From 0cc29cf19f55d2373a36d2a9d29729216df11881 Mon Sep 17 00:00:00 2001 
From: vg-svitla
Date: Wed, 27 Nov 2024 12:15:11 +0200
Subject: [PATCH 1/7] Feature: SentinelOne Singularity
---
 SentinelOne/identity/CHANGELOG.md | 8 +++
 SentinelOne/identity/_meta/fields.yml | 39 ++++++++++
 SentinelOne/identity/_meta/logo.png | Bin 0 -> 27937 bytes
 SentinelOne/identity/_meta/manifest.yml | 8 +++
 .../identity/_meta/smart-descriptions.json | 46 ++++++++++++
 SentinelOne/identity/ingest/parser.yml | 67 ++++++++++++++++++
 SentinelOne/identity/tests/test_alert_1.json | 49 +++++++++++++
 SentinelOne/identity/tests/test_alert_10.json | 34 +++++++++
 SentinelOne/identity/tests/test_alert_11.json | 49 +++++++++++++
 SentinelOne/identity/tests/test_alert_12.json | 49 +++++++++++++
 SentinelOne/identity/tests/test_alert_13.json | 49 +++++++++++++
 SentinelOne/identity/tests/test_alert_14.json | 49 +++++++++++++
 SentinelOne/identity/tests/test_alert_15.json | 49 +++++++++++++
 SentinelOne/identity/tests/test_alert_16.json | 49 +++++++++++++
 SentinelOne/identity/tests/test_alert_2.json | 22 ++++++
 SentinelOne/identity/tests/test_alert_3.json | 34 +++++++++
 SentinelOne/identity/tests/test_alert_4.json | 34 +++++++++
 SentinelOne/identity/tests/test_alert_5.json | 49 +++++++++++++
 SentinelOne/identity/tests/test_alert_6.json | 49 +++++++++++++
 SentinelOne/identity/tests/test_alert_7.json | 49 +++++++++++++
 SentinelOne/identity/tests/test_alert_8.json | 34 +++++++++
 SentinelOne/identity/tests/test_alert_9.json | 34 +++++++++
 22 files changed, 850 insertions(+)
 create mode 100644 SentinelOne/identity/CHANGELOG.md
 create mode 100644 SentinelOne/identity/_meta/fields.yml
 create mode 100644 SentinelOne/identity/_meta/logo.png
 create mode 100644 SentinelOne/identity/_meta/manifest.yml
 create mode 100644 SentinelOne/identity/_meta/smart-descriptions.json
 create mode 100644 SentinelOne/identity/ingest/parser.yml
 create mode 100644 SentinelOne/identity/tests/test_alert_1.json
 create mode 100644 SentinelOne/identity/tests/test_alert_10.json
 create mode 100644 SentinelOne/identity/tests/test_alert_11.json
 create mode 100644 SentinelOne/identity/tests/test_alert_12.json
 create mode 100644 SentinelOne/identity/tests/test_alert_13.json
 create mode 100644 SentinelOne/identity/tests/test_alert_14.json
 create mode 100644 SentinelOne/identity/tests/test_alert_15.json
 create mode 100644 SentinelOne/identity/tests/test_alert_16.json
 create mode 100644 SentinelOne/identity/tests/test_alert_2.json
 create mode 100644 SentinelOne/identity/tests/test_alert_3.json
 create mode 100644 SentinelOne/identity/tests/test_alert_4.json
 create mode 100644 SentinelOne/identity/tests/test_alert_5.json
 create mode 100644 SentinelOne/identity/tests/test_alert_6.json
 create mode 100644 SentinelOne/identity/tests/test_alert_7.json
 create mode 100644 SentinelOne/identity/tests/test_alert_8.json
 create mode 100644 SentinelOne/identity/tests/test_alert_9.json
diff --git a/SentinelOne/identity/CHANGELOG.md b/SentinelOne/identity/CHANGELOG.md
new file mode 100644
index 000000000..11bddf32c
--- /dev/null
+++ b/SentinelOne/identity/CHANGELOG.md
@@ -0,0 +1,8 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
diff --git a/SentinelOne/identity/_meta/fields.yml b/SentinelOne/identity/_meta/fields.yml
new file mode 100644
index 000000000..36e8acf65
--- /dev/null
+++ b/SentinelOne/identity/_meta/fields.yml
@@ -0,0 +1,39 @@
+sentinelone.identity.attackSurfaces:
+  description: ''
+  name: sentinelone.identity.attackSurfaces
+  type: keyword
+
+sentinelone.identity.classification:
+  description: ''
+  name: sentinelone.identity.classification
+  type: keyword
+
+sentinelone.identity.confidenceLevel:
+  description: ''
+  name: sentinelone.identity.confidenceLevel
+  type: keyword
+
+sentinelone.identity.id:
+  description: ''
+  name: sentinelone.identity.id
+  type: keyword
+
+sentinelone.identity.name:
+  description: ''
+  name: sentinelone.identity.name
+  type: keyword
+
+sentinelone.identity.result:
+  description: ''
+  name: sentinelone.identity.result
+  type: keyword
+
+sentinelone.identity.status:
+  description: ''
+  name: sentinelone.identity.status
+  type: keyword
+
+sentinelone.identity.storyLineId:
+  description: ''
+  name: sentinelone.identity.storyLineId
+  type: keyword
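Review bot: Every `description: ''` in this hunk is empty, so the eight `sentinelone.identity.*` fields are declared without any documentation for the analysts who will search on them. Each description can be filled from what parser.yml maps into the field, for example `description: 'Unique identifier of the SentinelOne Singularity Identity alert'` for `sentinelone.identity.id` and `description: 'Attack surfaces the alert applies to, e.g. IDENTITY'` for `sentinelone.identity.attackSurfaces`. The fixture in test_alert_1.json shows `attackSurfaces` as a JSON array, so that description should state the field is multi-valued.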
diff --git a/SentinelOne/identity/_meta/logo.png b/SentinelOne/identity/_meta/logo.png new file mode 100644 index 0000000000000000000000000000000000000000..bad66643418120e4e1dbdc385258d64188b37661 GIT binary patch literal 27937 zcmeFXWl)>Z_bwWsNb%ss358Oe0!50JAO#AfkO0A*;!@m;1-C+Jp-`X{2<}$gU5a~g zhZ0;*`a3dn=YQ|FJ9FmDoOcF3ZgGG;YE^RN7<7HRNA3U{2%Z-h+?=KpR?NlHClmpQ5 zH+?bvZQ42`!z_bG+OU>N`)r*pD>z0#80RJzJB^xOlGMADcc$4xcy9iN>iwp~5!1Le zTk&qm?%~nR)%Kymdm-1S#R_r5Uc;^c(Eok@uLb^(wE!Gr#|;Z%ZSNg1dtsS#eh>0y z-fEpg>WOtdeBrExhp3bY0y;7IW6ir}Klt7qIo$0Bh5z~~SJt2UwQ(l~b8g$zvvhz*4SXpDgnZGl!$_7bTNX)7_7O!fWG8t#1f zZA*cRbk0?YR}W^^W8ATTJI za}5CoGjs!@5Z>LGGAwmA?uasAaF?Gh#t$25Y9Pew-#kH3o)2VUn&1gs)N-9KD9F^}4+mV-5E%2#dCg=H0H$oKYI3^RnQB zE{-|Fx zFn}iv@BB7dvQwI9Jko&!_Kgc)0on(z?yO7aHRJ5p_SEM_RoePMz=DSN^Yok&C+FUao{9HW!jv{&o1$Oy6_ z!O;O1c19@#pt7^}&!1sn1bXQt6*l|3WFi!BxKK#=;|4G_U+xXu>_lTo zqW)v(KK)cov|#|F6!nqYJi_`4_V6UtI@zZ@$tx~|^;u{)Rd5t(VE^218+_Pw?2Z{% z7LPyxe;P>G6CR&7@U_UUp?TV#HG9J>P+q7tqv@(U{E4$+38XZ6-KV4oFt=qO5;<3S zW3yqNe69hd!{j~~qx}>(kWETa_!??5(fa74+gI_eHX&d> zw1k;7@-d80nzU_;aBVesh_`6-@rA0KV%n}R-R+p}3rW($9oc;r6+ku&SlrndZhyDc zOW=-4tR-tQKdKtp@k_2>wT{0mQqY;rftGp{wj^&2MqtKbuLiX}F4rvGGwDEBe?ilP z=zCPS|7mZ+tS0Y=k7vR)+ea&rR8O=>2xBl~g`GOaaBmsTo9eBIo@QI14J#BF=0cuX ziS@}!OZ`0$*ZXo&>uOqfuns}tyY~qbqW}WA^WqV>$C{_3o;W@|L+ppO?pV7i z3>uuGp4L#pR(McT*-TP$Kn#@ogXcPzq#c@p2rH3n441KnQt9@{n+4_+IZ{22siy47 ztg5Zz59~k8h!i%-FTAEwn3}3Ycv!PxXk^eb6W92^;P5}53t|KbVJ)1yN3!CW5rQAV zP{0(}y7?1fntq4Qu(f9`4-&qOuvG@&8StNdSH;r&uU{smDXkYK(b2fEV5K{nQ}ToO zD}=@qBj>ae6ue*qLmRufo_3F7BV?ff=g8cb8fLIRQFeXvfBN&Ct3yWmddK#J}wBoTRy4QVD8pv=1Y4`kS2&=iH8 z7H~2}EF6KD3&fy;WYQ6Dtd$U*OwQ)q(wFn&8Iuz3CyFXm@HbS{Xm9EfneuQ4zxF9y zgl#y}V6U?9i)VVGy!8BQ3h3;gW>2Bby=%s2@PG=4l`Zr|%ta2YI7df~!gVHB_r+|u zl|AFIb7sVS`jeX+NPy5DKvcfEB(C%v!s#X#hMAx0dz7prbJ7HZ5OH$_e!bUUxRUT4 zE^tfh>spD_b7eOX%!Wh8Ms=&t@b(U_ehErZ8%+hx_hyeSSuAKXs|ReJA7#uQ{&NWR zO%4DcROE&47D+pNreZzYH!fMeIacc-RI63K-0vc)P;4Z`6F+Pr3#HKPTx&}rb>g() z{!&OI;nuGG<*9K&RYtf4N$kVXRT}XDqD}uZL-UpE^kMTwEo>p4SW{NOR;9?4qxO&! 
zKv;peCPec}>NMJ3WNDV3Ad|=z;C8ae|86^X{Pj^Zt@SBnz5`g}`Zsi_gHAE?6?a;u z#HVkbb!pgPMIba0P$qRad>=t{E7j&mw7k_t3O(J=IzNt4Y2_q=|1yFOi%@~pRv!z~d`Owrdy5|lY1EJC9 zXKmm<5Fj3U_&nGbGR)zL@V421;cYj!F?RW9s#x^zuT%j(>KqR@OY9N>ek!Ml_Izey zEN9a;?T#KEt$9VfpwkyG9<7KEL$sYfVugm}wC)q@v|&9hBSGkS&1%WUA8=W^Bqih#8SEt4{@S$3y1D16(f)^m z@n2=K1a;AvYAl`tI{ST*A7MeE!2ksw(-}NLk5#Vli^Zdvs4(J|3;9c3JF%V*%<+_3 z6}6^WrY7wsghLsZu@*-Nv=8{_RXnG{m@=eZyt?OC#4s)&h8DI_mfhYK=BX_lpQ365 zwwxqpPG1V>V)eBv1B5Z`vZi1Zt@59}4}N3tFxyPX*xjF6W8+238w2tQ3Y|k%O?mO0 zB+|phBWFX`_y%IrRN9T6->P>QJJ>=8?=`3UNL3$c@V|Z|wQ+R?48(b~hr^EG*nTV4CFBB6Zw# zY3hjO!=`3igtXmHqV77L3*%%Q6ZTywchwlt%U=Yo)OvF)z-oqnNNn}mbDTMRoncH7 zNW=oeDAX7-()jE1L12o4PeW6`P=l?%%Vz)f@?uFU@zqW&OU$B`wF%x|efko&!UgFE zAE6{j)%m@BR&mTHm}%)Ria2C79~Wh1t5bYSC;pW-T2ARZ0?#rDGe(BdHfaN z;J*I}HT7^@L@6l%t}^|{ZP~i}GYkq^KNsZlQ`OX|!X%MdpAWnaQX3Kr_n#B?pF4hX z!UCh@-p0DI*z`-Skf!~IkYr6 z!$?c>-1ul#wi1H()}KRdf@jd!_TJtmx1Ocp*|+1|&qZ{RixtD2YP25-dQweGA=Md4 zHcabhC2@o{#IQ=`V0s912q=%uQVoCKS`D(x51BJ4T zNs_q^>Z&h#%h}Y&MIm6ZXk^DpG6wi3ke7%kBpBT*sFveCH;O8_tNgpl?*2xVzB48& zb&b0ZgSKim;2Y%ORL7QsujR6)l_t1OFa%ghsrRw**Uu?`({A~q(WuGTEcKkg!jEU} zH@4a}&p`0UXcsQ|5+79oBqAlT_uuZLrK#q}!+*1h0Z3~pF(G~@MKTa6dj`Vy5^#>I zC+*bg_x?_MrUaE_RDGic+Y>Wxva-?F7<_LF6$nt#? 
zl2f~_rh+HZWyP?_ik0I!@;vIwJmTK7#cu_U=PQ*?8H9phv5Y8*xCXa$*oAVc&r6jw* z7-1*1;XkpWK14~}mg_mr%ydhVL6ZJKq_@7@anVOhZPtdLP_}vI2V7S7UVR5UN|JTV zqM++f*R|QZje7ayjt~eh%%bckzr|-ZWL14Bw5Ar;*p+eto7^6Qe`U1-)bWdJRXz?% zYFSskAGc1}|H+ubS+r?uV=u6mQCHCf9CIOTeG+f&27i_(DarecIZPCs9;r8fJY^@~ z5%qO)9|fl^gEluuz2-hQuFk={&-NwV#@WkUt}!5k{I1g?hQxJ#yToRl3Izt2=@9=0 zM81B@s+sc{snvDB&>xJP%&E9;$%0C?)MSSbz$CVkOSPNxMkk(o?0)~1F{PZTNy!}T z-PUR9X|kVAd6jE9j9Lx%v~?VV*>aRGK^u9FKF#f$ z2V3f5*jbynMtV9(8pa0ei-+eA{IgqY1Ms3RRyfe+;EN5LEG$QPHy4{PO~uf|IQv(L zg)}}V9S%1^B$szR9PaI7k!^F&@(4y*B2I%dya&fZ-~qz%BD~v&Vx<%)0`Vy9GsLDI zJ)7*hf&Le`Bw=|-0wNUrije8W**Y(PMXLdm7-v!35%Q=r$l*T1)`#C z?)K;YWeW0g)Q$z^wOu5~`C9`Vq$EM#BS?0>cRQ%q8YQ3QLsR_oCAz;ShjA2qH1bHx zN97ffTkj-kH{7q8D!}f(n#-AJ^4P!e|8smBMeecM%fsE;P0fh6!gnA|3xswsa%Y#g z9@<6|*yggzdH*b`VUt!Jm)@Fhj8@zGPAn^zY z{U;?p>jwLzw)YfJfl>|E-wJ3KK2!x>eC)CRO(T7E|&dX-<4&%pWk*6 ze9Yj0E&J)K_*!7is+HfjOHGdXy#BCrrXYmPlaNZLF=TcmLz4rRo1s+C(58yxX@dZu zXd7Kakf};3Lr*^-e&sdr3(0Hyo76PVuy#D-O|op->Kmb%nPB-UWoI1YJT30`6M-dV zo_3Ag0W_(Ilwe66ux&i8|4K=^{NGnLF~clTOXr;Da>j~PF!Y8H`N4Luo8m zI?&?GoiwvPhAAFFdzj=lXhV3;an2epkVbPdRaEG-1+>eoS^nLl)T!=ce&b~ZE4ngc zBZzi9w(oQ}cv=^-x{({kK;UE#%j;~}cVCKO;S>0aC9xmI{C$09K8u$2>-n8-6&3Wb%>QQ2%VRDvSs6VrZB^KrY^(% zr^9ip;gZ~-Yzbl@8BqmNo}W&z@M&$+i+tpun2iHZv-pUv1w#=AD?I-t3E{pOGp!an z1S57exN&SC@0xh(i>Wkwn_kSh_>I3bGnStqK)=P&-QjK@Uy8)p=e!!^`6kaXXBP)W z6_xW(aepfoW0qAB0IYk5fDJ@wtR91Gia>Z}Djz>i7HdY)>X`v4&1ysCE1>ZK&A8iQ zo7p4a#V#~%WyiO%n)*n5V?Kspq%|yaC|TF@rhMJ4e-pX|$t{c9_M)Wl!N>hmz;(X; zxb^5adJua5Z(T$QO5Sj?iD`#saM`|np#H0crS$2?^8Fu85Hb#fYD}hZ+6;PAV_jEx z6dZ!Hi%oRkWjC48VI!t{7bO=AZfYwn1%r7CfFFRsWHblHXrI#DE)_PDZa7BBx8UgN zgTnJg(4MLoeui)DvXHL};o&kaKe8bW{w-@KIL5p;QmPLI`^8Gifwf4`I6%O1#=*B3 z%KgvaJpYEtnxZ86V-)bU@5K{=f~HJ)VKJ*e{9@(4f)|B7(e}%hYJHE1{yrA^43XSOqQWN(Wh=@^X=2bW_vXJz zZY`lm_v5ikFJ!I!Q7~K`(KmHuX&-rr;Tk3|TjujsD zkD}}X6*hB;$b+%;_ILYCp#L}vTI+$E*r(RoM^ML>9JgP%y!a*Ang5kRIonaha>UxC zZq&=JVDw}Ej{tA+>lF-s{}=kafAiYiE&EDkfK|Jgv1Mp)8M;Xh9gepRXig}&oLz15 
zkr0~MTO%*FKw}y9{I_|T{5MMM%BCq2duF(bCl0#COBt*UvI(?$oIRO6&2%j(_5Vtv z1LYW`&+YKDQEeP(vY6sfahLX%SYc7HurZimax*B%j}RP;&QQ>Y5ZNWeql~O&tDQ8( zuh&-4D^Z`bBrHOB2ca>_%=Il-drogG(0|O@=U4_gBtJ7F<^A z=Qx4-aq;KqxOMWBT z+(JsUe&0o|f=VIrqc*0VX|XN(XnLjWnHCgeq-lB5bB6kX<5V>E3+O_SxLu5r7?*xu z^BeyG_YJXCoA8_5r(4KTSBv7E2T+C$AR_T}UfNd~eD<&IWqsxyZL>^8ZSxoK$M~LB{@;W{cXQIcw%ct5DY#;0~BE`%=xyH>H81g z?8%SlVYE+QE@M@0D&o^o5DZ4M@Re9=9#gdA`r6qWiO5g-cj%)j z7YuL8#Jx+sA81siV9C3Cl;{7?VD$eU9%Y&R?%D`THx45x1;q1i}jc4_w~;>@$vnQx>bvq;sSmRQp?FjltUm`GG(n zBn^!gbRhDKgZ6k^PhFyv!2=!t;#|#oM@zkNYf<9DdH;9hi!JLe+rRQ7j;ET)1sIB^ zDIigP$n+Hr2bmk?KffogMJ2~Z39vCX3B<7_q&48)o|~Vvq0s@JVgAbuG|X7wP1hbO z%2vRXbC{5^cAu5Q`#{#YFvddsm}%R6KR&2r*H2f;*V!d{YMqKG*lokrJnz-Tj1&PMB*@ViN|#@CqS_ z(ZdEEPWF~K&MOs*9^~1ti_0q>bYNn(L6gS~h(pXmazkjwfWbzN_&v!_K}t+QP)PrGFE?` zg%8K{9LltO?<1SECu1jX05$85QRw`T`s{vDy{enzSW!01(WDhCUDoO?`IXk&Pwo70 z$#|}Ff1Xk=dyA}qLpM6a6d9UjQ%YV{kW&_Ppp##r?&PlSS06ux(~yu znFpwja$1gh3&U3_zPye0WuyHjyc2gY2^I??oAk!iCxGo%Jsat8S0l? z$smtWeI2t@gYKxIEA$f<+Cx$^Bw^=PECcCpl-@o+S9qi2n%2L9oMkNaw_-E0<-uQ# z!PNbBqgy&JUzKvauQq`tYjTQHVuub(~v8?AWmLsAK9ZZY_o zFlI5F_MD%mlDhD-EbKI$7Q4umuxEPlHe#td%-Y`c-=OKk05DwDvymp0CTK^NZ_4Jg zbiJ?~pub=Hq|Wdyp_VQO-p*L|^)q}T*-Sj?oqa9oI6QVMPl1=-!L;M%gP8hPdzGwkJYS&< zA_wiaHI}I_U8+&&hhna)9;k3^P#4!}ElE3_d``!}3~rb;ge)cVJkre_QKJAS6N{zb zz`7RrxSLM{ASa92s!PFkjz|(0i>8H93%v!8?@? z!IDCLLa4a|xg0*mFlJaCFOqQS&0W0Jk20n&1g;kYVeT!V#q&=!Pc)5RxZc&Cj2r@kmaa!TZ_&<|tt)gF9>Mt)6 z9kl`SFiJ%%KY2&E0{9;swhKL56Y?6Dee#mdmPk7+5npcyODTB(-=_CS9u!LYW1Gz6 zU*#K#vG6@|sypX(ndK(Maf&8L#c^Zp%;t_vx=z0IftG1u_qLl7D>k1$Nxv>!s``ld zm(7_?GX!kY1<#zC%#aGW8AlFO&WI1x6-B?S>~*FS^^^Kh!=D*Sgi#$>y&>Ee*`=%! 
zoNw9}cG8M`@vO*o#J*WFyGFsU)OWE^>~T5M?~x-dE=0Zn`aJzw!xTqELcbUhqh(cMD4IW7vY>2sZp5DL80P3{35=nJ;&A#%Q+t{kPY^~ z9>MWW=rezY_(J+mI6B{ae9m32QvA`Gr|u&SdkPHQPZyRO4@Pr(&|-72pj|Qw;+n6EURJ?)8{!_*@>JP^a^_9Gihuh$Z=V(h_clrppCzu}cLHYn(HAUgsZg=th z&9ppzh6jncZt&4n+eUNt937f!CklS5mlED90t1eOz-oejt8u~meS!bSGKcYT<3d*$ z-9jmO2dp|)u$NX!(FVVgAShX@135U4+#f^gJC2oyMqxVO5#nC;ABYuN8HPS%vfq&< zgD9d~y}PVTZGOZ@ZG1<5;0sf!)bKE>vLW#EE0WV@xV2|;eB$eDi+UY+3##wahW#Wg zfY;RPm9o)tR}Bq9w9N8wfyDGgWJrn^EtUV7c{Ay9Z~34$puXqhuv|MS`-JaK7;U|n zOf$9o1UKyXXAm&uHlX~Ot-wAfj}z@i4E^|(v~SkO+HkPT#k0i@Ph zJ*6ifyE27Qv&w3j=nB$C?)S6E;i!uk_E!i|QfB~bAl6JOs>hBu_0qa*4VULA10nve zdYE}5>Mp^uHE8&VVrnUBsT!W4WRH#4#mvv^(#>p6GKD`uPy$ymcKlQbg$>yBIiF-> zmv;%o>rfHw9eNIgQ`LNPX6yD4StJGRa-tWDwUUE+W@zC$>lPI9AR<(wLDd>c-pw)< ziccy^g(_+LwPxDp3@rNb0pRwwIBOxF>T9Iz3a1@mAo)$7^Q`pQnA}BuRn%K_3wH$` zg6@E_9$S_N=1IHGUyMx6t_KiViKtt%An;@4nSYK3TL2@2Hs*bdXWHSDR8fKy7_DJc zJsZqrJ5I#I?I@{VH!Kg61MXxH6k4p)@=x#k^m+iE8j>!f)U*fpP;#MHwH2-H9HdAB z>w~VS*;*(v-h=I>bjmY)p|s4OKZh@kTr0)6QsQySQkkq`x_r6s%55(s_dzC8^kXuA zyi%-X43ZgqI@-pJG9{$F_efmI%>aR^)d)&_jguis&#L%v3p1QQ$NL8}>GjKQD3Sn- zV6N=8f8`ep_k%x`4p_%4Rt~otmD3w)S2_|x&Hz$#7M=VjW(BPL3Zy4yJ{Bo@?^{AJ zeuzHhklDtpEGvDO*q_))HTZiNk*|2k_Su@UZnO7G=9P7sv(mNyvYB{! 
zd0o>t$5%i%+J74Q3(0B-6H9oE`ttQqRCv1Gq-<+CImii96yah2XG=D>qK^KD@*B(s zq2bUGz6m>%DtD5p@|czYi#n%$SEI#;I@W{t0>CpYG>i%-+!~pjEsEz~Kcm>=_)Zlo z+;swok^i=I7T){gDf4@8g(YS(y>~sxTe0UnP5eKqw`l#@P@`W<$$>3owH#FH~a1cRHjF*E=@#i0wE7@Y%3X%&1BDo)a~QSoZ1%a zHu~u@QVDvZI82zyYwZ2;r6QNYhY5&duMjO&k^Uw-vYqjDf@V}bbL-ggip9|+y1!DA z3!aFBJ?JJPkPX+ZcO{~3=U@?`>wd{LXkjEqHO2MYBwh?(K6(e7UlB5q@@$ zp)Yavmms!m#^UX~v97Hlq$vwwv)?11T0i_}cdpvBZ^3>RXX(I*e2dSr`+0GWEi3sq zNjG6R9t${Io_}BF;AFGq;o0*d;4zhCIf3u+2gu&D)D7ZlQ)TrT73t)=?qB-ePUQuV zEp@a6HtrwU4@Bf^r>?7k>o$*b{Bc&+KNsEnk?xMoJSoMe4%FSxc)rurH|-wjpH#sV z81($s=200Id{~G{A5$f9T9`NoC+qP^B`aH?Foug-e2e6k@3CBcl2PQGMJd8M23<=5 zQu-ZV2HziyhAle`G$`I@Cf^zxzyAvPWcI0LCNcv#=_(%Kou{QSu33F~nQbTz2_F5@ zv)?f9?_<6`?Qx~Sdo`XR{1tJHk5<$9gU@0!Dw$f%9;gJ>ojQHT^JnQXL;KegkG^qI z3|DbXcqitzC3BDx!v}M(TqtGU8z%?&;sk!>HpXCm*;4EV6vs6>oo%u*7;97@he*>_ z{bmBX^@a2QO}^NkNvR*3zb6?4B8Y%<03=J1P6(b!aVRus?$)9@B5~m@3pLNbHZj_1 z(!KIuRPz~VD2!W5Yoi46w4oEn-G}{$(>mrsde9jS(dB>zmuFyk*u0Ny~o;)S;-B8#KI%}V!3X_j&DvCe21=C0fkTh z?8`kIGpc5Mp&Qbd*g90S^OImQr?jN9c|&<=`YRVF_Wa^`_ov&Um#8u2=DDVJ<_}f^ zBHr`T0jB>=S#qJ}(b?GSvu~S+8E4W~F~O;XvO>i9>wD6D ztF*qsA6z2HE^;;EWre}Kgw6|_PBWWMy_?O_mB)DzBlO~^3d7oD1P)fxLPS2>v>_Ku zpp`!VNy|geZtNbtoe~DVK%g*{T2@66DA0CQX6ESV4twM#U0ih##~ z?c5#uqsy8E*lOi|oT1}nFD|yshV3sdO=JHZ7ZW;@gqPFBO8ajLh96z@wl1D&<$tT@ zN0?9qDXV7r(VKrs4VC4E@3MdT9Pq)UXUC{N<80orHX4CLhaPH^rcN(@L%`Jkws=6i zN4g9Uq(nc$@Gyj~PD9fiNSrCq>+pA8?q;&TjbFTOHmpUUpZuQ$#y8HFZz zJ#OV?Wq=+x6L9QlgCBT;=3nkEm5`n)Y9w#?EZ*li_jmjrHy{p%X*o@_fQD^{VQmtE z7JY9GU5g=$=w!kWGr(_&qUpq!)GpT{bl?u-$Mc>;UoK-r-}OLT2O`q7yuJ~=MmLeM zKZbG}3kR@dH~*)2Lz2JiTfG#qxIUkfmO}?dbk?t8iAJq_4dnA^C(6U z=I@qkoFPZU9GB6PWw=)*;VeIXmL5;fNP8WKIeppuV1&L5RZRSx&x^Em(|euf7=;9$nb z0Gq$#r>fV%O%Bw>#CJ5tUgS%;3dfuXyGJP*e5f3ZC>uYMn3_VuGP}Nein=9;&(5&w z<`$Q|2t=A@o8|Qg>b?ulP@7B5&Z<8jk5@;!;qc?w*qAnYS4-yyU#|5fz9=;lj!sAP z>g*7K&aF#nR&J5}b{9t^^;XMp^Oi zs_>iXb#72!zInj|-l>&<$|MUa8u{c`a!3-D~P zl?bTjFu&P1dTh_}rigpeCUA0})PxOsEBft?^!NJW_Zrc0am$Nt>3i5O9&6nM>i&Rb 
zHra}}mgP%&OM+8X*_ZhuKc_I1t{)jerP;HO9H&W_YV7AEz?)>1N4y(g?BPj_j34 zYn~bOr^5RB`lM;h3~j&~-a)|D71ql7(3nQcTk0x7X`AI{KSd9V@dvA|=uAAy5smGV zany%Dd0Vtw7a3ay6D4b8ZUZvdI=qAGPo;k@Gl3Zs(JNluv(&iJS@A@7`X+cXw!TS8 zNJwC<@XAQ-NHl~@`FAi%y0i~}xJGwP4)&~@O}yFf>J6R*^uzCbjCVep0PDw5zXA@- z=@4`F#+XHK_`HN4J&V{3$H-A(OFkh0a5xpdE`_a}jUGD+RjI$54A6)QAd(NLOJw8) zdRcHLH}v!~GMo`L{x~HaL#}%*y$9T<4p}M&-Kw^1|9YP_qGolg_?Ah`<$Id_*QJ9N zE8bpqiffhcw-UUdhg7Af_f2UBEbxdRB^ULWyhGlPTh+dbT|U7%-n!S;-T@tEo=aR> ze~&;F>09ggfD5DUI|QP^!PImW47}3h{mf-(RUC@=5zOp)JUBRb&}1{e)Z}9YSQt?8 ze0UBj0x_X}X z6aC~9H2ey8rD2AApi-5mWPH2wX$bh(1;*6nF%SjAu!uxPpx)|N=i)sTpll~wJ~(9lLWHcGI-G2_dZde_o< zSl`8+N5QTwSE)$1uP53B(S}tK`MQ2g#xb31rA41ztNBGp%JEr0CS?6tAh?a%!!a9D zy4gX=RoCirXcZcP*jgTjl;axdpJjNi@}E?4=BPZVVp^Au_lPa5)c^q8?ZQUZRi{U# z#}7fDlyem{PNc-k)$hCKc#@Ty{LRhRvtrj;o$2#A>3e1?twu6lX~QgzsGE--(vbJA z8)va=3p2r+6N0|oPpmpII*&f&y&^J^dFPbxdW~X$uKt)%1NF_fs;bD`^zYKV!aX&#cqajxq9z;(jemW&heBN9LvG|-txm%8YO zK{$XOP^JQPq)2d7RabwgBR{}AQR(e8EnkaWGgomH2QcGd<|Ccyt>kz=H`*U9HPs5u zEq8WyJ}D8{ib(CjP{QZ8 z12P79^q<7_Jky#isQ!kGL_{NZ7Y-L21GG>x86M)8Kfvu~S4#r5o{_O#CnOIu( zgiyN_tTJt=BYA=&F%gm9$&{X>{pD8=h@Fki?tXoJy&^X^cY2c-YV$F4ksY)LXaxqr zL#tn2)6M5aE^=N=7J9EWxa~Fj4e-=*f5TUBSdOKmuQ<$S5Cqgz{_I7z;Lk;q_Yln^d#kjl0O_f%;;iF*wrR0-ix zy*q$za3@g*sVpe~K;Hua+yGRuE`yMUX?^C`)m7>e=zSW18J~hYpp!{}XcOlqXI4-E zM%i!p%?&?cKm!^jMzw3LXrDy9G7m5XxyV38FypVTt~3=_|GKhl-Ua$|e(U@7BHR z9;NPj)c_SJpK9K3?b^M|=f<5+-vyK^7%|6d2HiSsulBJ?Zxo-_I~#cPT^qACn-@3D zUEJ~26vm*X#9mlbA-~+TH)^5&WG#AlMeG}V|KfB0LR<=j}njK(!h#q55;kgqe>VF!v=(DeSXj&HzQ zb#)PxuIRqk(jMSfD~%xbr-vr$k1nb0m@_6c*&ou#GVwZ&jjSv!{g>_1UYYp%-a5pt zNhpFdh*#7G<{~CD3s(o~`7aXM*F#d+$ReKiI7<~FNm^HzABfOq{QG?5MnuLC3!oUw zAo)kh1h$8EggS%H9)$qpHRJNdgTL;@70yxg$3i8FPMWn=VPgGh9z)tw8;MyORHzoG@RpaM zUds0ww2u4BPiPVywAav;q#_J*`7w8v)VH2C9T&|=)n>~)GqatlK+R`ygL_EqELF{# zupqeOrS9-I>qAGDw}?$2ihL3j8TP%nx@%x`loUX3`+*-QwqV{^FtGoO^HK;_@y= zfC*jH8V}^Wj<1;l5z2*_)IG)iPOG?nkAL-D0Q0|krRSTe zAm#wA@o_+Ne{o`BLiBa9+zM)0LaDBY`r2&M%aJcaS6&3x#R;o6J+NUvq{7s7inJ|jBs(}b(8YAF0us!M+y*x1kF 
zdb#XPO_+ncl5~Dm*S$T((7u$!7vjtehf_mCG3VtsqLRp$K9{!}&M9zVOnAq#=GF%z z;llB{3$V(wLz3?_owQ~j73`@CXZstRCwa?M=BrtSuR_Ph{*2IeDHR9SoQjbaUg`J3 zM-;6E$e7yO7j8ESLM}d+mzQhORtK=LOCIIkxF7Y2$4@8Mye$G9)>*_Y1F?c{`^sL( z6#3G}Iy0M+u49UJV|3o$HT+4)d6k&txU;?%p#u$xSqox|p7eMX?<)fgLp;G1&!hhE zJ%S+_9U~sEpdf+z+rk0HXvyzXdBY!R_ctA*HE4qV3@4t4PfFY06sR6ZRhGO?iypJ*>`t-$JZ{H1!aGtvSD2Rd$rL zUaiC8hn3c#D;2&bAwb{&Z=+qGyH%!N&DD^jzo0kzO#{>Sv!^|Y0T%kc?%d4{@wqJsw?uOnxChc>810Lm`Ky@g3--Gs1rULS<00QnTKf z$L21nJj_N63azo(_54_|iYzD3`{|IGnRXFNFZPjWZ|=94=D7!p%e#e`#Z|AR`sSm6 z0v=or8YU(qk@fCo#*nt)kIW&?^rE4LlQscqQEd|^&9+n*&+E)Ng|9@u8hEakNcuP! zObv^h_oFiK5`Jq@%F-B{n^P#p(fd7QVEK5QHP{abNJ~F>$jQm6^E3_9pkM$Jz2W<+ z?wj$n<9mqwJru+E@2xvUJeM3%DLQevdLwwF{*>&3D!~fF^D%P{^yQVtIEpdj{EjkU zwwUdUsv+*m`)UX6$x=X_iG#yo<3(MMq{H>FN3-S`!NR}HgRt?i37oFj+FOsw{U!^T zfZG$}Gymzc_nlh6^@-&?&E$8jF;o3)kTb^jQ5DmYn<;dD(I_@mGNK!0%yNMvviVC- z%T(B7&diU&_&M|2(my^cYB7Si+I-)+?&kipJ-f5uF4qmxyeWz;Pg^ zgw&Vg^Zb=8w7z?vdsA7>7`!V1h>nT*Mrel2Nav*Xv4?Klt;xyhX`R(foKL*}?UUzd zxMZj;lH8T$#+OjX_L<<9r$nr$gyC(9k%|SL_Ln4RT#)Y=>Q|KCvf}_h)O5baXLj^n zG`=;aUVx^Df_&=L&-E+d%G1u(T2;2Bts~VuJ>IkN=bW2~+ZGW$tD^3w9G$|Yg+6&w zH6BMxU(m{hD9|cJ-_ISCFf+DGT>#%gnuD%PfZS7a@91G&QR9O5TX1_v_7?xO5sY8# zVhO&C;AJilopLR(_v+2aE0%+st*V9xZ?qr%hH;D6n!+ivY*XCSc`-m;^ziQhTmwSc zlA87EZZ&Pzx{E6uI?_6OmoYdpk3pB8843y%mjs$BXM3JfO0#hCK8iQ%S;}O1;@4Dt zo--xdAu!#F*W3D*j4znJR2#eER1>^BivNkKbS%5>T967j=#H9#1xU95HSSi%?Th85($flQD$a z&ns}cmc5JU+#C4FwcYqraA#=e%ZGtBXfC=yv9=T40z_sO{2GFIb)r-8*%Bn+Urq}>e&&S(LmZ<^;+j3hN>B)fg1)pda8VYL zJ-|qqZMq&%hC2QeT(bA;JqKe;=AQUP8Ev!s#o=O)oGpgI)Gn97*fa)gcrHvcymHo; z@Momph@6#oxj38fAA>_cDff`$`%ltP<)@kE(flD0W|$Hh?5S(_KfghDROWf(FV|Bq zq#$+$$$~JimhFe3{g%1A;-Rfji%Q)d8F3gg`=oB{K}EQdP_y_(Tgu4ZeSz*G<9(+D zXMZu`WR||~VHx<|rM0|yJUwQcOmJ9Ro9tH2Yl+-oT3^%4Pe@3oA<)_46{stMwc%8l z!-s+M1ZqQuN&thL|GF?~HufGLtK>W=#);r{{0z6hoZq=WweTeKzk8$mZ zTZ=xJpI#2|zV;itakmn`tB;6?H~;{~!pL*Hb4#&`(4&K6YM#*2wjUq!qXq48Q~|k< z|7+WnEidY}-bhQW0?t?_=@L1)4%ewUvwAyTYehb}LFa%yucaEwqx_GN5{i%BW=f>I 
zQq?ICO{NvKP;@ylIGEk5usiruZu@TApp)AmRvBz8r_ND9v2s!DWA3=%PCzZp2;$Wwv$SQebAKg*mX%_r{&24*q!iaT zwTBLui}~omw!z_7mbZf6uO>A<@(+?s7B20`F}Trj-Ei>u=s*aaYKdUgS1i4RXlQu3Py>+O3`PE+-apzNOZpJQenJHp62oLg*j4ep9O96xxy~OO*~uO z7I{ic8zUDqC)2q;R@yAK7!rSmh5~=hp?*D_`UP}7Zbn`^6WmZDD&ImGaM|P&s*VG& zjg2RE#euW))|m(RoO+OLT|JlAeBAd0^H_TH;?-lapXf+8i0>h%@m72a~cbRR_(Y`9jEyMiv}spPsQ|@;g;i@+R-C^Ci^X~ zC60%!T3_bL`x2idG8xCVtuM@W)d@c?paaNoeyz%VEYJbzQqO*!xY!~-a zAB#ZY1{29xrdP22`w<@Qg>s*VX3eqtuR8WgCyBoSiLK**GE8?uIWbb;HzTjCZs%st zp-+2~NSx?>0U#?_W0U1;?|a0N%}*bRFUJ$l3j&}oDKzVE5`P#cx36i@6MuI+wYnt{ z5{Eq%K5SZ`@uEIaN#hnX+`u*3Il{bZ=MA_n$j`1Awa%^RA>Yk$Km6M=W|v0yhV9n~ zU9YBcsUDdO)je;8iPO6rc`wa~^zE z06^EET7dZ2{$`TlNhN4}qAZ^0wDpOZahCST&`3*Gay#N#y3=bHPwVYv27wX8eOMZC z7-h@1;U7n1)|Hm{F_?kKrG(+jXD{a*#!(q;ru{B{LWGC4ww9J}j=H}qv;A6@{c$Nj zs&m&d{G{cOx?`g50^e+1I;h_yZ|$A+Ta$0t#z&)w zfTRL~pdc+FAgQD@0wYFucZ?2cP(r0k8a76ch9M!LgdiX}q^15k>LV*<{ZuS%em_vfSOCwcsD4ul?*MdN;$reRd^%-+W%5Ouje8DO7O^sYW6Fvy`9+v z4^(B6dHb$Duvgnz1-m4Q5n(^BuNP364y`Z%E}tnUC&b|>QRFx}7J+2JfP>l)7=o&8 z^|AwP2$+q!x9*=i^yz1VGu^cH{rP6C#%yRQ%wQouKeSub9tVi3SeF#%e|&A9`eNql zo7ihb4&U_~Ph_2*=+}?s32&e9o|;2C(J{WeX4C%gs~v=___&_z=TRV3`JW}Teqd$5 zfwKc+*QPO!*;m?BBnBc&cjH?5O$PAv!j3=T!kRD7=iP6?yRMKgKvNa+mrP);Na?17 zQUtBy#)>f;^2|^?JUlk9+Zp~61yh?o&wa$`TscFR;!Al#2hy$_G}`@idT?q0D)|9< z=1>W$j88*x>iI&~uR<36{sA=z43e8_#9)R>-V8|IF@?94V+eRbq=oJ^RTa!jVo77Z$5-M zN}j*WJ3>>uLU6plpK?=K>>3cQnMrnB|LpIggQ>NWkdCJy5bAsk7_#eiBfYTFY z1ild1?1J4T<&Rpuu~Zg9N($!t&)*-DY?vpK2Gd$H$TZKc!d8--vF-Yg3H1&`ZnZ>R zx>o80iK_?a=VpnCZuZ6+p*!Al7X_sbH|`3A&@-tT2zWhz+tz~iSHjcDw7E3RFj5$r zP!(P_lac#Yrgmu`-&>_~zE{rj9XugAnkdSNXJ*-%3@lCktTq2*tQ(T&$2RCPdL@I2 z`55lTj50pQpbM1xA=yP6efsBA2&gj=#=-mt#2#U)lRM2Y`I}eI*BbL&K(|-evY>sA3ok+|Rf!RIku2Wwq_a_kg)s zo?K5zwi*rbl^D;g0iVtU?czOyGqXGgWlo=p8}LIgRtbG!Ki_E{-%8(diIm8hTM~qv z$oHRgOg^c|vM(--HUwrk^sRbkW@3vZ4_eq8KG=yh0?m>2qb+Z>la)um5%UKh1DNle za}WLd_o?Rx_Z8NSseS&#l>GWwbCbA2CiME>kruKBjNthx!e?x^4anH!^jhc3A0+^r zFEI>SnAY^+eq$mATY#4$Z#kt!MZz|!*y(0aPOcvQQdsyz7u;Dpg#{w1yq(XN4V^I@ 
z-#Z2wg88!EZY2#>%H~S>uCzn<{``usED#u-p>~o|ErboE3d}$>{ZF++x}( zzvuVfH!lUJjlrmCxhc86?wBV)$>ooAZC;$#tDg3{Y{xm%WV-nUc{(+t^7=eA@rUhC zVLKX&;(io+@PD1_f!=pJw-5jJY7|IHY-N<92;X=VC_z0q_a=c~OMl_%fzOPpkcb+X z2j4J2-yJd`O+amd_gW&aYYsA>eoe`WCZqGVHZ(L0-)$LOuZQ00Sx$QtHKX-RS7N<1 zR5tBxS7B}bWW6gO_Y;JpguZ_rXY5pP)H3FmG(c*;l`Ngy#ud)RsL2{SQ$;;VVwQz? z7mn*!tjNyQ6-bc$Lyfp`cS}qD`4mw^+aNeUD#+rKw_&#w|8=9;kDwA_#vT@Tjpb>) zRLmE1nfsk4MS;B18gb)sef%EL57FfvvI9S1BklDlWE?n<;4=RvA8z}FG_{P*?LY*~ z=R7bzKCXvwP5f}uI6=is)rjy>m#o~GQN5u6&u0kZ<{iJ{^Rl9+7-Ig$gF&@4tbAvW8%*B!O6J*?B=du;hcM&I3K_Ff|w;swd_8}=b?1&JqhkjaY_aS z^b5LqqpZl%_ep#s+KzsH=k4S($7FJSO!Srxoe(Tl>dLq?DMBK#M%#FM>l84ae2xW6 zp_m)~l(5D3Ce^=mxYQm*1XV(krt0m+_#@%3t$#VI9cCfDz`n76gP8ppik*H+K zZT{&e1F;ZF_OQj%royE^r%gQn(F^jhxzku}uleB^)h81=o&&abH#avU3k#nBhUrTO ztyS2pvm#JhTbCz4VMDnze%uxJU?$njgD!n?m*T!!wo5Kext(#s>Q?|$LOc)9-~2$J zl5x0h_K73HbY^??{QYxo_^lX@w(n#A3o*$=Q{nc|sU>|rEnYev#!e3=lJY!1$jI!d zp!ESG4yBEh&LqC_uN0To_Uup37b#XFmgr8{JH;_VFSlct|NKHsuPAEc-jpYEv5n=Z zm!{Zt944C6-y?_n zLJfAMj6jeh2xocL#OAui?^hwkSLcM&Pvzp?^hTlMVpNS`7hCzse!qkr$cuGf`y~+XjoRjjqn#-C)99m z8M3AqQI)TC(M*bcSxhz+jw0W>M*`hO0s(=gJsw{lxUpm6r^ZHL+V2)oi1Ek==*ZtCmP7Vx%voClFzk>~;A@zp-8k&1Vm7bVp zwtAyNyID-Z7P&RtoR6*0p@kx)?1un@1=cHPl2>q==-zK`i(~U;tGYj*EN7-((^y_| zsbd_@yOIPm^LEkq3trq4l#(*>?k82Ysj9k8J`F+MfSI+y5HOy8>2}sOBWMA%W`7L0 z+Y|&pKNALOBKjSQ6%zqvYFX4%=D|19@{YAJzpHH+x_V$>U?v_M2O2N!M`f%{ijTGz zL3Ot^kX?aIklgxA3Z2zZB%K;DsKPP8F|)oOMidL_y!A2~snMOan0^Elb#tAH=-UMc z0&xG~p~uwW@aso(9K4r60sCA)k(DPbs?6%vR*ZIu?xoijY|B5wn7ntsZ$zNl_r0=V?h4HC~F`m!%3q8|bd3n=qBX`B$Jhn8o$WOF*-NU9&WkpEwzQPvY_8N*( zG2y+S!&SrJ^#(8NVFXn=0Gc6rclk#&S(D3by(4aL5Qldn^?Hmp^&P9Z8t2{m_a^s` z{5y_D6%V8V<{V8(m%+lX=snpyaJ}HIGD)lRs zYCmnc`j`?*7N0>w&39cjqfYA+Jj=f;-kjbwt4F)C^$^rGwQUW}iF4t`nS!$qfbk#- zOU}`jD2Xsl38qd{JzBPn4(9mZqS4hE+|-KPM5K(a6Gg*gty`68OvmQ6KkUdMJif6E z#EaQ?YPp#K=IQWTBnj&N@-8TaNlT{NbFJtFDgS-F#5)rs`u_Cn?y7k1HR>;X?lWn7 zT2Zo(dt4UWUxX-?dTp4`x@z2eHnopejC8XNqn#7)*f~d=ZXbO}4|_1}lBhaB2D$2z 
zl}!7YT%pw2g6}=1$wLVXg~@~(KXIgHnII~;slp0;{UMsh~K&-`Vej(cb#qwE+PP#&bs zb1}b#>3~R<#OJp(Y2%0$@=^X4yv`rHLg^v{UT|}8`WCOf<&5V)4_>>~a~dPBb5d08 zY9VmO^y776a)PQy!RXt<%>XWv zdgbi>;Rg=^`$AGEOWl)BjUmR4R{BQ}qr2R1E&{19x^lnL0zE*dL9bQ9iSCtuAHc|T z20?Y#ZHeE1b-5z|?(9_N+a|BfY^2?i6WPKohFDVE-d{40v1SCl=>YAc?KZv#pzSgT0+TKY(#tiSCHSsFfDQhGSeCZ(!cVUPD zmxGLr%*N>7snNu;p8Y`31bv_hdsmSdjJ!z#c01iDdi$3N6)lu5?^l$4F_RqnYb0uA z)8eDncvVFpwFA>DIR4BjjH{D1VS57Q#`)OT5+UcrNo+`7Vm~pX#i1+vlI?;V;o4z{ zNX34A+U*oAcYzuH$6R2kAd-1%(NH(B*RzlX7%1Wse~HhKJ`y35dP2UG&!*}>X3`V< zn^{7_LZrrmylfZc?v%6>*#-UNb`vV4=2PGZnt25KtxV8}Q?rn9Vj^(vUC9pmWjoZA z&~9K>?i5CiLwUKj98+wL(>$w#`v{8jlJIE>#dV4qg5f|!- z?!bG!&&gB$YWAc9eDs8uEzI0=$|TVJ$^fy)4na4d6$%7CDm~X*w=Y%exbxyy9-WRb zgT>2leLtbD4o@`rCaTq7P0syyx6ht7Jv*4vS&f?}MIN6h&98aA>RVu-!^hUTHCCdD zx=DCyyd!2#i}?0M1O@9%6^6~Nr^ZezUP*sm`h4TN?pvwnG?Wp%Lr!d{k(rY-pGM}@ zk6%L0`*4LCiFPhuU#xL0;!Acl(+UT7p)^DP$NuP?LREvG6>k ze}?s8{KPH?^$>J#xWs%BE{f1zfMD+qc+yRZ(8!)$T#{#4LDFbuh73%Z$yY8oXs&_KH@IPhIh zdw`j#4rlAV+$Xg(e_GdWf-aVXvfe(X{QB2wi2ENLaHcdUF0V&-hdI!KE5jU z69wuV9TahcS1W1n4P0mI*ZD{QXmz2tj4yFBfTd}=2h!dmk{VOve11dsj7T;+e{qp< zWG$A6ct)aIRsoebxaj9HpWb4P?o#KRpXO#me{j)XX;4x_z#H{< zY<&2t=erEe>v@7I-`(lOnYc=`%XxFy8Oz!AuCQLw2<$oBPaF*PTiq=6q=@y*CwJ`Osqa6D`9Bb`1XbFAxvl z{@njYK;y;q(h3|Q5$*#1H9ygH`$4m*oDS(MCpt%Hm3EzM0=ZRI~$3JWWe#{G{8D>t^9mm7Udcl=A zlbX3nKEO?lP7+>yJq&+2^Gc9$P#CYHaB=^|i!nz(<2Pr)JdBx8NkI`>i}+>FrA%lN zYQR0yyPjz&3R+1Xd7`8gn=-P&oosr=2zpIky{8~aocA^|x~pQ}@A4*tv$I6h=o+df zlp3ro@j29*bMDjIr;qQZ&ftFxTuEp?cQK+2YYx+xIN_&$>-qc++h$-sv>Jmo-vhTp zXcPP0D)s{Omu;n;G|}3>!e|HQ!>z`yOSg(ayQ?g>{}NY^#JyUtH$TF9AlRkHV(`@~ zi6Ln~ppPxOgov_nYH~cdaI|OaKrEGz@;mqiwX>oTej$P8R~%CtWY_VL0!0Mz73H~J z!+9T4)s&T#v$JU{Vbd453uHTU$dAU;e8Z_b*&%9&EE?|I{=EQrXO!m<6FKd~A3ZH9 z{b7pgjYsG@nD{vQKeMURK@%=D*8U*eATW4W1?Mqn&y4_6$dcibbbA7+-C&7iYuC!P7 zx8dgAZ*1WH*1&KUh;N;Ojp@WmXvlVHM$`VwV<~qLG1Q?jXmB0hreXHkn0=b^*|{Hc z80FjNBNsvpo$e$#_1ub>)nW7xe)97t14*68H0!qSm!rVNm}dN1$o^z@oI~l@wUM&I zDJ(1;=3vhVNn2{zoVjcINpFt<& 
zFEOF7fYTul#(_YV2GrE-+vc>D0?MLdz|w1ZwsNh&A^5!Ko?Z|3gC1|cb~41o40HaU zOi5#?(_BIqk$YapBikmKrCyfZsRi)9uHKezNLUU8$RFnoT~DeeOTVqE3vHOcyY_JZ zUbv$pNPlFsHB5`6pEnqLWyIQ-n~ z(~hJP_QuG~04-It)@|Feg1uvbr|C-)m?fOt=1(30!Dgv!!Y{^dBNwC{>%vlb< z=z^niGIP*ZSUN(UHAT7P!O~3NR2c-Y{x8{%*SWnuA$-T=pzeOR6ve7OIDiliS?HUlH}tC-BqPk?zCQ(&vJ9{Bf9 zMORmsQw!iRq+W^o4gUs~ru3L3B2t6JACZ1V+FN@@jT}_u5@=0P^*8XJ&kmB-p{7n& z3mkH9{eD>oLY#5%+}E)#qu?i;xp>a+Pk5s3+1sB*i6ZGeV_jd zIS6*<6a2JOWHS!5_tWM^8EM5}xJIRGR=;gEv+uDI&v{=2q_HcO zl#T(odO$OXnl^hGGO(`^hCLC!Ve~608}+h2AOPCF9XCl?S&Eqcr0lO94SfHuIlAs8OH$jq zQdV%)W!@UP1{0;kqXRjF55y<3@CA{uZN@D#ebr9s)HYWug3bw{9lX80!w&6*=#haa z$ucM~TlHBv9FHH>Yd-?;deuQ(-tWaaT734!w`A^;QRdHmQ^M@++a zM5Y|kRyDLAj1B{K2>XP=;*5X_OR9jUtjUCQS_J$57Qo0c4K4f7i5OE~1wi!av9UVl zU0rTJ@jhWN6?>HC`q1y=i3UKgILuuLxK*<$1?{~p$@fb$^VB%^AAR|~TRhR15_~oZ z)P@=}kA%A?woiKjzjaL2J5F(}hVyf!JY8TYa7?Rm{s)hnxqmRyQ8WYJZeee55}rRp zMJeT@KrcFjt_C9J=znMX&ajinA%EbChekK+Imv395quCXWOD9OdmDUL^wW^dO~tr- zQxIw{!Zw%K)b@U9(U}<$`hukxW{!DFkTC@56v-QE^i}fa+#BAz%Kvl7&nW69Zq?gg z?{?{X^HULMrX)l~r;i?*1IXQySr1mxA#zs_At@yE-jG+n!xW58AF^REL9*s)qLslv zycCESJXvq0v(#^%zZCq{6h3g$VIP#AQAuTjTe!fbE63_bM%<|dbzk6;;|Ix#&>54G zllP-LqC5X%X?_2rU^3bZ0C()Mqy#WN33O$p68WP1VqqIv*0TL|i0E6QM6I!YD25Wa z1oGt=NVD>0f?KZe@0Ff6kjrI1^zCP;+D=rlax!lK2F`6V(;4jI!kh8-=@P(Gm(2z2 zttlK|mt%^J4)n*euDAe2_*Ci zTWyg&m%{jsotU+UV9#}p7cYRLG6Z0eP@JEKh^Q_b^|*|SU_kf?Jw5j&(#9f&l)c?= z|LV`$+8W;*%HS!6hU)nN7UqZF{<15FHU?qxWAO)HcE}UN9(R;%hN!S=ImuHSmyPG} z9d@7QpWc`;p;-238#V=o;^R;H#AnXi_~0tGHQwuD9ha8@EzhLs5pT;UleIV=xKj!C zQ&tzG}7-uci+D`bDOo?rG^jf*;39$KsW0 z{%n;T*y2aDgSlyNI>1sRfQVDL0ofd@=X60W-BMbF;FC#!Bvg&_m%91by4N!a(7RBd zeu~UX6C;#=Ujn`oph6w$hZjWdqp1A zl`j>IOS+pULa#gxRSv8|9Xs>6?>U=gs6Ulud;d({D>^?-7syFRm;k7A%8zw7D3g8p zs<=$}d=;`G+Vx{xF1`gkF1G^4`6{K&JONCry;$jF-pKQL`|WI;T)S$`4%~JgLH<{Q ze`QyxP`@zA^r-p091?p3n3pVlgXaNiNz5+#nt|{%`mkKLCeZ&2MJX8h0c|)w9m3ahh3oy({*Qgz($4swK~wmJsxdF zjngNUb}g4(>|9nY<>3@c+tAEp`#3M0Hxz8vAWjaGHTLX%)CiyTBk0zq#!Hu*KbLBZ z&Mq4j+f`DIpv}#(v$N}x+%Io_G&pZEz;|v%WU0M3;#6!r6{7`2ZImsdspYS>&a&0) 
zC+Oe$J*kAvfN0m5RK;?0B6r(3fp~|s2wkGIE*Q_o|QK+%EEWFQ*W^Uf4qjl&F=pgV=7nGKKv z;X495H7mb9p(=J{%O)KyJ&+C-1XXbuENWr9{C3WcUK6|(`)gy?{ca~m?cYU!-fQ^Z z?$Pg{JsYSBS=51q(0+#|*QvEb?+Y6)@U<-C+CiOgUZ?_Kc2yopKjM~rrO5dgR?4a% z*8JC>Jf1)6v5A`QGwKQKgqVi?HP$Jdgv&!Z9h?2UX}Y~N+OJpiUoCecYJR|Ir=;C$T?WFSWTsaWNfZx2;rOU`j53yUT4*k5 zVeb&hb1pWGkQA6xL(Oi&e@RaCdU?Ui_7|vkh3@)WKI@|Y8%2sEwX?T3mWhGExVvl! zq$~^quQVlrzSdc7b(iu_!J9MeU0i~kyPhIiUFk4HcDLmKN=H|3Zfcl`GAl%rg=hb$ z;hW({-~Q2*4Z*MvB)bxyz5;b^#qALt_wIaDy{y=I48{?MXAr)5k*`^V zTeO@S+iqJ^QAJsjQoSNw-kqKsvlGf<9KSgxnP ziZ&Giyvs%?D@ourkOn~~UF&d=@bKspgvT*}7fCHLFakBCHve&ef*bdo_wy9iY^Y`- z`-Zdw?Xwp+dcFCw+OZi%>ro<)uS)HT;8?sqpoYpvhTY!yM2d!LD;)5%#e#iRW;6;- zb3hA!u{Yk2q}FIpq%bD$OxU^~)84@Ym!Hx+rOcraN&*5SvgEEe#>|Y2?XkOUz@pW~ zyQZx@#hI)9y~LIw&%J?-+!lyi3Gcfwf`B4L3$`=F=2fw@`-}}`?#NfM{)mxLvfp>H z0VGA$&8}#ZCrI2Bo&N@mi-s+Ig^7*+{2APA{jqdCu2iQ|kV=Jy&OS-Tf-rn!-75ceuVY)J@af{xO~L z^=e(%2ZDNG68?wFm~UeE@4x`5u0c*g0VrCIY!8%&f)v5bRI}7Ee+xbcqJTKm*+JIJ zo|6t?@RRQ8BR#IJ- + SentinelOne Singularity Identity is a cybersecurity solution that provides identity protection and zero-trust security by continuously monitoring and analyzing user behaviors to detect and prevent potential threats. + +data_sources: diff --git a/SentinelOne/identity/_meta/smart-descriptions.json b/SentinelOne/identity/_meta/smart-descriptions.json new file mode 100644 index 000000000..ad570cb92 --- /dev/null +++ b/SentinelOne/identity/_meta/smart-descriptions.json 
@@ -0,0 +1,46 @@
+[
+  {
+    "value": "Alert defined {sentinelone.identity.name} with status {sentinelone.identity.status} on {process.command_line}",
+    "conditions": [
+      {
+        "field": "sentinelone.identity.name"
+      },
+      {
+        "field": "sentinelone.identity.status"
+      },
+      {
+        "field": "process.command_line"
+      }
+    ]
+  },
+  {
+    "value": "Alert defined {sentinelone.identity.name} with status {sentinelone.identity.status}",
+    "conditions": [
+      {
+        "field": "sentinelone.identity.name"
+      },
+      {
+        "field": "sentinelone.identity.status"
+      }
+    ]
+  },
+  {
+    "value": "Alert defined {sentinelone.identity.name} on {process.command_line}",
+    "conditions": [
+      {
+        "field": "sentinelone.identity.name"
+      },
+      {
+        "field": "process.command_line"
+      }
+    ]
+  },
+  {
+    "value": "Alert defined {sentinelone.identity.name}",
+    "conditions": [
+      {
+        "field": "sentinelone.identity.name"
+      }
+    ]
+  }
+]
\ No newline at end of file
diff --git a/SentinelOne/identity/ingest/parser.yml b/SentinelOne/identity/ingest/parser.yml
new file mode 100644
index 000000000..507745cb7
--- /dev/null
+++ b/SentinelOne/identity/ingest/parser.yml
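Review bot: The file is committed without a trailing newline (`\ No newline at end of file`), which will show up as noise in every later edit; running it through `jq .` or Prettier fixes that, and the same applies to parser.yml and test_alert_1.json in this patch. The phrase `Alert defined {sentinelone.identity.name}` reads oddly since the alert is named rather than defined; `Alert {sentinelone.identity.name} with status {sentinelone.identity.status} on {process.command_line}` is clearer, with the same change in the other three templates. The fixture in test_alert_1.json shows `classification` and `confidenceLevel` values such as ENUMERATION and MALICIOUS, which would make the summary more useful than the status alone if added as a further template.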
@@ -0,0 +1,67 @@
+name: identity
+pipeline:
+  - name: json_event
+    external:
+      name: json.parse-json
+      properties:
+        input_field: "{{original.message}}"
+
+  - name: detected_at
+    filter: "{{json_event.message.detectedAt != null}}"
+    external:
+      name: date.parse
+      properties:
+        input_field: "{{json_event.message.detectedAt}}"
+        output_field: timestamp
+
+  - name: started_at
+    filter: "{{json_event.message.firstSeenAt != null}}"
+    external:
+      name: date.parse
+      properties:
+        input_field: "{{json_event.message.firstSeenAt}}"
+        output_field: timestamp
+
+  - name: last_seen_at
+    filter: "{{json_event.message.lastSeenAt != null}}"
+    external:
+      name: date.parse
+      properties:
+        input_field: "{{json_event.message.lastSeenAt}}"
+        output_field: timestamp
+
+  - name: set_meta_fields
+stages:
+  set_meta_fields:
+    actions:
+      - set:
+          event.kind: "alert"
+          event.category: "intrusion_detection"
+          event.type: "info"
+          observer.vendor: "SentinelOne"
+          observer.product: "Singularity Identity"
+
+          "@timestamp": "{{detected_at.timestamp}}"
+          event.start: "{{started_at.timestamp}}"
+          event.end: "{{last_seen_at.timestamp}}"
+
+          event.provider: "{{json_event.message.detectionSource.product}}"
+          event.reason: "{{json_event.message.description}}"
+
+          process.command_line: "{{json_event.message.process.cmdLine}}"
+          process.parent.name: "{{json_event.message.process.parentName}}"
+
+          file.path: "{{json_event.message.process.file.path}}"
+          file.name: "{{json_event.message.process.file.path | basename}}"
+          file.hash.sha1: "{{json_event.message.process.file.sha1}}"
+          file.hash.sha256: "{{json_event.message.process.file.sha256}}"
+          file.hash.md5: "{{json_event.message.process.file.md5}}"
+
+          sentinelone.identity.id: "{{json_event.message.id}}"
+          sentinelone.identity.name: "{{json_event.message.name}}"
+          sentinelone.identity.attackSurfaces: "{{json_event.message.attackSurfaces}}"
+          sentinelone.identity.status: "{{json_event.message.status}}"
+          sentinelone.identity.classification: "{{json_event.message.classification}}"
+          sentinelone.identity.confidenceLevel: "{{json_event.message.confidenceLevel}}"
+          sentinelone.identity.result: "{{json_event.message.result}}"
+          sentinelone.identity.storyLineId: "{{json_event.message.storyLineId}}"
\ No newline at end of file
diff --git a/SentinelOne/identity/tests/test_alert_1.json b/SentinelOne/identity/tests/test_alert_1.json
new file mode 100644
index 000000000..1e8b5bf2b
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_1.json
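Review bot: The path and hashes read from `json_event.message.process.file.*` describe the executable of the process that raised the alert, yet they are written to `file.*`, so downstream a hash of the running binary is indistinguishable from a file the process touched; add `process.executable: "{{json_event.message.process.file.path}}"` and `process.hash.sha256: "{{json_event.message.process.file.sha256}}"` (likewise `process.hash.sha1` and `process.hash.md5`), keeping the `file.*` keys only if existing content depends on them. `sentinelone.identity.storyLineId` reads `json_event.message.storyLineId`, while the fixture in test_alert_1.json spells the key `storylineId`; if the fixture reflects the real payload this field is never populated, and fields.yml declares the same spelling. `event.category` and `event.type` are set as bare strings although ECS defines both as arrays (`event.category: ["intrusion_detection"]`), so it is worth confirming the platform normalizes scalars before they are indexed.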
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\n \"id\": \"ba485919-e4c1-4496-9e2f-feb320f6841a\",\n \"name\": \"Domain Controller Discovery Detected\",\n \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\",\n \"detectedAt\": \"2024-11-22T05:35:09.000Z\",\n \"attackSurfaces\": [\n \"IDENTITY\"\n ],\n \"detectionSource\": {\n \"product\": \"Identity\"\n },\n \"status\": \"NEW\",\n \"assignee\": null,\n \"classification\": \"ENUMERATION\",\n \"confidenceLevel\": \"MALICIOUS\",\n \"firstSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"lastSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"process\": {\n \"cmdLine\": \"C:\\\\Windows\\\\system32\\\\net1 group \\\"Domain Controllers\\\" /domain\",\n \"file\": {\n \"path\": \"c:\\\\windows\\\\system32\\\\net1.exe\",\n \"sha1\": null,\n \"sha256\": \"18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398\",\n \"md5\": null\n },\n \"parentName\": null\n },\n \"result\": null,\n \"storylineId\": null\n}" + }, + "expected": { + "message": "{\n \"id\": \"ba485919-e4c1-4496-9e2f-feb320f6841a\",\n \"name\": \"Domain Controller Discovery Detected\",\n \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\",\n \"detectedAt\": \"2024-11-22T05:35:09.000Z\",\n \"attackSurfaces\": [\n \"IDENTITY\"\n ],\n \"detectionSource\": {\n \"product\": \"Identity\"\n },\n \"status\": \"NEW\",\n \"assignee\": null,\n \"classification\": \"ENUMERATION\",\n \"confidenceLevel\": \"MALICIOUS\",\n \"firstSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"lastSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"process\": {\n \"cmdLine\": \"C:\\\\Windows\\\\system32\\\\net1 group \\\"Domain Controllers\\\" /domain\",\n \"file\": {\n \"path\": \"c:\\\\windows\\\\system32\\\\net1.exe\",\n \"sha1\": null,\n \"sha256\": 
\"18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398\",\n \"md5\": null\n },\n \"parentName\": null\n },\n \"result\": null,\n \"storylineId\": null\n}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T05:35:09Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "start": "2024-11-22T05:35:09Z", + "type": "info" + }, + "@timestamp": "2024-11-22T05:35:09Z", + "file": { + "hash": { + "sha256": "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398" + }, + "name": "net1.exe", + "path": "c:\\windows\\system32\\net1.exe" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "C:\\Windows\\system32\\net1 group \"Domain Controllers\" /domain" + }, + "related": { + "hash": [ + "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "ba485919-e4c1-4496-9e2f-feb320f6841a", + "name": "Domain Controller Discovery Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_10.json b/SentinelOne/identity/tests/test_alert_10.json new file mode 100644 index 000000000..deb56e2a5 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_10.json 
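Review bot: None of the fixtures in this commit (this file and test_alert_10 through test_alert_16) gives `sha1`, `md5`, `parentName`, `result` or `storylineId` a non-null value, so the parser's `file.hash.sha1`, `file.hash.md5`, `process.parent.name`, `sentinelone.identity.result` and `sentinelone.identity.storyLineId` mappings are never exercised and a key-name mismatch on any of them passes silently. One additional fixture with those fields populated (constructed values are fine) would cover the remaining `set` lines. `related.hash` appears under `expected` although the parser never sets it, presumably from platform-side enrichment; a one-line comment in parser.yml saying so would save the next maintainer from looking for the missing mapping. test_alert_2's input, starting in the next file section, is a mock-API environment export rather than a SentinelOne identity alert; that hunk runs past this view, but it looks like it belongs to a different intake.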
@@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"id\": \"01935322-7b49-71f0-89e0-f52562c26e53\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:09:48.731Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:09:48.731Z\", \"lastSeenAt\": \"2024-11-22T09:09:48.731Z\", \"process\": null, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935322-7b49-71f0-89e0-f52562c26e53\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:09:48.731Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:09:48.731Z\", \"lastSeenAt\": \"2024-11-22T09:09:48.731Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:09:48.731000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.", + "start": "2024-11-22T09:09:48.731000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:09:48.731000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": 
"UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935322-7b49-71f0-89e0-f52562c26e53", + "name": "Brute force attack - Mass Account Lockout", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_11.json b/SentinelOne/identity/tests/test_alert_11.json new file mode 100644 index 000000000..a4d81025f --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_11.json 
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"id\": \"01935310-d00e-7616-81b9-fcb227ebb13d\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-d00e-7616-81b9-fcb227ebb13d\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": 
"2024-11-22T08:45:51Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "start": "2024-11-22T08:45:51Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:51Z", + "file": { + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe", + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-d00e-7616-81b9-fcb227ebb13d", + "name": "Domain Controller Discovery Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_12.json b/SentinelOne/identity/tests/test_alert_12.json new file mode 100644 index 000000000..1618da843 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_12.json 
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"id\": \"01935310-eb28-7a57-9c27-87843b2cec61\", \"name\": \"AD Service Account Enumeration Detected\", \"description\": \"This event is generated when LDAP queries for enumerating service accounts are detected from an endpoint.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-eb28-7a57-9c27-87843b2cec61\", \"name\": \"AD Service Account Enumeration Detected\", \"description\": \"This event is generated when LDAP queries for enumerating service accounts are detected from an endpoint.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:51Z", + "kind": "alert", + "provider": 
"Identity", + "reason": "This event is generated when LDAP queries for enumerating service accounts are detected from an endpoint.", + "start": "2024-11-22T08:45:51Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:51Z", + "file": { + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe", + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-eb28-7a57-9c27-87843b2cec61", + "name": "AD Service Account Enumeration Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_13.json b/SentinelOne/identity/tests/test_alert_13.json new file mode 100644 index 000000000..a31ef954f --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_13.json 
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"id\": \"01935310-c715-72c9-bbd9-dc1ff6a7ff1e\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-c715-72c9-bbd9-dc1ff6a7ff1e\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", + "kind": "alert", 
+ "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.", + "start": "2024-11-22T08:45:50Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:50Z", + "file": { + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe", + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-c715-72c9-bbd9-dc1ff6a7ff1e", + "name": "AD Domain Computer Enumeration Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_14.json b/SentinelOne/identity/tests/test_alert_14.json new file mode 100644 index 000000000..7b9fc10e1 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_14.json 
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"id\": \"01935310-cb9b-770e-96ee-632d4d21520b\", \"name\": \"AD ACL Enumeration\", \"description\": \"This event is generated when a command used to query or read the ACL's\\\\ Permission of any object in Active Directory.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-cb9b-770e-96ee-632d4d21520b\", \"name\": \"AD ACL Enumeration\", \"description\": \"This event is generated when a command used to query or read the ACL's\\\\ Permission of any object in Active Directory.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", + "kind": "alert", + "provider": "Identity", + 
"reason": "This event is generated when a command used to query or read the ACL's\\ Permission of any object in Active Directory.", + "start": "2024-11-22T08:45:50Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:50Z", + "file": { + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe", + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-cb9b-770e-96ee-632d4d21520b", + "name": "AD ACL Enumeration", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_15.json b/SentinelOne/identity/tests/test_alert_15.json new file mode 100644 index 000000000..d8a7c1f8a --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_15.json 
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"id\": \"01935310-d4ba-7131-9e08-defa8b3aeb52\", \"name\": \"Domain Users Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the users in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-d4ba-7131-9e08-defa8b3aeb52\", \"name\": \"Domain Users Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the users in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", + "kind": "alert", + "provider": 
"Identity", + "reason": "This event is raised when there is a query from an endpoint to dump all the users in the Active Directory Domain.", + "start": "2024-11-22T08:45:50Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:50Z", + "file": { + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe", + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-d4ba-7131-9e08-defa8b3aeb52", + "name": "Domain Users Enumeration Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_16.json b/SentinelOne/identity/tests/test_alert_16.json new file mode 100644 index 000000000..8a5217a55 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_16.json 
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", + "kind": "alert", + "provider": "Identity", + "reason": "This events is raised when a LDAP search Query is detected from the endpoint.", 
+ "start": "2024-11-22T08:45:50Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:50Z", + "file": { + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe", + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-dc47-75de-8925-5f026bd5a705", + "name": "LDAP Search Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_2.json b/SentinelOne/identity/tests/test_alert_2.json new file mode 100644 index 000000000..6d697a5be --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_2.json 
@@ -0,0 +1,22 @@ +{ + "input": { + "message": "{\n \"uuid\": \"c0d4da63-0b2b-41ea-8cfe-0eb6bf78c398\",\n \"lastMigration\": 33,\n \"name\": \"Mocked api\",\n \"endpointPrefix\": \"\",\n \"latency\": 0,\n \"port\": 3000,\n \"hostname\": \"\",\n \"folders\": [\n {\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\",\n \"name\": \"user\",\n \"children\": [\n {\n \"type\": \"route\",\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\"\n }\n ]\n }\n ],\n \"routes\": [\n {\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\",\n \"type\": \"http\",\n \"documentation\": \"Creates new user\",\n \"method\": \"post\",\n \"endpoint\": \"user\",\n \"responses\": [\n {\n \"uuid\": \"0a1cd03e-8140-42cb-a0a3-67e99f44b595\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"w34k\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"CreateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"2334411e-b9c5-425e-8bd8-470da7d11077\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n 
\"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\",\n \"type\": \"http\",\n \"documentation\": \"Logout\",\n \"method\": \"post\",\n \"endpoint\": \"user/logout\",\n \"responses\": [\n {\n \"uuid\": \"8e9bafc8-78e5-4685-88cd-3b90f85edb87\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\",\n \"type\": \"http\",\n \"documentation\": \"Authenticate user with credentials\",\n \"method\": \"post\",\n \"endpoint\": \"user/authenticate\",\n \"responses\": [\n {\n \"uuid\": \"91ecae5f-67e0-4264-b724-964d54d7d458\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"AuthenticateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"6e78ae1f-c46c-43fc-a96b-6718ec506d26\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n 
\"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\",\n \"type\": \"http\",\n \"documentation\": \"Refresh Session\",\n \"method\": \"post\",\n \"endpoint\": \"user/refresh-session\",\n \"responses\": [\n {\n \"uuid\": \"5505a95b-80d0-46cc-b388-9d5afac52102\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": true,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"7d54557c-5d32-44c1-92dc-a594615ce7d8\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\",\n \"type\": \"http\",\n \"documentation\": \"Auth required\",\n \"method\": \"all\",\n \"endpoint\": \"*\",\n \"responses\": [\n {\n \"uuid\": \"c49cf55f-b651-4a26-9c10-9806af40c0c4\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": 
[],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"header\",\n \"modifier\": \"funfy-auth-token\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n },\n {\n \"target\": \"path\",\n \"modifier\": \"\",\n \"value\": \"/user\",\n \"invert\": true,\n \"operator\": \"equals\"\n },\n {\n \"target\": \"path\",\n \"modifier\": \"\",\n \"value\": \"/user/authenticate\",\n \"invert\": true,\n \"operator\": \"equals\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\",\n \"type\": \"http\",\n \"documentation\": \"RefreshToken is required\",\n \"method\": \"all\",\n \"endpoint\": \"user/*\",\n \"responses\": [\n {\n \"uuid\": \"e5d4e8a4-037e-4e72-b8a3-1e4b9c5da3bd\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$.refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\",\n \"type\": \"http\",\n \"documentation\": \"\",\n \"method\": \"get\",\n \"endpoint\": \"test\",\n \"responses\": [\n {\n \"uuid\": \"acc619a1-6ec7-45a6-888c-a7a860ed237b\",\n \"body\": \"{\\n \\\"message\\\": \\\"route required auth\\\"\\n}\",\n \"latency\": 0,\n \"statusCode\": 
200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n }\n ],\n \"rootChildren\": [\n {\n \"type\": \"route\",\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\"\n },\n {\n \"type\": \"folder\",\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\"\n }\n ],\n \"proxyMode\": false,\n \"proxyHost\": \"\",\n \"proxyRemovePrefix\": false,\n \"tlsOptions\": {\n \"enabled\": false,\n \"type\": \"CERT\",\n \"pfxPath\": \"\",\n \"certPath\": \"\",\n \"keyPath\": \"\",\n \"caPath\": \"\",\n \"passphrase\": \"\"\n },\n \"cors\": true,\n \"headers\": [\n {\n \"key\": \"Content-Type\",\n \"value\": \"application/json\"\n },\n {\n \"key\": \"Access-Control-Allow-Origin\",\n \"value\": \"*\"\n },\n {\n \"key\": \"Access-Control-Allow-Methods\",\n \"value\": \"GET,POST,PUT,PATCH,DELETE,HEAD,OPTIONS\"\n },\n {\n \"key\": \"Access-Control-Allow-Headers\",\n \"value\": \"Content-Type, Origin, Accept, Authorization, Content-Length, X-Requested-With\"\n }\n ],\n \"proxyReqHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n ],\n \"proxyResHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n ],\n \"data\": [\n {\n \"uuid\": \"38fb975d-c6f0-48d9-ae52-9e3fbc5cb654\",\n \"id\": \"8wey\",\n \"name\": \"Globals\",\n \"documentation\": \"\",\n \"value\": \"\"\n },\n {\n \"uuid\": \"2372a308-c890-479c-a18b-54abe4696967\",\n \"id\": \"zzay\",\n \"name\": \"ISODate\",\n \"documentation\": \"Datetime shared format comes from backend\",\n \"value\": \"\\\"{{now 'yyyy-MM-dd\\\\'T\\\\'HH:mm:ss\\\\'Z\\\\''}}\\\"\"\n },\n {\n \"uuid\": 
\"160c80f4-39c7-494d-a489-06da2e51aa87\",\n \"id\": \"g4qq\",\n \"name\": \"CreateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"email\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n \"uuid\": \"c1d673ba-f7cf-4fd2-8cc8-449017a3ff17\",\n \"id\": \"ofz6\",\n \"name\": \"AuthenticateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n \"uuid\": \"2844853c-c892-4671-9201-0b252711a36b\",\n \"id\": \"w34k\",\n \"name\": \"User\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"id\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"email\\\": \\\"{{faker 'internet.email'}}\\\",\\n \\\"phone\\\": \\\"{{faker 'phone.number' style='international'}}\\\",\\n \\\"createdAt\\\": \\\"{{data 'ISODate'}}\\\",\\n \\\"updatedAt\\\": \\\"{{data 'ISODate'}}\\\",\\n}\"\n },\n {\n \"uuid\": \"e698b979-5934-45f2-8612-5782a8b1e0be\",\n \"id\": \"77fk\",\n \"name\": \"Authentication\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"refreshToken\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"accessToken\\\": \\\"{{faker 'string.uuid'}}\\\"\\n}\"\n }\n ],\n \"callbacks\": []\n}" + }, + "expected": { + "message": "{\n \"uuid\": \"c0d4da63-0b2b-41ea-8cfe-0eb6bf78c398\",\n \"lastMigration\": 33,\n \"name\": \"Mocked api\",\n \"endpointPrefix\": \"\",\n \"latency\": 0,\n \"port\": 3000,\n \"hostname\": \"\",\n \"folders\": [\n {\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\",\n \"name\": \"user\",\n \"children\": [\n {\n \"type\": \"route\",\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\"\n 
},\n {\n \"type\": \"route\",\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\"\n }\n ]\n }\n ],\n \"routes\": [\n {\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\",\n \"type\": \"http\",\n \"documentation\": \"Creates new user\",\n \"method\": \"post\",\n \"endpoint\": \"user\",\n \"responses\": [\n {\n \"uuid\": \"0a1cd03e-8140-42cb-a0a3-67e99f44b595\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"w34k\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"CreateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"2334411e-b9c5-425e-8bd8-470da7d11077\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\",\n \"type\": \"http\",\n \"documentation\": \"Logout\",\n \"method\": \"post\",\n \"endpoint\": \"user/logout\",\n \"responses\": [\n {\n \"uuid\": \"8e9bafc8-78e5-4685-88cd-3b90f85edb87\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 
200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\",\n \"type\": \"http\",\n \"documentation\": \"Authenticate user with credentials\",\n \"method\": \"post\",\n \"endpoint\": \"user/authenticate\",\n \"responses\": [\n {\n \"uuid\": \"91ecae5f-67e0-4264-b724-964d54d7d458\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"AuthenticateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"6e78ae1f-c46c-43fc-a96b-6718ec506d26\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\",\n \"type\": \"http\",\n \"documentation\": \"Refresh Session\",\n \"method\": \"post\",\n \"endpoint\": \"user/refresh-session\",\n \"responses\": [\n {\n \"uuid\": 
\"5505a95b-80d0-46cc-b388-9d5afac52102\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": true,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"7d54557c-5d32-44c1-92dc-a594615ce7d8\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\",\n \"type\": \"http\",\n \"documentation\": \"Auth required\",\n \"method\": \"all\",\n \"endpoint\": \"*\",\n \"responses\": [\n {\n \"uuid\": \"c49cf55f-b651-4a26-9c10-9806af40c0c4\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"header\",\n \"modifier\": \"funfy-auth-token\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n },\n {\n \"target\": \"path\",\n \"modifier\": \"\",\n \"value\": \"/user\",\n \"invert\": true,\n \"operator\": \"equals\"\n },\n {\n \"target\": \"path\",\n \"modifier\": 
\"\",\n \"value\": \"/user/authenticate\",\n \"invert\": true,\n \"operator\": \"equals\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\",\n \"type\": \"http\",\n \"documentation\": \"RefreshToken is required\",\n \"method\": \"all\",\n \"endpoint\": \"user/*\",\n \"responses\": [\n {\n \"uuid\": \"e5d4e8a4-037e-4e72-b8a3-1e4b9c5da3bd\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$.refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\",\n \"type\": \"http\",\n \"documentation\": \"\",\n \"method\": \"get\",\n \"endpoint\": \"test\",\n \"responses\": [\n {\n \"uuid\": \"acc619a1-6ec7-45a6-888c-a7a860ed237b\",\n \"body\": \"{\\n \\\"message\\\": \\\"route required auth\\\"\\n}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n }\n ],\n 
\"rootChildren\": [\n {\n \"type\": \"route\",\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\"\n },\n {\n \"type\": \"folder\",\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\"\n }\n ],\n \"proxyMode\": false,\n \"proxyHost\": \"\",\n \"proxyRemovePrefix\": false,\n \"tlsOptions\": {\n \"enabled\": false,\n \"type\": \"CERT\",\n \"pfxPath\": \"\",\n \"certPath\": \"\",\n \"keyPath\": \"\",\n \"caPath\": \"\",\n \"passphrase\": \"\"\n },\n \"cors\": true,\n \"headers\": [\n {\n \"key\": \"Content-Type\",\n \"value\": \"application/json\"\n },\n {\n \"key\": \"Access-Control-Allow-Origin\",\n \"value\": \"*\"\n },\n {\n \"key\": \"Access-Control-Allow-Methods\",\n \"value\": \"GET,POST,PUT,PATCH,DELETE,HEAD,OPTIONS\"\n },\n {\n \"key\": \"Access-Control-Allow-Headers\",\n \"value\": \"Content-Type, Origin, Accept, Authorization, Content-Length, X-Requested-With\"\n }\n ],\n \"proxyReqHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n ],\n \"proxyResHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n ],\n \"data\": [\n {\n \"uuid\": \"38fb975d-c6f0-48d9-ae52-9e3fbc5cb654\",\n \"id\": \"8wey\",\n \"name\": \"Globals\",\n \"documentation\": \"\",\n \"value\": \"\"\n },\n {\n \"uuid\": \"2372a308-c890-479c-a18b-54abe4696967\",\n \"id\": \"zzay\",\n \"name\": \"ISODate\",\n \"documentation\": \"Datetime shared format comes from backend\",\n \"value\": \"\\\"{{now 'yyyy-MM-dd\\\\'T\\\\'HH:mm:ss\\\\'Z\\\\''}}\\\"\"\n },\n {\n \"uuid\": \"160c80f4-39c7-494d-a489-06da2e51aa87\",\n \"id\": \"g4qq\",\n \"name\": \"CreateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"email\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n 
\"uuid\": \"c1d673ba-f7cf-4fd2-8cc8-449017a3ff17\",\n \"id\": \"ofz6\",\n \"name\": \"AuthenticateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n \"uuid\": \"2844853c-c892-4671-9201-0b252711a36b\",\n \"id\": \"w34k\",\n \"name\": \"User\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"id\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"email\\\": \\\"{{faker 'internet.email'}}\\\",\\n \\\"phone\\\": \\\"{{faker 'phone.number' style='international'}}\\\",\\n \\\"createdAt\\\": \\\"{{data 'ISODate'}}\\\",\\n \\\"updatedAt\\\": \\\"{{data 'ISODate'}}\\\",\\n}\"\n },\n {\n \"uuid\": \"e698b979-5934-45f2-8612-5782a8b1e0be\",\n \"id\": \"77fk\",\n \"name\": \"Authentication\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"refreshToken\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"accessToken\\\": \\\"{{faker 'string.uuid'}}\\\"\\n}\"\n }\n ],\n \"callbacks\": []\n}", + "event": { + "category": "intrusion_detection", + "kind": "alert", + "type": "info" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "name": "Mocked api" + } + } + } +} diff --git a/SentinelOne/identity/tests/test_alert_3.json b/SentinelOne/identity/tests/test_alert_3.json new file mode 100644 index 000000000..cbc475032 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_3.json 
@@ -0,0 +1,34 @@
+{
+ "input": {
+ "message": "{\"id\": \"01935359-3eda-7903-93fc-af6a0e5d0a8f\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:37.779Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:37.779Z\", \"lastSeenAt\": \"2024-11-22T10:09:37.779Z\", \"process\": null, \"result\": null, \"storylineId\": null}"
+ },
+ "expected": {
+ "message": "{\"id\": \"01935359-3eda-7903-93fc-af6a0e5d0a8f\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:37.779Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:37.779Z\", \"lastSeenAt\": \"2024-11-22T10:09:37.779Z\", \"process\": null, \"result\": null, \"storylineId\": null}",
+ "event": {
+ "category": "intrusion_detection",
+ "end": "2024-11-22T10:09:37.779000Z",
+ "kind": "alert",
+ "provider": "Identity",
+ "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.",
+ "start": "2024-11-22T10:09:37.779000Z",
+ "type": "info"
+ },
+ "@timestamp": "2024-11-22T10:09:37.779000Z",
+ "observer": {
+ "product": "Singularity Identity",
+ "vendor": "SentinelOne"
+ },
+ "sentinelone": {
+ "identity": {
+ "attackSurfaces": [
+ "IDENTITY"
+ ],
+ "classification": "UNKNOWN",
+ "confidenceLevel": "MALICIOUS",
+ "id": "01935359-3eda-7903-93fc-af6a0e5d0a8f",
+ "name": "Brute force attack - Mass Account Lockout",
+ "status": "NEW"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/SentinelOne/identity/tests/test_alert_4.json b/SentinelOne/identity/tests/test_alert_4.json
new file mode 100644
index 000000000..64efcfc10
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_4.json
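Review bot: The expected block keeps the alert's `id` and `name` only under `sentinelone.identity.*`, so nothing lands in ECS `event.id` or `rule.name`; test_alert_4 through test_alert_8 pin the same shape. If the intake re-fetches alerts as their `status` or `assignee` changes (inferred from those fields being present in the input, not shown here), `event.id` is what a consumer would key deduplication on, and `rule.name` is what cross-vendor detection content usually matches on. If the parser is meant to populate them, this fixture should pin `"id": "01935359-3eda-7903-93fc-af6a0e5d0a8f"` inside `event` and `"rule": { "name": "Brute force attack - Mass Account Lockout" }` beside it; if the vendor-namespaced copy is deliberate, a one-line comment in the parser saying so would spare the next reviewer the question.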
@@ -0,0 +1,34 @@
+{
+ "input": {
+ "message": "{\"id\": \"01935358-ee81-7eb7-b57f-022c6f0019a9\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:17.184Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:17.184Z\", \"lastSeenAt\": \"2024-11-22T10:09:17.184Z\", \"process\": null, \"result\": null, \"storylineId\": null}"
+ },
+ "expected": {
+ "message": "{\"id\": \"01935358-ee81-7eb7-b57f-022c6f0019a9\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:17.184Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:17.184Z\", \"lastSeenAt\": \"2024-11-22T10:09:17.184Z\", \"process\": null, \"result\": null, \"storylineId\": null}",
+ "event": {
+ "category": "intrusion_detection",
+ "end": "2024-11-22T10:09:17.184000Z",
+ "kind": "alert",
+ "provider": "Identity",
+ "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.",
+ "start": "2024-11-22T10:09:17.184000Z",
+ "type": "info"
+ },
+ "@timestamp": "2024-11-22T10:09:17.184000Z",
+ "observer": {
+ "product": "Singularity Identity",
+ "vendor": "SentinelOne"
+ },
+ "sentinelone": {
+ "identity": {
+ "attackSurfaces": [
+ "IDENTITY"
+ ],
+ "classification": "UNKNOWN",
+ "confidenceLevel": "MALICIOUS",
+ "id": "01935358-ee81-7eb7-b57f-022c6f0019a9",
+ "name": "Brute force attack - Mass Account Lockout",
+ "status": "NEW"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/SentinelOne/identity/tests/test_alert_5.json b/SentinelOne/identity/tests/test_alert_5.json
new file mode 100644
index 000000000..f1339df60
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_5.json
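Review bot: The pinned `@timestamp`, `event.start` and `event.end` carry a six-digit fraction here (`2024-11-22T10:09:17.184000Z`), while the `.000Z` inputs in test_alert_5, test_alert_6 and test_alert_7 are pinned with no fraction at all (`2024-11-22T09:45:51Z`), so the fixtures lock in two output shapes for one field. Both are valid RFC 3339, but a consumer that string-compares timestamps or applies a fixed pattern will treat them differently, and the vendor's uniform millisecond precision is lost on the way out. If the parser can render a fixed precision, pinning `"2024-11-22T10:09:17.184Z"` here and `"2024-11-22T09:45:51.000Z"` in the others would give a single shape; otherwise the variation is worth a comment next to the date handling in the parser.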
@@ -0,0 +1,49 @@
+{
+ "input": {
+ "message": "{\"id\": \"0193534d-63c1-7497-b854-b883425af3f5\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:54:58.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:54:58.000Z\", \"lastSeenAt\": \"2024-11-22T09:54:58.000Z\", \"process\": {\"cmdLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\", \"file\": {\"path\": \"c:\\\\windows\\\\system32\\\\cmd.exe\", \"sha1\": null, \"sha256\": \"4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}"
+ },
+ "expected": {
+ "message": "{\"id\": \"0193534d-63c1-7497-b854-b883425af3f5\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:54:58.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:54:58.000Z\", \"lastSeenAt\": \"2024-11-22T09:54:58.000Z\", \"process\": {\"cmdLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\", \"file\": {\"path\": \"c:\\\\windows\\\\system32\\\\cmd.exe\", \"sha1\": null, \"sha256\": \"4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}",
+ "event": {
+ "category": "intrusion_detection",
+ "end": "2024-11-22T09:54:58Z",
+ "kind": "alert",
+ "provider": "Identity",
+ "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.",
+ "start": "2024-11-22T09:54:58Z",
+ "type": "info"
+ },
+ "@timestamp": "2024-11-22T09:54:58Z",
+ "file": {
+ "hash": {
+ "sha256": "4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22"
+ },
+ "name": "cmd.exe",
+ "path": "c:\\windows\\system32\\cmd.exe"
+ },
+ "observer": {
+ "product": "Singularity Identity",
+ "vendor": "SentinelOne"
+ },
+ "process": {
+ "command_line": "\"C:\\Windows\\system32\\cmd.exe\""
+ },
+ "related": {
+ "hash": [
+ "4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22"
+ ]
+ },
+ "sentinelone": {
+ "identity": {
+ "attackSurfaces": [
+ "IDENTITY"
+ ],
+ "classification": "ENUMERATION",
+ "confidenceLevel": "MALICIOUS",
+ "id": "0193534d-63c1-7497-b854-b883425af3f5",
+ "name": "Domain Controller Discovery Detected",
+ "status": "NEW"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/SentinelOne/identity/tests/test_alert_6.json b/SentinelOne/identity/tests/test_alert_6.json
new file mode 100644
index 000000000..e43c64e20
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_6.json
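Review bot: The pinned `file.hash.sha256` and `related.hash` keep the vendor's uppercase hex (prefix `4D89FC34…`), and test_alert_6 and test_alert_7 pin the same for the `61F897ED…` hash. Hash feeds and enrichment lookups are frequently lowercase hex, so an exact-match correlation on these fields would miss unless the consumer normalizes case; if the parser can lowercase at ingest, the fixture should pin the lowercase form so the normalization is tested. Separately, the process's own image path is pinned only as `file.path`, leaving `process.executable` and `process.name` unset even though `process.command_line` is populated; pinning `"executable": "c:\\windows\\system32\\cmd.exe"` and `"name": "cmd.exe"` inside `process` would let process-centric and file-centric detections see the same value.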
@@ -0,0 +1,49 @@
+{
+ "input": {
+ "message": "{\"id\": \"01935347-abf7-7457-8467-e3443470e6f3\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}"
+ },
+ "expected": {
+ "message": "{\"id\": \"01935347-abf7-7457-8467-e3443470e6f3\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}",
+ "event": {
+ "category": "intrusion_detection",
+ "end": "2024-11-22T09:45:51Z",
+ "kind": "alert",
+ "provider": "Identity",
+ "reason": "This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.",
+ "start": "2024-11-22T09:45:51Z",
+ "type": "info"
+ },
+ "@timestamp": "2024-11-22T09:45:51Z",
+ "file": {
+ "hash": {
+ "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ },
+ "name": "sharphound.exe",
+ "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe"
+ },
+ "observer": {
+ "product": "Singularity Identity",
+ "vendor": "SentinelOne"
+ },
+ "process": {
+ "command_line": "Sharphound.exe"
+ },
+ "related": {
+ "hash": [
+ "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ ]
+ },
+ "sentinelone": {
+ "identity": {
+ "attackSurfaces": [
+ "IDENTITY"
+ ],
+ "classification": "ENUMERATION",
+ "confidenceLevel": "MALICIOUS",
+ "id": "01935347-abf7-7457-8467-e3443470e6f3",
+ "name": "AD Domain Computer Enumeration Detected",
+ "status": "NEW"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/SentinelOne/identity/tests/test_alert_7.json b/SentinelOne/identity/tests/test_alert_7.json
new file mode 100644
index 000000000..d4acce26a
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_7.json
@@ -0,0 +1,49 @@
+{
+ "input": {
+ "message": "{\"id\": \"01935347-b05a-7d28-a929-5294ee16628a\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}"
+ },
+ "expected": {
+ "message": "{\"id\": \"01935347-b05a-7d28-a929-5294ee16628a\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}",
+ "event": {
+ "category": "intrusion_detection",
+ "end": "2024-11-22T09:45:51Z",
+ "kind": "alert",
+ "provider": "Identity",
+ "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.",
+ "start": "2024-11-22T09:45:51Z",
+ "type": "info"
+ },
+ "@timestamp": "2024-11-22T09:45:51Z",
+ "file": {
+ "hash": {
+ "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ },
+ "name": "sharphound.exe",
+ "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe"
+ },
+ "observer": {
+ "product": "Singularity Identity",
+ "vendor": "SentinelOne"
+ },
+ "process": {
+ "command_line": "Sharphound.exe"
+ },
+ "related": {
+ "hash": [
+ "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ ]
+ },
+ "sentinelone": {
+ "identity": {
+ "attackSurfaces": [
+ "IDENTITY"
+ ],
+ "classification": "ENUMERATION",
+ "confidenceLevel": "MALICIOUS",
+ "id": "01935347-b05a-7d28-a929-5294ee16628a",
+ "name": "Domain Controller Discovery Detected",
+ "status": "NEW"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/SentinelOne/identity/tests/test_alert_8.json b/SentinelOne/identity/tests/test_alert_8.json
new file mode 100644
index 000000000..384a41648
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_8.json
@@ -0,0 +1,34 @@
+{
+ "input": {
+ "message": "{\"id\": \"01935342-d073-7ed0-8c5e-2373fc013310\", \"name\": \"Default Admin Account Usage\", \"description\": \"This event is raised for default administrator account logon anywhere in the domain.\", \"detectedAt\": \"2024-11-22T09:45:07.655Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:07.655Z\", \"lastSeenAt\": \"2024-11-22T09:45:07.655Z\", \"process\": null, \"result\": null, \"storylineId\": null}"
+ },
+ "expected": {
+ "message": "{\"id\": \"01935342-d073-7ed0-8c5e-2373fc013310\", \"name\": \"Default Admin Account Usage\", \"description\": \"This event is raised for default administrator account logon anywhere in the domain.\", \"detectedAt\": \"2024-11-22T09:45:07.655Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:07.655Z\", \"lastSeenAt\": \"2024-11-22T09:45:07.655Z\", \"process\": null, \"result\": null, \"storylineId\": null}",
+ "event": {
+ "category": "intrusion_detection",
+ "end": "2024-11-22T09:45:07.655000Z",
+ "kind": "alert",
+ "provider": "Identity",
+ "reason": "This event is raised for default administrator account logon anywhere in the domain.",
+ "start": "2024-11-22T09:45:07.655000Z",
+ "type": "info"
+ },
+ "@timestamp": "2024-11-22T09:45:07.655000Z",
+ "observer": {
+ "product": "Singularity Identity",
+ "vendor": "SentinelOne"
+ },
+ "sentinelone": {
+ "identity": {
+ "attackSurfaces": [
+ "IDENTITY"
+ ],
+ "classification": "UNKNOWN",
+ "confidenceLevel": "MALICIOUS",
+ "id": "01935342-d073-7ed0-8c5e-2373fc013310",
+ "name": "Default Admin Account Usage",
+ "status": "NEW"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/SentinelOne/identity/tests/test_alert_9.json b/SentinelOne/identity/tests/test_alert_9.json
new file mode 100644
index 000000000..74ab3a7f3
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_9.json
@@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"id\": \"01935322-cc3a-76cc-890b-a1c2d1b815d4\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:10:09.467Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:10:09.467Z\", \"lastSeenAt\": \"2024-11-22T09:10:09.467Z\", \"process\": null, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935322-cc3a-76cc-890b-a1c2d1b815d4\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:10:09.467Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:10:09.467Z\", \"lastSeenAt\": \"2024-11-22T09:10:09.467Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:10:09.467000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.", + "start": "2024-11-22T09:10:09.467000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:10:09.467000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": 
"UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935322-cc3a-76cc-890b-a1c2d1b815d4", + "name": "Brute force attack - Mass Account Lockout", + "status": "NEW" + } + } + } +} \ No newline at end of file From e898b653c1cbe982f1f50db26b795f2e018db548 Mon Sep 17 00:00:00 2001 From: vg-svitla Date: Wed, 27 Nov 2024 12:20:13 +0200 Subject: [PATCH 2/7] Apply linter --- SentinelOne/identity/_meta/smart-descriptions.json | 2 +- SentinelOne/identity/ingest/parser.yml | 2 +- SentinelOne/identity/tests/test_alert_2.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/SentinelOne/identity/_meta/smart-descriptions.json b/SentinelOne/identity/_meta/smart-descriptions.json index ad570cb92..e09c5db80 100644 --- a/SentinelOne/identity/_meta/smart-descriptions.json +++ b/SentinelOne/identity/_meta/smart-descriptions.json @@ -43,4 +43,4 @@ } ] } -] \ No newline at end of file +] diff --git a/SentinelOne/identity/ingest/parser.yml b/SentinelOne/identity/ingest/parser.yml index 507745cb7..79cd3ec9f 100644 --- a/SentinelOne/identity/ingest/parser.yml +++ b/SentinelOne/identity/ingest/parser.yml @@ -64,4 +64,4 @@ stages: sentinelone.identity.classification: "{{json_event.message.classification}}" sentinelone.identity.confidenceLevel: "{{json_event.message.confidenceLevel}}" sentinelone.identity.result: "{{json_event.message.result}}" - sentinelone.identity.storyLineId: "{{json_event.message.storyLineId}}" \ No newline at end of file + sentinelone.identity.storyLineId: "{{json_event.message.storyLineId}}" diff --git a/SentinelOne/identity/tests/test_alert_2.json b/SentinelOne/identity/tests/test_alert_2.json index 6d697a5be..39420a5e0 100644 --- a/SentinelOne/identity/tests/test_alert_2.json +++ b/SentinelOne/identity/tests/test_alert_2.json @@ -19,4 +19,4 @@ } } } -} +} \ No newline at end of file From 5421cd89a9054a25770e7ce2e8e8ef1c1c018655 Mon Sep 17 00:00:00 2001 
From: vg-svitla Date: Wed, 27 Nov 2024 12:21:17 +0200 Subject: [PATCH 3/7] Fix datasources --- SentinelOne/identity/_meta/manifest.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/SentinelOne/identity/_meta/manifest.yml b/SentinelOne/identity/_meta/manifest.yml index 449172f8a..33be89396 100644 --- a/SentinelOne/identity/_meta/manifest.yml +++ b/SentinelOne/identity/_meta/manifest.yml @@ -6,3 +6,4 @@ description: >- SentinelOne Singularity Identity is a cybersecurity solution that provides identity protection and zero-trust security by continuously monitoring and analyzing user behaviors to detect and prevent potential threats. data_sources: + Application logs: activites performed on SentinelOne infrastructure are logged From a284a656b8d0f342bbdb8a6e70cb8332adc31db6 Mon Sep 17 00:00:00 2001 From: vg-svitla <131353512+vg-svitla@users.noreply.github.com> Date: Thu, 28 Nov 2024 14:14:52 +0200 Subject: [PATCH 4/7] Update SentinelOne/identity/_meta/manifest.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sébastien Quioc --- SentinelOne/identity/_meta/manifest.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SentinelOne/identity/_meta/manifest.yml b/SentinelOne/identity/_meta/manifest.yml index 33be89396..1d18ad943 100644 --- a/SentinelOne/identity/_meta/manifest.yml +++ b/SentinelOne/identity/_meta/manifest.yml @@ -1,6 +1,6 @@ uuid: b502e522-6996-4b12-9538-f69326b68243 -name: identity -slug: identity +name: SentinelOne Singularity Identity +slug: sentinelone-singularity-identity description: >- SentinelOne Singularity Identity is a cybersecurity solution that provides identity protection and zero-trust security by continuously monitoring and analyzing user behaviors to detect and prevent potential threats. From b0a30f3d53175743ba460104746263e2d78444db Mon Sep 17 00:00:00 2001 
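Review bot: `activites` in the added `data_sources` entry is misspelled; the line should read `Application logs: activities performed on SentinelOne infrastructure are logged`. The wording is also broader than what the fixtures in this series actually exercise (Singularity Identity detection alerts rather than generic application activity), so if the `data_sources` key allows free text, naming the alert feed would describe the intake more accurately.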
From: vg-svitla Date: Thu, 28 Nov 2024 15:28:49 +0200 Subject: [PATCH 5/7] Fix review comments --- SentinelOne/identity/ingest/parser.yml | 10 +++++----- SentinelOne/identity/tests/test_alert_1.json | 14 ++++++-------- SentinelOne/identity/tests/test_alert_11.json | 14 ++++++-------- SentinelOne/identity/tests/test_alert_12.json | 14 ++++++-------- SentinelOne/identity/tests/test_alert_13.json | 14 ++++++-------- SentinelOne/identity/tests/test_alert_14.json | 14 ++++++-------- SentinelOne/identity/tests/test_alert_15.json | 14 ++++++-------- SentinelOne/identity/tests/test_alert_16.json | 14 ++++++-------- SentinelOne/identity/tests/test_alert_5.json | 14 ++++++-------- SentinelOne/identity/tests/test_alert_6.json | 14 ++++++-------- SentinelOne/identity/tests/test_alert_7.json | 14 ++++++-------- 11 files changed, 65 insertions(+), 85 deletions(-) diff --git a/SentinelOne/identity/ingest/parser.yml b/SentinelOne/identity/ingest/parser.yml index 79cd3ec9f..90577404d 100644 --- a/SentinelOne/identity/ingest/parser.yml +++ b/SentinelOne/identity/ingest/parser.yml @@ -51,11 +51,11 @@ stages: process.command_line: "{{json_event.message.process.cmdLine}}" process.parent.name: "{{json_event.message.process.parentName}}" - file.path: "{{json_event.message.process.file.path}}" - file.name: "{{json_event.message.process.file.path | basename}}" - file.hash.sha1: "{{json_event.message.process.file.sha1}}" - file.hash.sha256: "{{json_event.message.process.file.sha256}}" - file.hash.md5: "{{json_event.message.process.file.md5}}" + process.executable: "{{json_event.message.process.file.path}}" + process.name: "{{json_event.message.process.file.path | basename}}" + process.hash.sha1: "{{json_event.message.process.file.sha1}}" + process.hash.sha256: "{{json_event.message.process.file.sha256}}" + process.hash.md5: "{{json_event.message.process.file.md5}}" sentinelone.identity.id: "{{json_event.message.id}}" sentinelone.identity.name: "{{json_event.message.name}}" 
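Review bot: The new `process.hash.sha1`, `process.hash.sha256` and `process.hash.md5` mappings copy the vendor's hash strings verbatim, and every fixture in this series shows them uppercase (`61F897ED…`, `4D89FC34…`, `18F76BC1…`) flowing into `process.hash.sha256` and `related.hash`; hashes in ECS fields are conventionally lowercase hex, so exact-match lookups against lowercase indicators or against other intakes will miss unless the value is case-folded here (a lowercase filter on these templates, if the engine provides one, would do it). Separately, outside this hunk the same file maps `sentinelone.identity.storyLineId: "{{json_event.message.storyLineId}}"` (visible in the PATCH 2/7 hunk), while every fixture's input spells the key `storylineId`; if the fixtures reflect the API's spelling, that template never resolves and the field stays empty, and the fixtures cannot catch it because their `storylineId` is always null. A fixture with a non-null storyline id would pin whichever spelling is correct.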
diff --git a/SentinelOne/identity/tests/test_alert_1.json b/SentinelOne/identity/tests/test_alert_1.json index 1e8b5bf2b..8d5dcf96a 100644 --- a/SentinelOne/identity/tests/test_alert_1.json +++ b/SentinelOne/identity/tests/test_alert_1.json @@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T05:35:09Z", - "file": { - "hash": { - "sha256": "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398" - }, - "name": "net1.exe", - "path": "c:\\windows\\system32\\net1.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "C:\\Windows\\system32\\net1 group \"Domain Controllers\" /domain" + "command_line": "C:\\Windows\\system32\\net1 group \"Domain Controllers\" /domain", + "executable": "c:\\windows\\system32\\net1.exe", + "hash": { + "sha256": "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398" + }, + "name": "net1.exe" }, "related": { "hash": [ diff --git a/SentinelOne/identity/tests/test_alert_11.json b/SentinelOne/identity/tests/test_alert_11.json index a4d81025f..84d64cee6 100644 --- a/SentinelOne/identity/tests/test_alert_11.json +++ b/SentinelOne/identity/tests/test_alert_11.json @@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T08:45:51Z", - "file": { - "hash": { - "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - }, - "name": "sharphound.exe", - "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "Sharphound.exe" + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" }, "related": { "hash": [ 
diff --git a/SentinelOne/identity/tests/test_alert_12.json b/SentinelOne/identity/tests/test_alert_12.json index 1618da843..3e75c9e78 100644 --- a/SentinelOne/identity/tests/test_alert_12.json +++ b/SentinelOne/identity/tests/test_alert_12.json @@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T08:45:51Z", - "file": { - "hash": { - "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - }, - "name": "sharphound.exe", - "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "Sharphound.exe" + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" }, "related": { "hash": [ diff --git a/SentinelOne/identity/tests/test_alert_13.json b/SentinelOne/identity/tests/test_alert_13.json index a31ef954f..d94a9c18b 100644 --- a/SentinelOne/identity/tests/test_alert_13.json +++ b/SentinelOne/identity/tests/test_alert_13.json @@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T08:45:50Z", - "file": { - "hash": { - "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - }, - "name": "sharphound.exe", - "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "Sharphound.exe" + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" }, "related": { "hash": [ diff --git a/SentinelOne/identity/tests/test_alert_14.json b/SentinelOne/identity/tests/test_alert_14.json index 7b9fc10e1..f8a4295bb 100644 
--- a/SentinelOne/identity/tests/test_alert_14.json +++ b/SentinelOne/identity/tests/test_alert_14.json @@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T08:45:50Z", - "file": { - "hash": { - "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - }, - "name": "sharphound.exe", - "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "Sharphound.exe" + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" }, "related": { "hash": [ diff --git a/SentinelOne/identity/tests/test_alert_15.json b/SentinelOne/identity/tests/test_alert_15.json index d8a7c1f8a..3d07d62a5 100644 --- a/SentinelOne/identity/tests/test_alert_15.json +++ b/SentinelOne/identity/tests/test_alert_15.json @@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T08:45:50Z", - "file": { - "hash": { - "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - }, - "name": "sharphound.exe", - "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "Sharphound.exe" + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" }, "related": { "hash": [ diff --git a/SentinelOne/identity/tests/test_alert_16.json b/SentinelOne/identity/tests/test_alert_16.json index 8a5217a55..0a9dc292d 100644 --- a/SentinelOne/identity/tests/test_alert_16.json +++ b/SentinelOne/identity/tests/test_alert_16.json 
@@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T08:45:50Z", - "file": { - "hash": { - "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - }, - "name": "sharphound.exe", - "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "Sharphound.exe" + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" }, "related": { "hash": [ diff --git a/SentinelOne/identity/tests/test_alert_5.json b/SentinelOne/identity/tests/test_alert_5.json index f1339df60..6e14dbe24 100644 --- a/SentinelOne/identity/tests/test_alert_5.json +++ b/SentinelOne/identity/tests/test_alert_5.json @@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T09:54:58Z", - "file": { - "hash": { - "sha256": "4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22" - }, - "name": "cmd.exe", - "path": "c:\\windows\\system32\\cmd.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "\"C:\\Windows\\system32\\cmd.exe\"" + "command_line": "\"C:\\Windows\\system32\\cmd.exe\"", + "executable": "c:\\windows\\system32\\cmd.exe", + "hash": { + "sha256": "4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22" + }, + "name": "cmd.exe" }, "related": { "hash": [ diff --git a/SentinelOne/identity/tests/test_alert_6.json b/SentinelOne/identity/tests/test_alert_6.json index e43c64e20..5b987ddc2 100644 --- a/SentinelOne/identity/tests/test_alert_6.json +++ b/SentinelOne/identity/tests/test_alert_6.json 
@@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T09:45:51Z", - "file": { - "hash": { - "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - }, - "name": "sharphound.exe", - "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "Sharphound.exe" + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" }, "related": { "hash": [ diff --git a/SentinelOne/identity/tests/test_alert_7.json b/SentinelOne/identity/tests/test_alert_7.json index d4acce26a..6fc5195cb 100644 --- a/SentinelOne/identity/tests/test_alert_7.json +++ b/SentinelOne/identity/tests/test_alert_7.json @@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T09:45:51Z", - "file": { - "hash": { - "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - }, - "name": "sharphound.exe", - "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "Sharphound.exe" + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" }, "related": { "hash": [ From da65007e11116a5b5a457a097df379c56cd4d66b Mon Sep 17 00:00:00 2001 
From: vg-svitla <131353512+vg-svitla@users.noreply.github.com> Date: Mon, 2 Dec 2024 15:24:03 +0200 Subject: [PATCH 6/7] Update SentinelOne/identity/_meta/manifest.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sébastien Quioc --- SentinelOne/identity/_meta/manifest.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/SentinelOne/identity/_meta/manifest.yml b/SentinelOne/identity/_meta/manifest.yml index 1d18ad943..e8b52a2d5 100644 --- a/SentinelOne/identity/_meta/manifest.yml +++ b/SentinelOne/identity/_meta/manifest.yml @@ -1,6 +1,8 @@ uuid: b502e522-6996-4b12-9538-f69326b68243 -name: SentinelOne Singularity Identity +name: SentinelOne Singularity Identity [ALPHA] slug: sentinelone-singularity-identity +automation_connector_uuid: 2d772558-821d-4663-87bd-af28bbb8415a +automation_module_uuid: ff675e74-e5c1-47c8-a571-d207fc297464 description: >- SentinelOne Singularity Identity is a cybersecurity solution that provides identity protection and zero-trust security by continuously monitoring and analyzing user behaviors to detect and prevent potential threats. From c97f9cc3ebe0cc7aa224c75fb383f2bbbb3ff18e Mon Sep 17 00:00:00 2001 From: vg-svitla Date: Mon, 2 Dec 2024 17:26:30 +0200 Subject: [PATCH 7/7] Fix comments --- SentinelOne/identity/tests/test_alert_16.json | 47 ------------------- SentinelOne/identity/tests/test_alert_2.json | 31 ++++++++++-- 2 files changed, 28 insertions(+), 50 deletions(-) delete mode 100644 SentinelOne/identity/tests/test_alert_16.json diff --git a/SentinelOne/identity/tests/test_alert_16.json b/SentinelOne/identity/tests/test_alert_16.json deleted file mode 100644 index 0a9dc292d..000000000 --- a/SentinelOne/identity/tests/test_alert_16.json +++ /dev/null 
@@ -1,47 +0,0 @@ -{ - "input": { - "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" - }, - "expected": { - "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", - "event": { - "category": "intrusion_detection", - "end": "2024-11-22T08:45:50Z", - "kind": "alert", - "provider": "Identity", - "reason": "This events is raised when a LDAP search Query is detected from the endpoint.", 
- "start": "2024-11-22T08:45:50Z", - "type": "info" - }, - "@timestamp": "2024-11-22T08:45:50Z", - "observer": { - "product": "Singularity Identity", - "vendor": "SentinelOne" - }, - "process": { - "command_line": "Sharphound.exe", - "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", - "hash": { - "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - }, - "name": "sharphound.exe" - }, - "related": { - "hash": [ - "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - ] - }, - "sentinelone": { - "identity": { - "attackSurfaces": [ - "IDENTITY" - ], - "classification": "ENUMERATION", - "confidenceLevel": "MALICIOUS", - "id": "01935310-dc47-75de-8925-5f026bd5a705", - "name": "LDAP Search Detected", - "status": "NEW" - } - } - } -} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_2.json b/SentinelOne/identity/tests/test_alert_2.json index 39420a5e0..0a9dc292d 100644 --- a/SentinelOne/identity/tests/test_alert_2.json +++ b/SentinelOne/identity/tests/test_alert_2.json 
@@ -1,21 +1,46 @@ { "input": { - "message": "{\n \"uuid\": \"c0d4da63-0b2b-41ea-8cfe-0eb6bf78c398\",\n \"lastMigration\": 33,\n \"name\": \"Mocked api\",\n \"endpointPrefix\": \"\",\n \"latency\": 0,\n \"port\": 3000,\n \"hostname\": \"\",\n \"folders\": [\n {\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\",\n \"name\": \"user\",\n \"children\": [\n {\n \"type\": \"route\",\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\"\n }\n ]\n }\n ],\n \"routes\": [\n {\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\",\n \"type\": \"http\",\n \"documentation\": \"Creates new user\",\n \"method\": \"post\",\n \"endpoint\": \"user\",\n \"responses\": [\n {\n \"uuid\": \"0a1cd03e-8140-42cb-a0a3-67e99f44b595\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"w34k\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"CreateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"2334411e-b9c5-425e-8bd8-470da7d11077\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n 
\"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\",\n \"type\": \"http\",\n \"documentation\": \"Logout\",\n \"method\": \"post\",\n \"endpoint\": \"user/logout\",\n \"responses\": [\n {\n \"uuid\": \"8e9bafc8-78e5-4685-88cd-3b90f85edb87\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\",\n \"type\": \"http\",\n \"documentation\": \"Authenticate user with credentials\",\n \"method\": \"post\",\n \"endpoint\": \"user/authenticate\",\n \"responses\": [\n {\n \"uuid\": \"91ecae5f-67e0-4264-b724-964d54d7d458\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"AuthenticateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"6e78ae1f-c46c-43fc-a96b-6718ec506d26\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n 
\"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\",\n \"type\": \"http\",\n \"documentation\": \"Refresh Session\",\n \"method\": \"post\",\n \"endpoint\": \"user/refresh-session\",\n \"responses\": [\n {\n \"uuid\": \"5505a95b-80d0-46cc-b388-9d5afac52102\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": true,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"7d54557c-5d32-44c1-92dc-a594615ce7d8\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\",\n \"type\": \"http\",\n \"documentation\": \"Auth required\",\n \"method\": \"all\",\n \"endpoint\": \"*\",\n \"responses\": [\n {\n \"uuid\": \"c49cf55f-b651-4a26-9c10-9806af40c0c4\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": 
[],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"header\",\n \"modifier\": \"funfy-auth-token\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n },\n {\n \"target\": \"path\",\n \"modifier\": \"\",\n \"value\": \"/user\",\n \"invert\": true,\n \"operator\": \"equals\"\n },\n {\n \"target\": \"path\",\n \"modifier\": \"\",\n \"value\": \"/user/authenticate\",\n \"invert\": true,\n \"operator\": \"equals\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\",\n \"type\": \"http\",\n \"documentation\": \"RefreshToken is required\",\n \"method\": \"all\",\n \"endpoint\": \"user/*\",\n \"responses\": [\n {\n \"uuid\": \"e5d4e8a4-037e-4e72-b8a3-1e4b9c5da3bd\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$.refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\",\n \"type\": \"http\",\n \"documentation\": \"\",\n \"method\": \"get\",\n \"endpoint\": \"test\",\n \"responses\": [\n {\n \"uuid\": \"acc619a1-6ec7-45a6-888c-a7a860ed237b\",\n \"body\": \"{\\n \\\"message\\\": \\\"route required auth\\\"\\n}\",\n \"latency\": 0,\n \"statusCode\": 
200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n }\n ],\n \"rootChildren\": [\n {\n \"type\": \"route\",\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\"\n },\n {\n \"type\": \"folder\",\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\"\n }\n ],\n \"proxyMode\": false,\n \"proxyHost\": \"\",\n \"proxyRemovePrefix\": false,\n \"tlsOptions\": {\n \"enabled\": false,\n \"type\": \"CERT\",\n \"pfxPath\": \"\",\n \"certPath\": \"\",\n \"keyPath\": \"\",\n \"caPath\": \"\",\n \"passphrase\": \"\"\n },\n \"cors\": true,\n \"headers\": [\n {\n \"key\": \"Content-Type\",\n \"value\": \"application/json\"\n },\n {\n \"key\": \"Access-Control-Allow-Origin\",\n \"value\": \"*\"\n },\n {\n \"key\": \"Access-Control-Allow-Methods\",\n \"value\": \"GET,POST,PUT,PATCH,DELETE,HEAD,OPTIONS\"\n },\n {\n \"key\": \"Access-Control-Allow-Headers\",\n \"value\": \"Content-Type, Origin, Accept, Authorization, Content-Length, X-Requested-With\"\n }\n ],\n \"proxyReqHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n ],\n \"proxyResHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n ],\n \"data\": [\n {\n \"uuid\": \"38fb975d-c6f0-48d9-ae52-9e3fbc5cb654\",\n \"id\": \"8wey\",\n \"name\": \"Globals\",\n \"documentation\": \"\",\n \"value\": \"\"\n },\n {\n \"uuid\": \"2372a308-c890-479c-a18b-54abe4696967\",\n \"id\": \"zzay\",\n \"name\": \"ISODate\",\n \"documentation\": \"Datetime shared format comes from backend\",\n \"value\": \"\\\"{{now 'yyyy-MM-dd\\\\'T\\\\'HH:mm:ss\\\\'Z\\\\''}}\\\"\"\n },\n {\n \"uuid\": 
\"160c80f4-39c7-494d-a489-06da2e51aa87\",\n \"id\": \"g4qq\",\n \"name\": \"CreateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"email\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n \"uuid\": \"c1d673ba-f7cf-4fd2-8cc8-449017a3ff17\",\n \"id\": \"ofz6\",\n \"name\": \"AuthenticateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n \"uuid\": \"2844853c-c892-4671-9201-0b252711a36b\",\n \"id\": \"w34k\",\n \"name\": \"User\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"id\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"email\\\": \\\"{{faker 'internet.email'}}\\\",\\n \\\"phone\\\": \\\"{{faker 'phone.number' style='international'}}\\\",\\n \\\"createdAt\\\": \\\"{{data 'ISODate'}}\\\",\\n \\\"updatedAt\\\": \\\"{{data 'ISODate'}}\\\",\\n}\"\n },\n {\n \"uuid\": \"e698b979-5934-45f2-8612-5782a8b1e0be\",\n \"id\": \"77fk\",\n \"name\": \"Authentication\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"refreshToken\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"accessToken\\\": \\\"{{faker 'string.uuid'}}\\\"\\n}\"\n }\n ],\n \"callbacks\": []\n}" + "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", 
\"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" }, "expected": { - "message": "{\n \"uuid\": \"c0d4da63-0b2b-41ea-8cfe-0eb6bf78c398\",\n \"lastMigration\": 33,\n \"name\": \"Mocked api\",\n \"endpointPrefix\": \"\",\n \"latency\": 0,\n \"port\": 3000,\n \"hostname\": \"\",\n \"folders\": [\n {\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\",\n \"name\": \"user\",\n \"children\": [\n {\n \"type\": \"route\",\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\"\n }\n ]\n }\n ],\n \"routes\": [\n {\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\",\n \"type\": \"http\",\n \"documentation\": \"Creates new user\",\n \"method\": \"post\",\n \"endpoint\": \"user\",\n \"responses\": [\n {\n \"uuid\": \"0a1cd03e-8140-42cb-a0a3-67e99f44b595\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"w34k\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"CreateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n 
\"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"2334411e-b9c5-425e-8bd8-470da7d11077\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\",\n \"type\": \"http\",\n \"documentation\": \"Logout\",\n \"method\": \"post\",\n \"endpoint\": \"user/logout\",\n \"responses\": [\n {\n \"uuid\": \"8e9bafc8-78e5-4685-88cd-3b90f85edb87\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\",\n \"type\": \"http\",\n \"documentation\": \"Authenticate user with credentials\",\n \"method\": \"post\",\n \"endpoint\": \"user/authenticate\",\n \"responses\": [\n {\n \"uuid\": \"91ecae5f-67e0-4264-b724-964d54d7d458\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"AuthenticateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"OR\",\n 
\"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"6e78ae1f-c46c-43fc-a96b-6718ec506d26\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\",\n \"type\": \"http\",\n \"documentation\": \"Refresh Session\",\n \"method\": \"post\",\n \"endpoint\": \"user/refresh-session\",\n \"responses\": [\n {\n \"uuid\": \"5505a95b-80d0-46cc-b388-9d5afac52102\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": true,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"7d54557c-5d32-44c1-92dc-a594615ce7d8\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n 
\"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\",\n \"type\": \"http\",\n \"documentation\": \"Auth required\",\n \"method\": \"all\",\n \"endpoint\": \"*\",\n \"responses\": [\n {\n \"uuid\": \"c49cf55f-b651-4a26-9c10-9806af40c0c4\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"header\",\n \"modifier\": \"funfy-auth-token\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n },\n {\n \"target\": \"path\",\n \"modifier\": \"\",\n \"value\": \"/user\",\n \"invert\": true,\n \"operator\": \"equals\"\n },\n {\n \"target\": \"path\",\n \"modifier\": \"\",\n \"value\": \"/user/authenticate\",\n \"invert\": true,\n \"operator\": \"equals\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\",\n \"type\": \"http\",\n \"documentation\": \"RefreshToken is required\",\n \"method\": \"all\",\n \"endpoint\": \"user/*\",\n \"responses\": [\n {\n \"uuid\": \"e5d4e8a4-037e-4e72-b8a3-1e4b9c5da3bd\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$.refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n 
\"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\",\n \"type\": \"http\",\n \"documentation\": \"\",\n \"method\": \"get\",\n \"endpoint\": \"test\",\n \"responses\": [\n {\n \"uuid\": \"acc619a1-6ec7-45a6-888c-a7a860ed237b\",\n \"body\": \"{\\n \\\"message\\\": \\\"route required auth\\\"\\n}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n }\n ],\n \"rootChildren\": [\n {\n \"type\": \"route\",\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\"\n },\n {\n \"type\": \"folder\",\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\"\n }\n ],\n \"proxyMode\": false,\n \"proxyHost\": \"\",\n \"proxyRemovePrefix\": false,\n \"tlsOptions\": {\n \"enabled\": false,\n \"type\": \"CERT\",\n \"pfxPath\": \"\",\n \"certPath\": \"\",\n \"keyPath\": \"\",\n \"caPath\": \"\",\n \"passphrase\": \"\"\n },\n \"cors\": true,\n \"headers\": [\n {\n \"key\": \"Content-Type\",\n \"value\": \"application/json\"\n },\n {\n \"key\": \"Access-Control-Allow-Origin\",\n \"value\": \"*\"\n },\n {\n \"key\": \"Access-Control-Allow-Methods\",\n \"value\": \"GET,POST,PUT,PATCH,DELETE,HEAD,OPTIONS\"\n },\n {\n \"key\": \"Access-Control-Allow-Headers\",\n \"value\": \"Content-Type, Origin, Accept, Authorization, Content-Length, X-Requested-With\"\n }\n ],\n \"proxyReqHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n ],\n \"proxyResHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n 
],\n \"data\": [\n {\n \"uuid\": \"38fb975d-c6f0-48d9-ae52-9e3fbc5cb654\",\n \"id\": \"8wey\",\n \"name\": \"Globals\",\n \"documentation\": \"\",\n \"value\": \"\"\n },\n {\n \"uuid\": \"2372a308-c890-479c-a18b-54abe4696967\",\n \"id\": \"zzay\",\n \"name\": \"ISODate\",\n \"documentation\": \"Datetime shared format comes from backend\",\n \"value\": \"\\\"{{now 'yyyy-MM-dd\\\\'T\\\\'HH:mm:ss\\\\'Z\\\\''}}\\\"\"\n },\n {\n \"uuid\": \"160c80f4-39c7-494d-a489-06da2e51aa87\",\n \"id\": \"g4qq\",\n \"name\": \"CreateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"email\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n \"uuid\": \"c1d673ba-f7cf-4fd2-8cc8-449017a3ff17\",\n \"id\": \"ofz6\",\n \"name\": \"AuthenticateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n \"uuid\": \"2844853c-c892-4671-9201-0b252711a36b\",\n \"id\": \"w34k\",\n \"name\": \"User\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"id\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"email\\\": \\\"{{faker 'internet.email'}}\\\",\\n \\\"phone\\\": \\\"{{faker 'phone.number' style='international'}}\\\",\\n \\\"createdAt\\\": \\\"{{data 'ISODate'}}\\\",\\n \\\"updatedAt\\\": \\\"{{data 'ISODate'}}\\\",\\n}\"\n },\n {\n \"uuid\": \"e698b979-5934-45f2-8612-5782a8b1e0be\",\n \"id\": \"77fk\",\n \"name\": \"Authentication\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"refreshToken\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"accessToken\\\": \\\"{{faker 'string.uuid'}}\\\"\\n}\"\n }\n ],\n 
\"callbacks\": []\n}",
+ "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}",
 "event": {
 "category": "intrusion_detection",
+ "end": "2024-11-22T08:45:50Z",
 "kind": "alert",
+ "provider": "Identity",
+ "reason": "This events is raised when a LDAP search Query is detected from the endpoint.",
+ "start": "2024-11-22T08:45:50Z",
 "type": "info"
 },
+ "@timestamp": "2024-11-22T08:45:50Z",
 "observer": {
 "product": "Singularity Identity",
 "vendor": "SentinelOne"
 },
+ "process": {
+ "command_line": "Sharphound.exe",
+ "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe",
+ "hash": {
+ "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ },
+ "name": "sharphound.exe"
+ },
+ "related": {
+ "hash": [
+ "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ ]
+ },
 "sentinelone": {
 "identity": {
- "name": "Mocked api"
+ "attackSurfaces": [
+ "IDENTITY"
+ ],
+ "classification": "ENUMERATION",
+ "confidenceLevel": "MALICIOUS",
+ "id": "01935310-dc47-75de-8925-5f026bd5a705",
+ "name": "LDAP Search Detected",
+ "status": "NEW"
 }
 }
 }