == "Activities." + and activityType_d in (UsermanagementactivityIds) + | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string, newValue: string) with (pair_delimiter=",", kv_delimiter=":", quote='"') + | parse modifiedFields with 'Modified fields: ' ModifiedFields: string + | parse description_s with * "with id=" id: string "," restOfMessage + | lookup EventTypeLookup on activityType_d//; + | extend + EventType = iff(activityType_d in (67, 42) and primaryDescription_s has "enabled", "UserEnabled", "UserDisabled"), + PreviousPropertyValue = case( + activityType_d in (67, 42) and primaryDescription_s has "enabled", + "disabled", + activityType_d in (67, 42) and primaryDescription_s has "disabled", + "enabled", + activityType_d == 141 and descriptionChanged == "true", + oldDescription, + activityType_d == 141 and descriptionChanged == "false", + oldRole, + "" + ), + NewPropertyValue = case( + activityType_d in (67, 42) and primaryDescription_s has "enabled", + "enabled", + activityType_d in (67, 42) and primaryDescription_s has "disabled", + "disabled", activityType_d == 141 and descriptionChanged == "true", description, activityType_d == 141 and descriptionChanged == "false", role, "" - ); - union enableddisabled, otherdata - | extend + ), ActorUsername = iff(activityType_d == 102, "SentinelOne", coalesce(byUser, username, email)), GroupName = coalesce(group, groupName, name), TargetUsername = iff(isnotempty(byUser) or activityType_d in (147, 42), username, "") diff --git a/Parsers/ASimUserManagement/Parsers/vimUserManagementSentinelOne.yaml b/Parsers/ASimUserManagement/Parsers/vimUserManagementSentinelOne.yaml index e60161ddc58..bc6d2d38faf 100644 --- a/Parsers/ASimUserManagement/Parsers/vimUserManagementSentinelOne.yaml +++ b/Parsers/ASimUserManagement/Parsers/vimUserManagementSentinelOne.yaml @@ -1,7 +1,7 @@ Parser: Title: User Management ASIM parser for SentinelOne Version: '0.1.1' - LastUpdated: Oct 05, 2023 + LastUpdated: Nov 07, 2023 Product: Name: SentinelOne Normalization: @@ -82,45 +82,45 @@ ParserQuery: | eventtype_in: dynamic=dynamic([]), disabled: bool=false ) { - let alldata = SentinelOne_CL - | where not(disabled) - | where event_name_s == "Activities." - and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) - and activityType_d in (UsermanagementactivityIds) - and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(DataFields_s, srcipaddr_has_any_prefix)) - and (array_length(targetusername_has_any) == 0 or DataFields_s has_any (targetusername_has_any)) - and (array_length(actorusername_has_any) == 0 or DataFields_s has_any (actorusername_has_any)) - | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string, newValue: string) with (pair_delimiter=",", kv_delimiter=":", quote='"') - | where array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ipAddress, srcipaddr_has_any_prefix) - | parse modifiedFields with 'Modified fields: ' ModifiedFields: string - | parse description_s with * "with id=" id: string "," restOfMessage - | lookup EventTypeLookup on activityType_d; - let enableddisabled = alldata - | where activityType_d in (67, 42) - | extend - EventType = iff(primaryDescription_s has "enabled", "UserEnabled", "UserDisabled"), - PreviousPropertyValue = iff(primaryDescription_s has "enabled", "disabled", "enabled"), - NewPropertyValue = iff(primaryDescription_s has "enabled", "enabled", "disabled"); - let otherdata = alldata - | where activityType_d !in(67, 42) - | extend - PreviousPropertyValue = case( - activityType_d == 141 and descriptionChanged == "true", - oldDescription, - activityType_d == 141 and descriptionChanged == "false", - oldRole, - "" - ), - NewPropertyValue = case( + SentinelOne_CL + | where not(disabled) + | where event_name_s == "Activities." + and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) + and activityType_d in (UsermanagementactivityIds) + and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(DataFields_s, srcipaddr_has_any_prefix)) + and (array_length(targetusername_has_any) == 0 or DataFields_s has_any (targetusername_has_any)) + and (array_length(actorusername_has_any) == 0 or DataFields_s has_any (actorusername_has_any)) + | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string, newValue: string) with (pair_delimiter=",", kv_delimiter=":", quote='"') + | where array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ipAddress, srcipaddr_has_any_prefix) + | parse modifiedFields with 'Modified fields: ' ModifiedFields: string + | parse description_s with * "with id=" id: string "," restOfMessage + | lookup EventTypeLookup on activityType_d + | extend + EventType = iff(activityType_d in (67, 42) and primaryDescription_s has "enabled", "UserEnabled", "UserDisabled") + | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in))) + | extend + PreviousPropertyValue = case( + activityType_d in (67, 42) and primaryDescription_s has "enabled", + "disabled", + activityType_d in (67, 42) and primaryDescription_s has "disabled", + "enabled", + activityType_d == 141 and descriptionChanged == "true", + oldDescription, + activityType_d == 141 and descriptionChanged == "false", + oldRole, + "" + ), + NewPropertyValue = case( + activityType_d in (67, 42) and primaryDescription_s has "enabled", + "enabled", + activityType_d in (67, 42) and primaryDescription_s has "disabled", + "disabled", activityType_d == 141 and descriptionChanged == "true", description, activityType_d == 141 and descriptionChanged == "false", role, "" - ); - union enableddisabled, otherdata - | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in))) - | extend + ), ActorUsername = iff(activityType_d == 102, "SentinelOne", coalesce(byUser, username, email)), GroupName = coalesce(group, groupName, name), TargetUsername = iff(isnotempty(byUser) or activityType_d in (147, 42), username, "") From 504e326c3cfcc6cc4f1b2540e829118c10886772 Mon Sep 17 00:00:00 2001 From: Varun Kohli <97222872+vakohl@users.noreply.github.com> Date: Thu, 7 Mar 2024 16:16:32 +0530 Subject: [PATCH 3/5] Update ASimUserManagementSentinelOne.yaml --- .../Parsers/ASimUserManagementSentinelOne.yaml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml b/Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml index edbb4e7b3e1..27f7e154cd5 100644 --- a/Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml +++ b/Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml @@ -65,7 +65,13 @@ ParserQuery: | | parse description_s with * "with id=" id: string "," restOfMessage | lookup EventTypeLookup on activityType_d//; | extend - EventType = iff(activityType_d in (67, 42) and primaryDescription_s has "enabled", "UserEnabled", "UserDisabled"), + EventType = case ( + activityType_d in (67, 42) and primaryDescription_s has "enabled", + "UserEnabled", + activityType_d in (67, 42) and primaryDescription_s has "disabled", + "UserDisabled", + EventType + ), PreviousPropertyValue = case( activityType_d in (67, 42) and primaryDescription_s has "enabled", "disabled", @@ -169,4 +175,4 @@ ParserQuery: | SourceSystem, newValue }; - parser(disabled=disabled) \ No newline at end of file + parser(disabled=disabled) From 64b91002642a66e9d6aa9334dfa36a5208f025f8 Mon Sep 17 00:00:00 2001 From: Varun Kohli <97222872+vakohl@users.noreply.github.com> Date: Thu, 7 Mar 2024 16:17:02 +0530 Subject: [PATCH 4/5] Update vimUserManagementSentinelOne.yaml --- .../Parsers/vimUserManagementSentinelOne.yaml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/Parsers/ASimUserManagement/Parsers/vimUserManagementSentinelOne.yaml b/Parsers/ASimUserManagement/Parsers/vimUserManagementSentinelOne.yaml index bc6d2d38faf..b9499b52666 100644 --- a/Parsers/ASimUserManagement/Parsers/vimUserManagementSentinelOne.yaml +++ b/Parsers/ASimUserManagement/Parsers/vimUserManagementSentinelOne.yaml @@ -96,7 +96,13 @@ ParserQuery: | | parse description_s with * "with id=" id: string "," restOfMessage | lookup EventTypeLookup on activityType_d | extend - EventType = iff(activityType_d in (67, 42) and primaryDescription_s has "enabled", "UserEnabled", "UserDisabled") + EventType = case ( + activityType_d in (67, 42) and primaryDescription_s has "enabled", + "UserEnabled", + activityType_d in (67, 42) and primaryDescription_s has "disabled", + "UserDisabled", + EventType + ) | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in))) | extend PreviousPropertyValue = case( @@ -212,4 +218,4 @@ ParserQuery: | actorusername_has_any = actorusername_has_any, eventtype_in = eventtype_in, disabled = disabled - ) \ No newline at end of file + ) From 9367a3b975066464baebaf3669e5c085e48e1281 Mon Sep 17 00:00:00 2001 From: Varun Kohli <97222872+vakohl@users.noreply.github.com> Date: Thu, 7 Mar 2024 16:34:02 +0530 Subject: [PATCH 5/5] Update ASimUserManagementSentinelOne.yaml --- .../Parsers/ASimUserManagementSentinelOne.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml b/Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml index 27f7e154cd5..5ef9ef7fe6c 100644 --- a/Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml +++ b/Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml @@ -63,7 +63,7 @@ ParserQuery: | | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string, newValue: string) with (pair_delimiter=",", kv_delimiter=":", quote='"') | parse modifiedFields with 'Modified fields: ' ModifiedFields: string | parse description_s with * "with id=" id: string "," restOfMessage - | lookup EventTypeLookup on activityType_d//; + | lookup EventTypeLookup on activityType_d | extend EventType = case ( activityType_d in (67, 42) and primaryDescription_s has "enabled",