diff --git a/SentinelOne/identity/_meta/fields.yml b/SentinelOne/identity/_meta/fields.yml
index 36e8acf65..f31575843 100644
--- a/SentinelOne/identity/_meta/fields.yml
+++ b/SentinelOne/identity/_meta/fields.yml
@@ -1,3 +1,13 @@
+sentinelone.identity.analystVerdict:
+ description: ''
+ name: sentinelone.identity.analystVerdict
+ type: keyword
+
+sentinelone.identity.analyticsCategory:
+ description: ''
+ name: sentinelone.identity.analyticsCategory
+ type: keyword
+
 sentinelone.identity.attackSurfaces:
 description: ''
 name: sentinelone.identity.attackSurfaces
@@ -28,6 +38,16 @@ sentinelone.identity.result:
 name: sentinelone.identity.result
 type: keyword
+sentinelone.identity.siteId:
+ description: ''
+ name: sentinelone.identity.siteId
+ type: keyword
+
+sentinelone.identity.siteName:
+ description: ''
+ name: sentinelone.identity.siteName
+ type: keyword
+
 sentinelone.identity.status:
 description: ''
 name: sentinelone.identity.status
diff --git a/SentinelOne/identity/ingest/parser.yml b/SentinelOne/identity/ingest/parser.yml
index 90577404d..38cf9fddf 100644
--- a/SentinelOne/identity/ingest/parser.yml
+++ b/SentinelOne/identity/ingest/parser.yml
@@ -57,6 +57,11 @@ stages:
 process.hash.sha256: "{{json_event.message.process.file.sha256}}"
 process.hash.md5: "{{json_event.message.process.file.md5}}"
+ agent.id: "{{json_event.message.asset.agentUuid}}"
+ agent.version: "{{json_event.message.asset.agentVersion}}"
+ host.os.family: "{{json_event.message.asset.osType}}"
+ host.os.version: "{{json_event.message.asset.osVersion}}"
+
 sentinelone.identity.id: "{{json_event.message.id}}"
 sentinelone.identity.name: "{{json_event.message.name}}"
 sentinelone.identity.attackSurfaces: "{{json_event.message.attackSurfaces}}"
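Review bot: The new fields are declared with `description: ''`, so a reader of the schema cannot tell `analystVerdict` from `analyticsCategory`, and `siteId`/`siteName` added in the hunk below give no hint that they come from `rawData.resources[0].s1_metadata` rather than the alert's own `asset` block. The parser hunks fix the source of each value, so the descriptions can be filled from them, e.g. `description: 'Analyst verdict set on the alert (message.analystVerdict, e.g. UNDEFINED)'` and `description: 'SentinelOne analytics category of the detection (message.analytics.category, e.g. ADSecure-DC)'`. The pre-existing fields in this file are equally undocumented, so this is the file's convention rather than a regression, but new fields are the place to stop adding to the debt.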
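Review bot: `host.os.family` is copied straight from `asset.osType`, and both fixtures show the vendor placeholder `UNKNOWN` landing in the normalized field (`host.os.family: UNKNOWN` in the expected output), so host-OS pivots and any rule that treats a populated `host.os.family` as meaningful will match on a sentinel. Guard the mapping so the placeholder is not emitted, `host.os.family: "{% if json_event.message.asset.osType != 'UNKNOWN' %}{{json_event.message.asset.osType}}{% endif %}"`; the second fixture already shows an empty render being dropped for `host.os.version`, so an empty branch is safe here. It is also worth checking whether the vendor's real `osType` values fit ECS `host.os.type` (the fixed windows/linux/macos enum) better than the free-text `host.os.family`; the fixtures only carry `UNKNOWN`, so I cannot tell from here. The `set` stage these keys belong to starts before the hunk.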
@@ -65,3 +70,26 @@ stages:
 sentinelone.identity.confidenceLevel: "{{json_event.message.confidenceLevel}}"
 sentinelone.identity.result: "{{json_event.message.result}}"
 sentinelone.identity.storyLineId: "{{json_event.message.storyLineId}}"
+ sentinelone.identity.analystVerdict: "{{json_event.message.analystVerdict}}"
+ sentinelone.identity.analyticsCategory: "{{json_event.message.analytics.category}}"
+
+ - set:
+ threat.tactic.id: "[{% for attack in json_event.message.rawData.finding_info.attacks %}{% for tactic in attack['tactics'] %}'{{tactic.uid}}',{% endfor %}{% endfor %}]"
+ threat.tactic.name: "[{% for attack in json_event.message.rawData.finding_info.attacks %}{% for tactic in attack['tactics'] %}'{{tactic.name}}',{% endfor %}{% endfor %}]"
+ filter: "{{json_event.message.get('rawData', {}).get('finding_info', {}).get('attacks', []) | length > 0}}"
+
+ - set:
+ host.name: "{{json_event.message.rawData.resources[0].name}}"
+ organization.id: "{{json_event.message.rawData.resources[0].s1_metadata.account_id}}"
+ organization.name: "{{json_event.message.rawData.resources[0].s1_metadata.account_name}}"
+ sentinelone.identity.siteId: "{{json_event.message.rawData.resources[0].s1_metadata.site_id}}"
+ sentinelone.identity.siteName: "{{json_event.message.rawData.resources[0].s1_metadata.site_name}}"
+ filter: "{{json_event.message.get('rawData', {}).get('resources', []) | length > 0}}"
+
+ - set:
+ destination.domain: "{{json_event.message.rawData.evidences[0].dst_endpoint.hostname}}"
+ destination.ip: "{{json_event.message.rawData.evidences[0].dst_endpoint.ip}}"
+ source.domain: "{{json_event.message.rawData.evidences[0].src_endpoint.hostname}}"
+ source.ip: "{{json_event.message.rawData.evidences[0].src_endpoint.ip}}"
+ user.name: "{{json_event.message.rawData.evidences[0].actor.user.name}}"
+ filter: "{{json_event.message.get('rawData', {}).get('evidences', []) | length > 0}}"
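Review bot: The first added `set` stage maps `attacks[].tactics[]` but drops the sibling `attacks[].technique` (`T1003` / `OS Credential Dumping` in the first fixture), and `threat.technique.id`/`threat.technique.name` are the ATT&CK fields most correlation content keys on; add `threat.technique.id: "[{% for attack in json_event.message.rawData.finding_info.attacks %}'{{attack.technique.uid}}',{% endfor %}]"` and the matching `threat.technique.name` line next to the tactic keys. In the third stage `actor.user.domain` (`LAB` in the fixture) is discarded although it is what disambiguates `user.name` across AD domains for an identity product; add `user.domain: "{{json_event.message.rawData.evidences[0].actor.user.domain}}"`. All three stages read only element `[0]` of `resources`/`evidences`, so an alert carrying several evidences silently loses the others' source, destination and user, which deserves a comment above the stages stating that only the first entry is normalized. The tactic uid is passed through verbatim and the fixtures show `TA006` rather than the canonical ATT&CK form `TA0006`; if that is how the vendor emits it, say so in the `threat.tactic.id` documentation so rules do not assume canonical IDs. The `stages` list these entries belong to begins outside the hunk.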
diff --git a/SentinelOne/identity/tests/test_alert_1_detailed.json b/SentinelOne/identity/tests/test_alert_1_detailed.json
new file mode 100644
index 000000000..aaa2524e4
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_1_detailed.json
@@ -0,0 +1,90 @@ +{ + "input": { + "message": "{\n \"analystVerdict\": \"UNDEFINED\",\n \"analytics\": {\n \"category\": \"ADSecure-DC\"\n },\n \"asset\": {\n \"agentUuid\": \"123123123123123\",\n \"agentVersion\": \"AgentVersion1\",\n \"category\": \"Server\",\n \"name\": \"VM0001.LAB\",\n \"osType\": \"UNKNOWN\",\n \"osVersion\": \"1.1\",\n \"subcategory\": \"Other Server\",\n \"type\": \"UNKNOWN\"\n },\n \"assignee\": null,\n \"attackSurfaces\": [\n \"IDENTITY\"\n ],\n \"classification\": \"UNKNOWN\",\n \"confidenceLevel\": \"MALICIOUS\",\n \"description\": \"This event is generated when a DCSync attack is detected.\",\n \"detectedAt\": \"2024-12-11T13:11:48.487Z\",\n \"detectionSource\": {\n \"product\": \"Identity\"\n },\n \"firstSeenAt\": \"2024-12-11T13:11:48.487Z\",\n \"id\": \"19b5cab4-9fdc-49f9-9641-dae9ed9b1c3b\",\n \"lastSeenAt\": \"2024-12-11T13:11:48.487Z\",\n \"name\": \"DCSync Attack Detected\",\n \"process\": null,\n \"rawData\": {\n \"activity_id\": 2,\n \"activity_name\": \"Update\",\n \"attack_surface_ids\": [\n 4\n ],\n \"category_uid\": 2,\n \"class_uid\": 99602001,\n \"confidence_id\": 3,\n \"evidences\": [\n {\n \"actor\": {\n \"user\": {\n\"name\":\"test_user\", \"domain\": \"LAB\"\n }\n },\n \"dst_endpoint\": {\n \"hostname\": \"VM0001\",\n \"ip\": \"5.6.7.8\",\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\"\n },\n \"src_endpoint\": {\n \"hostname\":\"tes.test\", \"ip\": \"1.2.3.4\"\n }\n }\n ],\n \"finding_info\": {\n \"analytic\": {\n \"category\": \"ADSecure-DC\",\n \"type_id\": 1,\n \"uid\": \"ADSecure-DC\"\n },\n \"attacks\": [\n {\n \"tactics\": [\n {\n \"name\": \"Credential Access\",\n \"uid\": \"TA006\"\n }\n ],\n \"technique\": {\n \"name\": \"OS Credential Dumping\",\n \"uid\": \"T1003\"\n },\n \"version\": \"ATT&CK v11\"\n }\n ],\n \"desc\": \"This event is generated when a DCSync attack is detected.\",\n \"first_seen_time\": \"1733922708487\",\n \"internal_uid\": \"d2dfca23-c7c7-409d-840c-cc0702ef7eb7\",\n \"kill_chain\": [\n {\n 
\"phase_id\": 2\n }\n ],\n \"last_seen_time\": \"1733922708487\",\n \"related_events\": [\n {\n \"message\": \"An authorized session has been detected with a certain privilege which could be result of an privilege escalation.\",\n \"severity_id\": 5,\n \"time\": \"1733922708487\",\n \"type\": \"Authorize Session: Other\",\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\"\n }\n ],\n \"title\": \"DCSync Attack Detected\",\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\"\n },\n \"message\": \"This event is generated when a DCSync attack is detected.\",\n \"metadata\": {\n \"extension\": {\n \"name\": \"s1\",\n \"uid\": \"996\",\n \"version\": \"0.1.0\"\n },\n \"product\": {\n \"name\": \"Identity\",\n \"vendor_name\": \"SentinelOne\"\n },\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\",\n \"version\": \"1.1.0-dev\"\n },\n \"raw_data\": \"5001802:Attacker IP=1.2.3.4 Source Port=49970 Target IP=5.6.7.8 Target Port=49155 Severity=14 Domain=LAB userName=john.doe dc_host=VM00001 CA_STATUS=ALERT client_id=xxxxxxx-xxxxxx-xxxx-xxxxxxx subscriberId:6666\",\n \"resources\": [\n {\n \"internal_uid\": \"11111111111111111111111111\",\n \"name\": \"VM0001.LAB\",\n \"s1_metadata\": {\n \"account_id\": \"123123123123123123\",\n \"account_name\": \"EXAMPLE CORP\",\n \"group_id\": \"1234567890\",\n \"group_name\": \"Default Group\",\n \"mgmt_id\": 123123,\n \"scope_id\": \"1234567890\",\n \"scope_level\": \"Group\",\n \"site_id\": \"1234567890\",\n \"site_name\": \"Sekoia.io\"\n },\n \"type\": \"server::other_server::windows_server\",\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\",\n \"version\": \"Microsoft Windows Server 2012 R2 Standard 64-bit\"\n }\n ],\n \"s1_classification_id\": 0,\n \"severity_id\": 5,\n \"status_id\": 1,\n \"time\": \"1733922708487\",\n \"type_name\": \"\",\n \"type_uid\": \"9960200101\",\n \"unmapped\": {},\n \"verdict_detail_id\": 0,\n \"verdict_id\": 0\n },\n \"result\": null,\n \"status\": \"NEW\",\n \"storylineId\": null\n}" + }, + "expected": { + "message": "{\n 
\"analystVerdict\": \"UNDEFINED\",\n \"analytics\": {\n \"category\": \"ADSecure-DC\"\n },\n \"asset\": {\n \"agentUuid\": \"123123123123123\",\n \"agentVersion\": \"AgentVersion1\",\n \"category\": \"Server\",\n \"name\": \"VM0001.LAB\",\n \"osType\": \"UNKNOWN\",\n \"osVersion\": \"1.1\",\n \"subcategory\": \"Other Server\",\n \"type\": \"UNKNOWN\"\n },\n \"assignee\": null,\n \"attackSurfaces\": [\n \"IDENTITY\"\n ],\n \"classification\": \"UNKNOWN\",\n \"confidenceLevel\": \"MALICIOUS\",\n \"description\": \"This event is generated when a DCSync attack is detected.\",\n \"detectedAt\": \"2024-12-11T13:11:48.487Z\",\n \"detectionSource\": {\n \"product\": \"Identity\"\n },\n \"firstSeenAt\": \"2024-12-11T13:11:48.487Z\",\n \"id\": \"19b5cab4-9fdc-49f9-9641-dae9ed9b1c3b\",\n \"lastSeenAt\": \"2024-12-11T13:11:48.487Z\",\n \"name\": \"DCSync Attack Detected\",\n \"process\": null,\n \"rawData\": {\n \"activity_id\": 2,\n \"activity_name\": \"Update\",\n \"attack_surface_ids\": [\n 4\n ],\n \"category_uid\": 2,\n \"class_uid\": 99602001,\n \"confidence_id\": 3,\n \"evidences\": [\n {\n \"actor\": {\n \"user\": {\n\"name\":\"test_user\", \"domain\": \"LAB\"\n }\n },\n \"dst_endpoint\": {\n \"hostname\": \"VM0001\",\n \"ip\": \"5.6.7.8\",\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\"\n },\n \"src_endpoint\": {\n \"hostname\":\"tes.test\", \"ip\": \"1.2.3.4\"\n }\n }\n ],\n \"finding_info\": {\n \"analytic\": {\n \"category\": \"ADSecure-DC\",\n \"type_id\": 1,\n \"uid\": \"ADSecure-DC\"\n },\n \"attacks\": [\n {\n \"tactics\": [\n {\n \"name\": \"Credential Access\",\n \"uid\": \"TA006\"\n }\n ],\n \"technique\": {\n \"name\": \"OS Credential Dumping\",\n \"uid\": \"T1003\"\n },\n \"version\": \"ATT&CK v11\"\n }\n ],\n \"desc\": \"This event is generated when a DCSync attack is detected.\",\n \"first_seen_time\": \"1733922708487\",\n \"internal_uid\": \"d2dfca23-c7c7-409d-840c-cc0702ef7eb7\",\n \"kill_chain\": [\n {\n \"phase_id\": 2\n }\n ],\n \"last_seen_time\": 
\"1733922708487\",\n \"related_events\": [\n {\n \"message\": \"An authorized session has been detected with a certain privilege which could be result of an privilege escalation.\",\n \"severity_id\": 5,\n \"time\": \"1733922708487\",\n \"type\": \"Authorize Session: Other\",\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\"\n }\n ],\n \"title\": \"DCSync Attack Detected\",\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\"\n },\n \"message\": \"This event is generated when a DCSync attack is detected.\",\n \"metadata\": {\n \"extension\": {\n \"name\": \"s1\",\n \"uid\": \"996\",\n \"version\": \"0.1.0\"\n },\n \"product\": {\n \"name\": \"Identity\",\n \"vendor_name\": \"SentinelOne\"\n },\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\",\n \"version\": \"1.1.0-dev\"\n },\n \"raw_data\": \"5001802:Attacker IP=1.2.3.4 Source Port=49970 Target IP=5.6.7.8 Target Port=49155 Severity=14 Domain=LAB userName=john.doe dc_host=VM00001 CA_STATUS=ALERT client_id=xxxxxxx-xxxxxx-xxxx-xxxxxxx subscriberId:6666\",\n \"resources\": [\n {\n \"internal_uid\": \"11111111111111111111111111\",\n \"name\": \"VM0001.LAB\",\n \"s1_metadata\": {\n \"account_id\": \"123123123123123123\",\n \"account_name\": \"EXAMPLE CORP\",\n \"group_id\": \"1234567890\",\n \"group_name\": \"Default Group\",\n \"mgmt_id\": 123123,\n \"scope_id\": \"1234567890\",\n \"scope_level\": \"Group\",\n \"site_id\": \"1234567890\",\n \"site_name\": \"Sekoia.io\"\n },\n \"type\": \"server::other_server::windows_server\",\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\",\n \"version\": \"Microsoft Windows Server 2012 R2 Standard 64-bit\"\n }\n ],\n \"s1_classification_id\": 0,\n \"severity_id\": 5,\n \"status_id\": 1,\n \"time\": \"1733922708487\",\n \"type_name\": \"\",\n \"type_uid\": \"9960200101\",\n \"unmapped\": {},\n \"verdict_detail_id\": 0,\n \"verdict_id\": 0\n },\n \"result\": null,\n \"status\": \"NEW\",\n \"storylineId\": null\n}", + "event": { + "category": "intrusion_detection", + "end": "2024-12-11T13:11:48.487000Z", + 
"kind": "alert", + "provider": "Identity", + "reason": "This event is generated when a DCSync attack is detected.", + "start": "2024-12-11T13:11:48.487000Z", + "type": "info" + }, + "@timestamp": "2024-12-11T13:11:48.487000Z", + "agent": { + "id": "123123123123123", + "version": "AgentVersion1" + }, + "destination": { + "address": "VM0001", + "domain": "VM0001", + "ip": "5.6.7.8" + }, + "host": { + "name": "VM0001.LAB", + "os": { + "family": "UNKNOWN", + "version": "1.1" + } + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "organization": { + "id": "123123123123123123", + "name": "EXAMPLE CORP" + }, + "related": { + "hosts": [ + "VM0001", + "tes.test" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "test_user" + ] + }, + "sentinelone": { + "identity": { + "analystVerdict": "UNDEFINED", + "analyticsCategory": "ADSecure-DC", + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "19b5cab4-9fdc-49f9-9641-dae9ed9b1c3b", + "name": "DCSync Attack Detected", + "siteId": "1234567890", + "siteName": "Sekoia.io", + "status": "NEW" + } + }, + "source": { + "address": "tes.test", + "domain": "tes.test", + "ip": "1.2.3.4", + "subdomain": "tes" + }, + "threat": { + "tactic": { + "id": [ + "TA006" + ], + "name": [ + "Credential Access" + ] + } + }, + "user": { + "name": "test_user" + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_2_detailed.json b/SentinelOne/identity/tests/test_alert_2_detailed.json new file mode 100644 index 000000000..fed8c7e68 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_2_detailed.json 
@@ -0,0 +1,58 @@ +{ + "input": { + "message": "{\n \"analystVerdict\": \"UNDEFINED\",\n \"analytics\": {\n \"category\": \"ThreatPath\"\n },\n \"asset\": {\n \"agentUuid\": null,\n \"agentVersion\": null,\n \"category\": \"Workstation\",\n \"name\": \"Unknown\",\n \"osType\": \"UNKNOWN\",\n \"osVersion\": \"\",\n \"subcategory\": \"Other Workstation\",\n \"type\": \"UNKNOWN\"\n },\n \"assignee\": null,\n \"attackSurfaces\": [\n \"IDENTITY\"\n ],\n \"classification\": \"UNKNOWN\",\n \"confidenceLevel\": \"MALICIOUS\",\n \"description\": \"This event is triggered when a new Privilege Account has been detected in the Active Directory.\",\n \"detectedAt\": \"2024-12-24T05:47:33.726Z\",\n \"detectionSource\": {\n \"product\": \"Identity\"\n },\n \"firstSeenAt\": \"2024-12-24T05:47:33.726Z\",\n \"id\": \"0193f734-d130-773a-815c-fbfe892a2635\",\n \"lastSeenAt\": \"2024-12-24T05:47:33.726Z\",\n \"name\": \"New AD Privilege Accounts Detected\",\n \"process\": null,\n \"rawData\": {\n \"activity_id\": 2,\n \"activity_name\": \"Update\",\n \"attack_surface_ids\": [\n 4\n ],\n \"category_uid\": 2,\n \"class_uid\": 99602001,\n \"confidence_id\": 3,\n \"evidences\": [\n {\n \"actor\": {\n \"user\": {}\n },\n \"dst_endpoint\": {},\n \"src_endpoint\": {}\n }\n ],\n \"finding_info\": {\n \"analytic\": {\n \"category\": \"ThreatPath\",\n \"type_id\": 1,\n \"uid\": \"ThreatPath\"\n },\n \"attacks\": [\n {\n \"tactics\": [\n {\n \"id\": \"xxx-xxx-xxxx\", \"name\": \"Credential Access\",\n \"uid\": \"TA006\"\n }\n ],\n \"technique\": {\n \"name\": \"Exploitation for Credential Access\",\n \"uid\": \"T1212\"\n },\n \"version\": \"ATT&CK v11\"\n }\n ],\n \"desc\": \"This event is triggered when a new Privilege Account has been detected in the Active Directory.\",\n \"first_seen_time\": \"1735026290990\",\n \"internal_uid\": \"316e8d31-9bc5-49b6-a0e2-49f9795bf9e9\",\n \"kill_chain\": [\n {\n \"phase_id\": 0\n }\n ],\n \"last_seen_time\": \"1735026290990\",\n \"title\": \"New AD Privilege 
Accounts Detected\",\n \"uid\": \"316e8d31-9bc5-49b6-a0e2-49f9795bf9e9\"\n },\n \"message\": \"This event is triggered when a new Privilege Account has been detected in the Active Directory.\",\n \"metadata\": {\n \"extension\": {\n \"name\": \"s1\",\n \"uid\": \"996\",\n \"version\": \"0.1.0\"\n },\n \"product\": {\n \"name\": \"Identity\",\n \"vendor_name\": \"SentinelOne\"\n },\n \"uid\": \"316e8d31-9bc5-49b6-a0e2-49f9795bf9e9\",\n \"version\": \"1.1.0-dev\"\n },\n \"raw_data\": \"5006406:AD Privilege Accounts credentials(S1-Local-Admin) detected in domain:LAB, ip:vm00001.lab at timestamp:1733309067716 of severity:8 subscriberId:6666\",\n \"resources\": [\n {\n \"internal_uid\": \"11111111111111111111111111\",\n \"name\": \"VM0001.LAB\",\n \"s1_metadata\": {\n \"account_id\": \"617755838952421242\",\n \"account_name\": \"EXAMPLE CORP\",\n \"group_id\": \"1107851598374945694\",\n \"group_name\": \"Default Group\",\n \"mgmt_id\": 86061,\n \"scope_id\": \"1107851598374945694\",\n \"scope_level\": \"Group\",\n \"site_id\": \"1107851598374945694\",\n \"site_name\": \"Sekoia.io\"\n },\n \"type\": \"server::other_server::windows_server\",\n \"uid\": \"70629f7d-e514-4a71-b88d-28a466d0fa02VM0001\",\n \"version\": \"Microsoft Windows Server 2012 R2 Standard 64-bit\"\n }\n ],\n \"s1_classification_id\": 0,\n \"severity_id\": 3,\n \"status_id\": 1,\n \"time\": \"1735026290990\",\n \"type_name\": \"\",\n \"type_uid\": \"9960200101\",\n \"unmapped\": {},\n \"verdict_detail_id\": 0,\n \"verdict_id\": 0\n },\n \"result\": null,\n \"status\": \"NEW\",\n \"storylineId\": null}" + }, + "expected": { + "message": "{\n \"analystVerdict\": \"UNDEFINED\",\n \"analytics\": {\n \"category\": \"ThreatPath\"\n },\n \"asset\": {\n \"agentUuid\": null,\n \"agentVersion\": null,\n \"category\": \"Workstation\",\n \"name\": \"Unknown\",\n \"osType\": \"UNKNOWN\",\n \"osVersion\": \"\",\n \"subcategory\": \"Other Workstation\",\n \"type\": \"UNKNOWN\"\n },\n \"assignee\": null,\n 
\"attackSurfaces\": [\n \"IDENTITY\"\n ],\n \"classification\": \"UNKNOWN\",\n \"confidenceLevel\": \"MALICIOUS\",\n \"description\": \"This event is triggered when a new Privilege Account has been detected in the Active Directory.\",\n \"detectedAt\": \"2024-12-24T05:47:33.726Z\",\n \"detectionSource\": {\n \"product\": \"Identity\"\n },\n \"firstSeenAt\": \"2024-12-24T05:47:33.726Z\",\n \"id\": \"0193f734-d130-773a-815c-fbfe892a2635\",\n \"lastSeenAt\": \"2024-12-24T05:47:33.726Z\",\n \"name\": \"New AD Privilege Accounts Detected\",\n \"process\": null,\n \"rawData\": {\n \"activity_id\": 2,\n \"activity_name\": \"Update\",\n \"attack_surface_ids\": [\n 4\n ],\n \"category_uid\": 2,\n \"class_uid\": 99602001,\n \"confidence_id\": 3,\n \"evidences\": [\n {\n \"actor\": {\n \"user\": {}\n },\n \"dst_endpoint\": {},\n \"src_endpoint\": {}\n }\n ],\n \"finding_info\": {\n \"analytic\": {\n \"category\": \"ThreatPath\",\n \"type_id\": 1,\n \"uid\": \"ThreatPath\"\n },\n \"attacks\": [\n {\n \"tactics\": [\n {\n \"id\": \"xxx-xxx-xxxx\", \"name\": \"Credential Access\",\n \"uid\": \"TA006\"\n }\n ],\n \"technique\": {\n \"name\": \"Exploitation for Credential Access\",\n \"uid\": \"T1212\"\n },\n \"version\": \"ATT&CK v11\"\n }\n ],\n \"desc\": \"This event is triggered when a new Privilege Account has been detected in the Active Directory.\",\n \"first_seen_time\": \"1735026290990\",\n \"internal_uid\": \"316e8d31-9bc5-49b6-a0e2-49f9795bf9e9\",\n \"kill_chain\": [\n {\n \"phase_id\": 0\n }\n ],\n \"last_seen_time\": \"1735026290990\",\n \"title\": \"New AD Privilege Accounts Detected\",\n \"uid\": \"316e8d31-9bc5-49b6-a0e2-49f9795bf9e9\"\n },\n \"message\": \"This event is triggered when a new Privilege Account has been detected in the Active Directory.\",\n \"metadata\": {\n \"extension\": {\n \"name\": \"s1\",\n \"uid\": \"996\",\n \"version\": \"0.1.0\"\n },\n \"product\": {\n \"name\": \"Identity\",\n \"vendor_name\": \"SentinelOne\"\n },\n \"uid\": 
\"316e8d31-9bc5-49b6-a0e2-49f9795bf9e9\",\n \"version\": \"1.1.0-dev\"\n },\n \"raw_data\": \"5006406:AD Privilege Accounts credentials(S1-Local-Admin) detected in domain:LAB, ip:vm00001.lab at timestamp:1733309067716 of severity:8 subscriberId:6666\",\n \"resources\": [\n {\n \"internal_uid\": \"11111111111111111111111111\",\n \"name\": \"VM0001.LAB\",\n \"s1_metadata\": {\n \"account_id\": \"617755838952421242\",\n \"account_name\": \"EXAMPLE CORP\",\n \"group_id\": \"1107851598374945694\",\n \"group_name\": \"Default Group\",\n \"mgmt_id\": 86061,\n \"scope_id\": \"1107851598374945694\",\n \"scope_level\": \"Group\",\n \"site_id\": \"1107851598374945694\",\n \"site_name\": \"Sekoia.io\"\n },\n \"type\": \"server::other_server::windows_server\",\n \"uid\": \"70629f7d-e514-4a71-b88d-28a466d0fa02VM0001\",\n \"version\": \"Microsoft Windows Server 2012 R2 Standard 64-bit\"\n }\n ],\n \"s1_classification_id\": 0,\n \"severity_id\": 3,\n \"status_id\": 1,\n \"time\": \"1735026290990\",\n \"type_name\": \"\",\n \"type_uid\": \"9960200101\",\n \"unmapped\": {},\n \"verdict_detail_id\": 0,\n \"verdict_id\": 0\n },\n \"result\": null,\n \"status\": \"NEW\",\n \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-12-24T05:47:33.726000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is triggered when a new Privilege Account has been detected in the Active Directory.", + "start": "2024-12-24T05:47:33.726000Z", + "type": "info" + }, + "@timestamp": "2024-12-24T05:47:33.726000Z", + "host": { + "name": "VM0001.LAB", + "os": { + "family": "UNKNOWN" + } + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "organization": { + "id": "617755838952421242", + "name": "EXAMPLE CORP" + }, + "sentinelone": { + "identity": { + "analystVerdict": "UNDEFINED", + "analyticsCategory": "ThreatPath", + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "UNKNOWN", + "confidenceLevel": 
"MALICIOUS", + "id": "0193f734-d130-773a-815c-fbfe892a2635", + "name": "New AD Privilege Accounts Detected", + "siteId": "1107851598374945694", + "siteName": "Sekoia.io", + "status": "NEW" + } + }, + "threat": { + "tactic": { + "id": [ + "TA006" + ], + "name": [ + "Credential Access" + ] + } + } + } +} \ No newline at end of file