[sentinel_one] Change event.kind and adjust some relevant alert fields

packages/sentinel_one/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.0"
+  changes:
+    - description: Set event.kind to alert for Sentinel One Threats.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/3669
 - version: "1.1.0"
   changes:
     - description: Update package to ECS 8.4.0

packages/sentinel_one/data_stream/threat/_dev/test/pipeline/test-pipeline-threat.log-expected.json

@@ -6,10 +6,11 @@
                 "version": "8.4.0"
             },
             "event": {
+                "action": "SentinelOne Cloud",
                 "category": [
                     "malware"
                 ],
-                "kind": "event",
+                "kind": "alert",
                 "original": "{\"agentDetectionInfo\":{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"agentDetectionState\":null,\"agentDomain\":\"WORKGROUP\",\"agentIpV4\":\"10.0.0.1\",\"agentIpV6\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"agentLastLoggedInUpn\":null,\"agentLastLoggedInUserMail\":null,\"agentLastLoggedInUserName\":\"\",\"agentMitigationMode\":\"protect\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentRegisteredAt\":\"2022-04-06T08:26:45.515278Z\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x\",\"cloudProviders\":{},\"externalIp\":\"81.2.69.143\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\"},\"agentRealtimeInfo\":{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activeThreats\":7,\"agentComputerName\":\"test-LINUX\",\"agentDecommissionedAt\":null,\"agentDomain\":\"WORKGROUP\",\"agentId\":\"1234567890123456789\",\"agentInfected\":true,\"agentIsActive\":true,\"agentIsDecommissioned\":false,\"agentMachineType\":\"server\",\"agentMitigationMode\":\"detect\",\"agentNetworkStatus\":\"connected\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentOsType\":\"linux\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x.1234\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"networkInterfaces\":[{\"id\":\"1234567890123456789\",\"inet\":[\"10.0.0.1\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"00-00-5E-00-53-00\"}],\"operationalState\":\"na\",\"rebootRequired\":false,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"storageName\":null,\"storageType\":null,\"userActionsNeeded\":[]},\"containerInfo\":{\"id\":null,\"image\":null,\"labels\":null,\"name\":null},\"id\":\"1234567890123456789\",\"indicators\":[],\"kubernetesInfo\":{\"cluster\":null,\"controllerKind\":null,\"controllerLabels\":null,\"controllerName\":null,\"namespace\":null,\"namespaceLabels\":null,\"node\":null,\"pod\":null,\"podLabels\":null},\"mitigationStatus\":[{\"action\":\"unquarantine\",\"actionsCounters\":{\"failed\":0,\"notFound\":0,\"pendingReboot\":0,\"success\":1,\"total\":1},\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:54:17.198002Z\",\"latestReport\":\"/threats/mitigation-report\",\"mitigationEndedAt\":\"2022-04-06T08:54:17.101000Z\",\"mitigationStartedAt\":\"2022-04-06T08:54:17.101000Z\",\"status\":\"success\"},{\"action\":\"kill\",\"actionsCounters\":null,\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:45:55.303355Z\",\"latestReport\":null,\"mitigationEndedAt\":\"2022-04-06T08:45:55.297364Z\",\"mitigationStartedAt\":\"2022-04-06T08:45:55.297363Z\",\"status\":\"success\"}],\"threatInfo\":{\"analystVerdict\":\"undefined\",\"analystVerdictDescription\":\"Undefined\",\"automaticallyResolved\":false,\"browserType\":null,\"certificateId\":\"\",\"classification\":\"Trojan\",\"classificationSource\":\"Cloud\",\"cloudFilesHashVerdict\":\"black\",\"collectionId\":\"1234567890123456789\",\"confidenceLevel\":\"malicious\",\"createdAt\":\"2022-04-06T08:45:54.519988Z\",\"detectionEngines\":[{\"key\":\"sentinelone_cloud\",\"title\":\"SentinelOne Cloud\"}],\"detectionType\":\"static\",\"engines\":[\"SentinelOne Cloud\"],\"externalTicketExists\":false,\"externalTicketId\":null,\"failedActions\":false,\"fileExtension\":\"EXE\",\"fileExtensionType\":\"Executable\",\"filePath\":\"default.exe\",\"fileSize\":1234,\"fileVerificationType\":\"NotSigned\",\"identifiedAt\":\"2022-04-06T08:45:53.968000Z\",\"incidentStatus\":\"unresolved\",\"incidentStatusDescription\":\"Unresolved\",\"initiatedBy\":\"agent_policy\",\"initiatedByDescription\":\"Agent Policy\",\"initiatingUserId\":null,\"initiatingUsername\":null,\"isFileless\":false,\"isValidCertificate\":false,\"maliciousProcessArguments\":null,\"md5\":null,\"mitigatedPreemptively\":false,\"mitigationStatus\":\"not_mitigated\",\"mitigationStatusDescription\":\"Not mitigated\",\"originatorProcess\":\"default.exe\",\"pendingActions\":false,\"processUser\":\"test user\",\"publisherName\":\"\",\"reachedEventsLimit\":false,\"rebootRequired\":false,\"sha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"sha256\":null,\"storyline\":\"D0XXXXXXXXXXAF4D\",\"threatId\":\"1234567890123456789\",\"threatName\":\"default.exe\",\"updatedAt\":\"2022-04-06T08:54:17.194122Z\"},\"whiteningOptions\":[\"hash\"]}",
                 "type": [
                     "info"
@@ -43,6 +44,9 @@
             "observer": {
                 "version": "21.x.x.1234"
             },
+            "process": {
+                "name": "default.exe"
+            },
             "related": {
                 "hash": [
                     "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"
@@ -245,10 +249,11 @@
                 "version": "8.4.0"
             },
             "event": {
+                "action": "Documents, Scripts,On-Write ABC",
                 "category": [
                     "malware"
                 ],
-                "kind": "event",
+                "kind": "alert",
                 "original": "{\"agentDetectionInfo\":{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"agentDetectionState\":null,\"agentDomain\":\"WORKGROUP\",\"agentIpV4\":\"10.0.0.1\",\"agentIpV6\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"agentLastLoggedInUpn\":null,\"agentLastLoggedInUserMail\":null,\"agentLastLoggedInUserName\":\"\",\"agentMitigationMode\":\"detect\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentRegisteredAt\":\"2022-04-06T08:26:45.515278Z\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x\",\"cloudProviders\":{},\"externalIp\":\"81.2.69.143\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\"},\"agentRealtimeInfo\":{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activeThreats\":7,\"agentComputerName\":\"test-LINUX\",\"agentDecommissionedAt\":null,\"agentDomain\":\"WORKGROUP\",\"agentId\":\"1234567890123456789\",\"agentInfected\":true,\"agentIsActive\":true,\"agentIsDecommissioned\":false,\"agentMachineType\":\"server\",\"agentMitigationMode\":\"detect\",\"agentNetworkStatus\":\"connected\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentOsType\":\"linux\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x.1234\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"networkInterfaces\":[{\"id\":\"1234567890123456789\",\"inet\":[\"10.0.0.1\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"00-00-5E-00-53-00\"}],\"operationalState\":\"na\",\"rebootRequired\":false,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"storageName\":null,\"storageType\":null,\"userActionsNeeded\":[]},\"containerInfo\":{\"id\":null,\"image\":null,\"labels\":null,\"name\":null},\"id\":\"1234567890123456789\",\"indicators\":[{\"category\":\"General\",\"description\":\"Detected by the Static Engine\",\"ids\":[43],\"tactics\":[]},{\"category\":\"Exploitation\",\"description\":\"Document behaves abnormally\",\"ids\":[62],\"tactics\":[{\"name\":\"Execution\",\"source\":\"DEFAULT\",\"techniques\":[{\"link\":\"https://example.com/\",\"name\":\"T1234\"},{\"link\":\"https://example.com/\",\"name\":\"T1234\"},{\"link\":\"https://example.com/\",\"name\":\"T1234\"}]},{\"name\":\"Initial Access\",\"source\":\"DEFAULT\",\"techniques\":[{\"link\":\"https://example.com/\",\"name\":\"T1234\"}]}]},{\"category\":\"Evasion\",\"description\":\"Indirect command was executed\",\"ids\":[427],\"tactics\":[{\"name\":\"Defense Evasion\",\"source\":\"DEFAULT\",\"techniques\":[{\"link\":\"https://example.com/\",\"name\":\"T1234\"},{\"link\":\"https://example.com/\",\"name\":\"T1234\"}]}]},{\"category\":\"Evasion\",\"description\":\"Office program ran macro\",\"ids\":[434],\"tactics\":[{\"name\":\"Execution\",\"source\":\"DEFAULT\",\"techniques\":[{\"link\":\"https://example.com\",\"name\":\"T1234\"}]},{\"name\":\"Initial Access\",\"source\":\"DEFAULT\",\"techniques\":[{\"link\":\"https://example.com\",\"name\":\"T1234\"}]},{\"name\":\"Execution\",\"source\":\"DEFAULT\",\"techniques\":[{\"link\":\"https://example.com\",\"name\":\"T1234\"}]}]},{\"category\":\"Evasion\",\"description\":\"Process wrote to a hidden file section\",\"ids\":[169],\"tactics\":[{\"name\":\"Defense Evasion\",\"source\":\"DEFAULT\",\"techniques\":[{\"link\":\"https://example.com\",\"name\":\"T1234\"}]}]},{\"category\":\"Evasion\",\"description\":\"Suspicious registry key was created\",\"ids\":[171],\"tactics\":[{\"name\":\"Defense Evasion\",\"source\":\"DEFAULT\",\"techniques\":[{\"link\":\"https://example.com\",\"name\":\"T1234\"}]}]}],\"kubernetesInfo\":{\"cluster\":null,\"controllerKind\":null,\"controllerLabels\":null,\"controllerName\":null,\"namespace\":null,\"namespaceLabels\":null,\"node\":null,\"pod\":null,\"podLabels\":null},\"mitigationStatus\":[],\"threatInfo\":{\"analystVerdict\":\"undefined\",\"analystVerdictDescription\":\"Undefined\",\"automaticallyResolved\":false,\"browserType\":null,\"certificateId\":\"\",\"classification\":\"Malware\",\"classificationSource\":\"Static\",\"cloudFilesHashVerdict\":\"black\",\"collectionId\":\"1234567890123456789\",\"confidenceLevel\":\"malicious\",\"createdAt\":\"2022-04-06T08:57:34.744922Z\",\"detectionEngines\":[{\"key\":\"pre_execution\",\"title\":\"On-Write Static AI\"},{\"key\":\"data_files\",\"title\":\"Documents, Scripts\"}],\"detectionType\":\"dynamic\",\"engines\":[\"Documents, Scripts\",\"On-Write ABC\"],\"externalTicketExists\":false,\"externalTicketId\":null,\"failedActions\":false,\"fileExtension\":\"TXT\",\"fileExtensionType\":\"Document\",\"filePath\":\"test/path/user\",\"fileSize\":238592,\"fileVerificationType\":\"NotSigned\",\"identifiedAt\":\"2022-04-06T08:57:34.444000Z\",\"incidentStatus\":\"unresolved\",\"incidentStatusDescription\":\"Unresolved\",\"initiatedBy\":\"agent_policy\",\"initiatedByDescription\":\"Agent Policy\",\"initiatingUserId\":null,\"initiatingUsername\":null,\"isFileless\":false,\"isValidCertificate\":false,\"maliciousProcessArguments\":\"test/path/user\",\"md5\":null,\"mitigatedPreemptively\":false,\"mitigationStatus\":\"not_mitigated\",\"mitigationStatusDescription\":\"Not mitigated\",\"originatorProcess\":\"default.EXE\",\"pendingActions\":false,\"processUser\":\"test_user\",\"publisherName\":\"\",\"reachedEventsLimit\":false,\"rebootRequired\":false,\"sha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"sha256\":null,\"storyline\":\"7XXXXXXXXXDD5A41\",\"threatId\":\"123456789\",\"threatName\":\"Threats\",\"updatedAt\":\"2022-04-06T08:57:37.672873Z\"},\"whiteningOptions\":[\"hash\",\"path\",\"file_type\"]}",
                 "type": [
                     "info"
@@ -282,6 +287,9 @@
             "observer": {
                 "version": "21.x.x.1234"
             },
+            "process": {
+                "name": "default.EXE"
+            },
             "related": {
                 "hash": [
                     "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"

packages/sentinel_one/data_stream/threat/elasticsearch/ingest_pipeline/default.yml

@@ -6,7 +6,7 @@ processors:
       value: '8.4.0'
   - set:
       field: event.kind
-      value: event
+      value: alert
   - set:
       field: event.category
       value: [malware]
@@ -34,6 +34,15 @@ processors:
       formats:
           - ISO8601
       ignore_failure: true
+  - join:
+      field: json.threatInfo.engines
+      target_field: event.action
+      separator: ','
+      ignore_failure: true
+  - set:
+      field: process.name
+      copy_from: json.threatInfo.originatorProcess
+      ignore_empty_value: true
   - rename:
       field: json.agentDetectionInfo.accountId 
       target_field: sentinel_one.threat.detection.account.id
@@ -84,6 +93,11 @@ processors:
       field: json.agentDetectionInfo.agentLastLoggedInUserName   
       target_field: user.name
       ignore_missing: true
+  - set:
+      if: ctx.user?.name == null
+      field: user.name
+      copy_from: json.threatInfo.processUser
+      ignore_empty_value: true
   - append:
       field: related.user
       value: '{{{user.name}}}'

packages/sentinel_one/data_stream/threat/fields/ecs.yml

@@ -30,6 +30,8 @@
   name: message
 - external: ecs
   name: observer.version
+- external: ecs
+  name: process.name
 - external: ecs
   name: related.hash
 - external: ecs

packages/sentinel_one/docs/README.md

@@ -1516,6 +1516,8 @@ An example event for `threat` looks as following:
 | log.offset | Log offset | long |
 | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
 | observer.version | Observer version. | keyword |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
 | related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
 | related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
 | related.ip | All of the IPs seen on your event. | ip |

packages/sentinel_one/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: sentinel_one
 title: SentinelOne
-version: "1.1.0"
+version: "1.2.0"
 license: basic
 description: Collect logs from SentinelOne with Elastic Agent.
 type: integration