diff --git a/SentinelOne/identity/CHANGELOG.md b/SentinelOne/identity/CHANGELOG.md new file mode 100644 index 000000000..11bddf32c --- /dev/null +++ b/SentinelOne/identity/CHANGELOG.md @@ -0,0 +1,8 @@ +# Changelog + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## [Unreleased] diff --git a/SentinelOne/identity/_meta/fields.yml b/SentinelOne/identity/_meta/fields.yml new file mode 100644 index 000000000..36e8acf65 --- /dev/null +++ b/SentinelOne/identity/_meta/fields.yml @@ -0,0 +1,39 @@ +sentinelone.identity.attackSurfaces: + description: '' + name: sentinelone.identity.attackSurfaces + type: keyword + +sentinelone.identity.classification: + description: '' + name: sentinelone.identity.classification + type: keyword + +sentinelone.identity.confidenceLevel: + description: '' + name: sentinelone.identity.confidenceLevel + type: keyword + +sentinelone.identity.id: + description: '' + name: sentinelone.identity.id + type: keyword + +sentinelone.identity.name: + description: '' + name: sentinelone.identity.name + type: keyword + +sentinelone.identity.result: + description: '' + name: sentinelone.identity.result + type: keyword + +sentinelone.identity.status: + description: '' + name: sentinelone.identity.status + type: keyword + +sentinelone.identity.storyLineId: + description: '' + name: sentinelone.identity.storyLineId + type: keyword diff --git a/SentinelOne/identity/_meta/logo.png b/SentinelOne/identity/_meta/logo.png new file mode 100644 index 000000000..bad666434 Binary files /dev/null and b/SentinelOne/identity/_meta/logo.png differ diff --git a/SentinelOne/identity/_meta/manifest.yml b/SentinelOne/identity/_meta/manifest.yml new file mode 100644 index 000000000..e8b52a2d5 --- /dev/null +++ b/SentinelOne/identity/_meta/manifest.yml @@ -0,0 +1,11 @@ +uuid: b502e522-6996-4b12-9538-f69326b68243 +name: SentinelOne Singularity Identity [ALPHA] +slug: sentinelone-singularity-identity +automation_connector_uuid: 2d772558-821d-4663-87bd-af28bbb8415a +automation_module_uuid: ff675e74-e5c1-47c8-a571-d207fc297464 + +description: >- + SentinelOne Singularity Identity is a cybersecurity solution that provides identity protection and zero-trust security by continuously monitoring and analyzing user behaviors to detect and prevent potential threats. + +data_sources: + Application logs: activites performed on SentinelOne infrastructure are logged diff --git a/SentinelOne/identity/_meta/smart-descriptions.json b/SentinelOne/identity/_meta/smart-descriptions.json new file mode 100644 index 000000000..e09c5db80 --- /dev/null +++ b/SentinelOne/identity/_meta/smart-descriptions.json @@ -0,0 +1,46 @@ +[ + { + "value": "Alert defined {sentinelone.identity.name} with status {sentinelone.identity.status} on {process.command_line}", + "conditions": [ + { + "field": "sentinelone.identity.name" + }, + { + "field": "sentinelone.identity.status" + }, + { + "field": "process.command_line" + } + ] + }, + { + "value": "Alert defined {sentinelone.identity.name} with status {sentinelone.identity.status}", + "conditions": [ + { + "field": "sentinelone.identity.name" + }, + { + "field": "sentinelone.identity.status" + } + ] + }, + { + "value": "Alert defined {sentinelone.identity.name} on {process.command_line}", + "conditions": [ + { + "field": "sentinelone.identity.name" + }, + { + "field": "process.command_line" + } + ] + }, + { + "value": "Alert defined {sentinelone.identity.name}", + "conditions": [ + { + "field": "sentinelone.identity.name" + } + ] + } +] diff --git a/SentinelOne/identity/ingest/parser.yml b/SentinelOne/identity/ingest/parser.yml new file mode 100644 index 000000000..90577404d --- /dev/null +++ b/SentinelOne/identity/ingest/parser.yml @@ -0,0 +1,67 @@ +name: identity +pipeline: + - name: json_event + external: + name: json.parse-json + properties: + input_field: "{{original.message}}" + + - name: detected_at + filter: "{{json_event.message.detectedAt != null}}" + external: + name: date.parse + properties: + input_field: "{{json_event.message.detectedAt}}" + output_field: timestamp + + - name: started_at + filter: "{{json_event.message.firstSeenAt != null}}" + external: + name: date.parse + properties: + input_field: "{{json_event.message.firstSeenAt}}" + output_field: timestamp + + - name: last_seen_at + filter: "{{json_event.message.lastSeenAt != null}}" + external: + name: date.parse + properties: + input_field: "{{json_event.message.lastSeenAt}}" + output_field: timestamp + + - name: set_meta_fields +stages: + set_meta_fields: + actions: + - set: + event.kind: "alert" + event.category: "intrusion_detection" + event.type: "info" + observer.vendor: "SentinelOne" + observer.product: "Singularity Identity" + + "@timestamp": "{{detected_at.timestamp}}" + event.start: "{{started_at.timestamp}}" + event.end: "{{last_seen_at.timestamp}}" + + event.provider: "{{json_event.message.detectionSource.product}}" + event.reason: "{{json_event.message.description}}" + + process.command_line: "{{json_event.message.process.cmdLine}}" + process.parent.name: "{{json_event.message.process.parentName}}" + + process.executable: "{{json_event.message.process.file.path}}" + process.name: "{{json_event.message.process.file.path | basename}}" + process.hash.sha1: "{{json_event.message.process.file.sha1}}" + process.hash.sha256: "{{json_event.message.process.file.sha256}}" + process.hash.md5: "{{json_event.message.process.file.md5}}" + + sentinelone.identity.id: "{{json_event.message.id}}" + sentinelone.identity.name: "{{json_event.message.name}}" + sentinelone.identity.attackSurfaces: "{{json_event.message.attackSurfaces}}" + sentinelone.identity.status: "{{json_event.message.status}}" + sentinelone.identity.classification: "{{json_event.message.classification}}" + sentinelone.identity.confidenceLevel: "{{json_event.message.confidenceLevel}}" + sentinelone.identity.result: "{{json_event.message.result}}" + sentinelone.identity.storyLineId: "{{json_event.message.storyLineId}}" diff --git a/SentinelOne/identity/tests/test_alert_1.json b/SentinelOne/identity/tests/test_alert_1.json new file mode 100644 index 000000000..8d5dcf96a --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_1.json @@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\n \"id\": \"ba485919-e4c1-4496-9e2f-feb320f6841a\",\n \"name\": \"Domain Controller Discovery Detected\",\n \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\",\n \"detectedAt\": \"2024-11-22T05:35:09.000Z\",\n \"attackSurfaces\": [\n \"IDENTITY\"\n ],\n \"detectionSource\": {\n \"product\": \"Identity\"\n },\n \"status\": \"NEW\",\n \"assignee\": null,\n \"classification\": \"ENUMERATION\",\n \"confidenceLevel\": \"MALICIOUS\",\n \"firstSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"lastSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"process\": {\n \"cmdLine\": \"C:\\\\Windows\\\\system32\\\\net1 group \\\"Domain Controllers\\\" /domain\",\n \"file\": {\n \"path\": \"c:\\\\windows\\\\system32\\\\net1.exe\",\n \"sha1\": null,\n \"sha256\": \"18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398\",\n \"md5\": null\n },\n \"parentName\": null\n },\n \"result\": null,\n \"storylineId\": null\n}" + }, + "expected": { + "message": "{\n \"id\": \"ba485919-e4c1-4496-9e2f-feb320f6841a\",\n \"name\": \"Domain Controller Discovery Detected\",\n \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\",\n \"detectedAt\": \"2024-11-22T05:35:09.000Z\",\n \"attackSurfaces\": [\n \"IDENTITY\"\n ],\n \"detectionSource\": {\n \"product\": \"Identity\"\n },\n \"status\": \"NEW\",\n \"assignee\": null,\n \"classification\": \"ENUMERATION\",\n \"confidenceLevel\": \"MALICIOUS\",\n \"firstSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"lastSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"process\": {\n \"cmdLine\": \"C:\\\\Windows\\\\system32\\\\net1 group \\\"Domain Controllers\\\" /domain\",\n \"file\": {\n \"path\": \"c:\\\\windows\\\\system32\\\\net1.exe\",\n \"sha1\": null,\n \"sha256\": \"18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398\",\n \"md5\": null\n },\n \"parentName\": null\n },\n \"result\": null,\n \"storylineId\": null\n}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T05:35:09Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "start": "2024-11-22T05:35:09Z", + "type": "info" + }, + "@timestamp": "2024-11-22T05:35:09Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "C:\\Windows\\system32\\net1 group \"Domain Controllers\" /domain", + "executable": "c:\\windows\\system32\\net1.exe", + "hash": { + "sha256": "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398" + }, + "name": "net1.exe" + }, + "related": { + "hash": [ + "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "ba485919-e4c1-4496-9e2f-feb320f6841a", + "name": "Domain Controller Discovery Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_10.json b/SentinelOne/identity/tests/test_alert_10.json new file mode 100644 index 000000000..deb56e2a5 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_10.json @@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"id\": \"01935322-7b49-71f0-89e0-f52562c26e53\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:09:48.731Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:09:48.731Z\", \"lastSeenAt\": \"2024-11-22T09:09:48.731Z\", \"process\": null, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935322-7b49-71f0-89e0-f52562c26e53\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:09:48.731Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:09:48.731Z\", \"lastSeenAt\": \"2024-11-22T09:09:48.731Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:09:48.731000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.", + "start": "2024-11-22T09:09:48.731000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:09:48.731000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935322-7b49-71f0-89e0-f52562c26e53", + "name": "Brute force attack - Mass Account Lockout", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_11.json b/SentinelOne/identity/tests/test_alert_11.json new file mode 100644 index 000000000..84d64cee6 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_11.json @@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"id\": \"01935310-d00e-7616-81b9-fcb227ebb13d\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-d00e-7616-81b9-fcb227ebb13d\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:51Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "start": "2024-11-22T08:45:51Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:51Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-d00e-7616-81b9-fcb227ebb13d", + "name": "Domain Controller Discovery Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_12.json b/SentinelOne/identity/tests/test_alert_12.json new file mode 100644 index 000000000..3e75c9e78 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_12.json @@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"id\": \"01935310-eb28-7a57-9c27-87843b2cec61\", \"name\": \"AD Service Account Enumeration Detected\", \"description\": \"This event is generated when LDAP queries for enumerating service accounts are detected from an endpoint.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-eb28-7a57-9c27-87843b2cec61\", \"name\": \"AD Service Account Enumeration Detected\", \"description\": \"This event is generated when LDAP queries for enumerating service accounts are detected from an endpoint.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:51Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is generated when LDAP queries for enumerating service accounts are detected from an endpoint.", + "start": "2024-11-22T08:45:51Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:51Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-eb28-7a57-9c27-87843b2cec61", + "name": "AD Service Account Enumeration Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_13.json b/SentinelOne/identity/tests/test_alert_13.json new file mode 100644 index 000000000..d94a9c18b --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_13.json @@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"id\": \"01935310-c715-72c9-bbd9-dc1ff6a7ff1e\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-c715-72c9-bbd9-dc1ff6a7ff1e\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.", + "start": "2024-11-22T08:45:50Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:50Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-c715-72c9-bbd9-dc1ff6a7ff1e", + "name": "AD Domain Computer Enumeration Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_14.json b/SentinelOne/identity/tests/test_alert_14.json new file mode 100644 index 000000000..f8a4295bb --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_14.json @@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"id\": \"01935310-cb9b-770e-96ee-632d4d21520b\", \"name\": \"AD ACL Enumeration\", \"description\": \"This event is generated when a command used to query or read the ACL's\\\\ Permission of any object in Active Directory.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-cb9b-770e-96ee-632d4d21520b\", \"name\": \"AD ACL Enumeration\", \"description\": \"This event is generated when a command used to query or read the ACL's\\\\ Permission of any object in Active Directory.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is generated when a command used to query or read the ACL's\\ Permission of any object in Active Directory.", + "start": "2024-11-22T08:45:50Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:50Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-cb9b-770e-96ee-632d4d21520b", + "name": "AD ACL Enumeration", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_15.json b/SentinelOne/identity/tests/test_alert_15.json new file mode 100644 index 000000000..3d07d62a5 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_15.json @@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"id\": \"01935310-d4ba-7131-9e08-defa8b3aeb52\", \"name\": \"Domain Users Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the users in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-d4ba-7131-9e08-defa8b3aeb52\", \"name\": \"Domain Users Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the users in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to dump all the users in the Active Directory Domain.", + "start": "2024-11-22T08:45:50Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:50Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-d4ba-7131-9e08-defa8b3aeb52", + "name": "Domain Users Enumeration Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_2.json b/SentinelOne/identity/tests/test_alert_2.json new file mode 100644 index 000000000..0a9dc292d --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_2.json @@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", + "kind": "alert", + "provider": "Identity", + "reason": "This events is raised when a LDAP search Query is detected from the endpoint.", + "start": "2024-11-22T08:45:50Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:50Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-dc47-75de-8925-5f026bd5a705", + "name": "LDAP Search Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_3.json b/SentinelOne/identity/tests/test_alert_3.json new file mode 100644 index 000000000..cbc475032 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_3.json @@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"id\": \"01935359-3eda-7903-93fc-af6a0e5d0a8f\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:37.779Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:37.779Z\", \"lastSeenAt\": \"2024-11-22T10:09:37.779Z\", \"process\": null, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935359-3eda-7903-93fc-af6a0e5d0a8f\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:37.779Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:37.779Z\", \"lastSeenAt\": \"2024-11-22T10:09:37.779Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T10:09:37.779000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.", + "start": "2024-11-22T10:09:37.779000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T10:09:37.779000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935359-3eda-7903-93fc-af6a0e5d0a8f", + "name": "Brute force attack - Mass Account Lockout", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_4.json b/SentinelOne/identity/tests/test_alert_4.json new file mode 100644 index 000000000..64efcfc10 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_4.json @@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"id\": \"01935358-ee81-7eb7-b57f-022c6f0019a9\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:17.184Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:17.184Z\", \"lastSeenAt\": \"2024-11-22T10:09:17.184Z\", \"process\": null, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935358-ee81-7eb7-b57f-022c6f0019a9\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:17.184Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:17.184Z\", \"lastSeenAt\": \"2024-11-22T10:09:17.184Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T10:09:17.184000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.", + "start": "2024-11-22T10:09:17.184000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T10:09:17.184000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935358-ee81-7eb7-b57f-022c6f0019a9", + "name": "Brute force attack - Mass Account Lockout", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_5.json b/SentinelOne/identity/tests/test_alert_5.json new file mode 100644 index 000000000..6e14dbe24 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_5.json @@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"id\": \"0193534d-63c1-7497-b854-b883425af3f5\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:54:58.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:54:58.000Z\", \"lastSeenAt\": \"2024-11-22T09:54:58.000Z\", \"process\": {\"cmdLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\", \"file\": {\"path\": \"c:\\\\windows\\\\system32\\\\cmd.exe\", \"sha1\": null, \"sha256\": \"4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"0193534d-63c1-7497-b854-b883425af3f5\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:54:58.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:54:58.000Z\", \"lastSeenAt\": \"2024-11-22T09:54:58.000Z\", \"process\": {\"cmdLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\", \"file\": {\"path\": \"c:\\\\windows\\\\system32\\\\cmd.exe\", \"sha1\": null, \"sha256\": \"4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:54:58Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "start": "2024-11-22T09:54:58Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:54:58Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "\"C:\\Windows\\system32\\cmd.exe\"", + "executable": "c:\\windows\\system32\\cmd.exe", + "hash": { + "sha256": "4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22" + }, + "name": "cmd.exe" + }, + "related": { + "hash": [ + "4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "0193534d-63c1-7497-b854-b883425af3f5", + "name": "Domain Controller Discovery Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_6.json b/SentinelOne/identity/tests/test_alert_6.json new file mode 100644 index 000000000..5b987ddc2 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_6.json @@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"id\": \"01935347-abf7-7457-8467-e3443470e6f3\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935347-abf7-7457-8467-e3443470e6f3\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:45:51Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.", + "start": "2024-11-22T09:45:51Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:45:51Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935347-abf7-7457-8467-e3443470e6f3", + "name": "AD Domain Computer Enumeration Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_7.json b/SentinelOne/identity/tests/test_alert_7.json new file mode 100644 index 000000000..6fc5195cb --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_7.json @@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"id\": \"01935347-b05a-7d28-a929-5294ee16628a\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935347-b05a-7d28-a929-5294ee16628a\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:45:51Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "start": "2024-11-22T09:45:51Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:45:51Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935347-b05a-7d28-a929-5294ee16628a", + "name": "Domain Controller Discovery Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_8.json b/SentinelOne/identity/tests/test_alert_8.json new file mode 100644 index 000000000..384a41648 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_8.json @@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"id\": \"01935342-d073-7ed0-8c5e-2373fc013310\", \"name\": \"Default Admin Account Usage\", \"description\": \"This event is raised for default administrator account logon anywhere in the domain.\", \"detectedAt\": \"2024-11-22T09:45:07.655Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:07.655Z\", \"lastSeenAt\": \"2024-11-22T09:45:07.655Z\", \"process\": null, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935342-d073-7ed0-8c5e-2373fc013310\", \"name\": \"Default Admin Account Usage\", \"description\": \"This event is raised for default administrator account logon anywhere in the domain.\", \"detectedAt\": \"2024-11-22T09:45:07.655Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:07.655Z\", \"lastSeenAt\": \"2024-11-22T09:45:07.655Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:45:07.655000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised for default administrator account logon anywhere in the domain.", + "start": "2024-11-22T09:45:07.655000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:45:07.655000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935342-d073-7ed0-8c5e-2373fc013310", + "name": "Default Admin Account Usage", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_9.json b/SentinelOne/identity/tests/test_alert_9.json new file mode 100644 index 000000000..74ab3a7f3 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_9.json @@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"id\": \"01935322-cc3a-76cc-890b-a1c2d1b815d4\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:10:09.467Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:10:09.467Z\", \"lastSeenAt\": \"2024-11-22T09:10:09.467Z\", \"process\": null, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935322-cc3a-76cc-890b-a1c2d1b815d4\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:10:09.467Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:10:09.467Z\", \"lastSeenAt\": \"2024-11-22T09:10:09.467Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:10:09.467000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.", + "start": "2024-11-22T09:10:09.467000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:10:09.467000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935322-cc3a-76cc-890b-a1c2d1b815d4", + "name": "Brute force attack - Mass Account Lockout", + "status": "NEW" + } + } + } +} \ No newline at end of file