[sentinel_one] Enrich events with event.{category,type,outcome}

[vinit-chauhan]

Type of change

• Bug

What does this PR do?

This PR fixes the bug related to the value of event.category and event.type fields are being statically mapped. In this PR we have mapped the values of event.category, event.type and event.outcome based on the activity performed.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

Related issues

• Closes The sentinel_one activity dataset events are miscategorized as "malware" in field event.category #3786

Screenshots

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-08-17T13:38:11.157+0000

• Duration: 17 min 5 sec

Test stats 🧪

Test	Results
Failed	0
Passed	31
Skipped	0
Total	31

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (5/5)	💚
Files	100.0% (5/5)	💚 2.825
Classes	100.0% (5/5)	💚 2.825
Methods	100.0% (71/71)	💚 10.664
Lines	97.97% (2558/2611)	👍 7.059
Conditionals	100.0% (0/0)	💚

[efd6]

I there a reason "Trojan" is not a malware classification? It appears in some of the documents that are now classed as "threat"/"indicator".

[vinit-chauhan]

Oh, yes. Will update it.

[efd6]

This could be made less verbose and made to do less work by assigning a local. Also, since we know ctx.json?.primaryDescription != null, the conditional null derefs are not needed in the later steps.

Suggested change

	else if(ctx.json?.primaryDescription != null){
	if(ctx.json?.primaryDescription?.toLowerCase().contains("logged in")){
	else if(ctx.json?.primaryDescription != null) {
	def description = ctx.json.primaryDescription.toLowerCase();
	if (description.contains("logged in")) {

with similar uses in all the following conditions.

[efd6]

Adjust the indent to match the block.

[andrewkroh]

How about an if (!eventCategory.isEmpty) { ctx.event.category = eventCategory } so that we don't end up with a null in the doc. Same for event.type.

[andrewkroh]

Should these be else if?

[andrewkroh]

Is this meant to be a catch all? Should it be part of a final else block?

[vinit-chauhan]

/test

[efd6]

Suggested change

	if (ctx.json?.threatId != null && ctx.json?.threatId != '') {
	if (ctx.json?.threatId != null && ctx.json.threatId != '') {

[efd6]

[...].contains(null) returns false unless the array list holds a null, so this can be rewritten:

Suggested change

	if (ctx.json?.data?.confidenceLevel != null && ['suspicious', 'malicious'].contains(ctx.json?.data?.confidenceLevel)) {
	if (['suspicious', 'malicious'].contains(ctx.json?.data?.confidenceLevel)) {

[efd6]

Suggested change

	} else if (threat_classification == 'Malware' || threat_classification == 'Ransomware' || threat_classification == 'Trojan' || threat_classification == 'Downloader') {
	} else if ['Malware', 'Ransomware', 'Trojan', 'Downloader'].contains(threat_classification)) {

Maybe similar for above? I have no strong opinion either way for that though.