diff --git a/packages/sentinel_one/_dev/benchmark/rally/application_risk-benchmark.yml b/packages/sentinel_one/_dev/benchmark/rally/application_risk-benchmark.yml
new file mode 100644
index 00000000000..76f370bf3a3
--- /dev/null
+++ b/packages/sentinel_one/_dev/benchmark/rally/application_risk-benchmark.yml
@@ -0,0 +1,14 @@
+---
+description: Benchmark 100000 sentinel_one.application_risk events ingested
+data_stream:
+ name: application_risk
+corpora:
+ generator:
+ total_events: 100000
+ template:
+ type: gotext
+ path: ./applicationrisk-benchmark/template.ndjson
+ config:
+ path: ./applicationrisk-benchmark/config.yml
+ fields:
+ path: ./applicationrisk-benchmark/fields.yml
diff --git a/packages/sentinel_one/_dev/benchmark/rally/applicationrisk-benchmark/config.yml b/packages/sentinel_one/_dev/benchmark/rally/applicationrisk-benchmark/config.yml
new file mode 100644
index 00000000000..2eef35b03ae
--- /dev/null
+++ b/packages/sentinel_one/_dev/benchmark/rally/applicationrisk-benchmark/config.yml
@@ -0,0 +1,88 @@ +fields: + - name: application + cardinality: 1000 + - name: applicationName + cardinality: 10000 + - name: applicationVendor + cardinality: 10 + - name: applicationVersion + cardinality: 10 + - name: baseScore + range: + min: 1 + max: 10 + fuzziness: 0.01 + - name: cveId + cardinality: 1000 + - name: cvssVersion + cardinality: 100 + - name: daysDetected + range: + min: 0 + max: 10000 + cardinality: 1000 + - name: endpointId + range: + min: 100000000000000000 + max: 999999999999999999 + cardinality: 10000 + enum: + - desktop + - laptop + - server + - unknown + - name: endpointName + cardinality: 1000 + - name: endpointType + - name: exploitCodeMaturity + cardinality: 1000 + - name: id + range: + min: 100000000000000000 + max: 999999999999999999 + cardinality: 10000 + - name: lastScanResult + cardinality: 10 + - name: markType + cardinality: 1000 + - name: markedBy + cardinality: 1000 + - name: mitigationStatus + cardinality: 1000 + - name: mitigationStatusChangeTime + cardinality: 1000 + - name: mitigationStatusChangedBy + cardinality: 1000 + - name: mitigationStatusReason + cardinality: 1000 + - name: nvdBaseScore + range: + min: 1 + max: 10 + fuzziness: 0.01 + - name: nvdCvssVersion + cardinality: 1000 + - name: osType + enum: + - linux + - windows + - macos + - windows_legacy + - name: reason + cardinality: 1000 + - name: remediationLevel + cardinality: 1000 + - name: reportConfidence + cardinality: 1000 + - name: riskScore + range: + min: 1 + max: 10 + fuzziness: 0.01 + - name: severity + enum: + - HIGH + - MEDIUM + - LOW + - name: status + cardinality: 10 diff --git a/packages/sentinel_one/_dev/benchmark/rally/applicationrisk-benchmark/fields.yml b/packages/sentinel_one/_dev/benchmark/rally/applicationrisk-benchmark/fields.yml new file mode 100644 index 00000000000..32d9cd41a48 --- /dev/null +++ b/packages/sentinel_one/_dev/benchmark/rally/applicationrisk-benchmark/fields.yml 
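Review bot: The `endpointId` entry carries an `enum` of `desktop`/`laptop`/`server`/`unknown` next to its numeric `range`, while `endpointType` directly below it has no generator settings at all; the enum plainly belongs to `endpointType`, so move it: `- name: endpointType` / `  enum:` / `    - desktop` (and the other three values). As written, which of `range` and `enum` the generator honours for `endpointId` is tool-dependent, and `endpointType` will be filled with arbitrary strings rather than the four values the pipeline can expect. The `severity` enum also lacks `CRITICAL`, which the sample records elsewhere in this PR use, so the benchmark never exercises that value.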
@@ -0,0 +1,58 @@
+- name: application
+ type: keyword
+- name: applicationName
+ type: keyword
+- name: applicationVendor
+ type: keyword
+- name: applicationVersion
+ type: keyword
+- name: baseScore
+ type: float
+- name: cveId
+ type: keyword
+- name: cvssVersion
+ type: keyword
+- name: daysDetected
+ type: long
+- name: endpointId
+ type: keyword
+- name: endpointName
+ type: keyword
+- name: endpointType
+ type: keyword
+- name: exploitCodeMaturity
+ type: keyword
+- name: id
+ type: keyword
+- name: lastScanResult
+ type: keyword
+- name: markType
+ type: keyword
+- name: markedBy
+ type: keyword
+- name: mitigationStatus
+ type: keyword
+- name: mitigationStatusChangeTime
+ type: date
+- name: mitigationStatusChangedBy
+ type: keyword
+- name: mitigationStatusReason
+ type: keyword
+- name: nvdBaseScore
+ type: double
+- name: nvdCvssVersion
+ type: keyword
+- name: osType
+ type: keyword
+- name: reason
+ type: keyword
+- name: remediationLevel
+ type: keyword
+- name: reportConfidence
+ type: keyword
+- name: riskScore
+ type: double
+- name: severity
+ type: keyword
+- name: status
+ type: keyword
diff --git a/packages/sentinel_one/_dev/benchmark/rally/applicationrisk-benchmark/template.ndjson b/packages/sentinel_one/_dev/benchmark/rally/applicationrisk-benchmark/template.ndjson
new file mode 100644
index 00000000000..cc12a02a76d
--- /dev/null
+++ b/packages/sentinel_one/_dev/benchmark/rally/applicationrisk-benchmark/template.ndjson
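Review bot: `baseScore` is declared `float` while `nvdBaseScore` and `riskScore` are `double`; all three hold CVSS scores with two decimals and the same `range`/`fuzziness` settings in config.yml, so one type — `type: double` — keeps the generated values consistent. `endpointId` and `id` are `keyword` here but are given a numeric `range` in config.yml; whether the generator renders a ranged keyword is not visible from this chunk, so confirm against the generator or drop the `range` in favour of `cardinality` alone. `mitigationStatusChangeTime` is typed `date` but has only a `cardinality` in config.yml and is never referenced by the template.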
@@ -0,0 +1,91 @@ +{{- $application := generate "application" }} +{{- $applicationName := generate "applicationName" }} +{{- $applicationVendor := generate "applicationVendor" }} +{{- $applicationVersion := generate "applicationVersion" }} +{{- $baseScore := generate "baseScore" }} +{{- $cveId := generate "cveId" }} +{{- $cvssVersion := generate "cvssVersion" }} +{{- $daysDetected := generate "daysDetected" }} +{{- $endpointId := generate "endpointId" }} +{{- $endpointName := generate "endpointName" }} +{{- $endpointType := generate "endpointType" }} +{{- $exploitCodeMaturity := generate "exploitCodeMaturity" }} +{{- $id := generate "id" }} +{{- $lastScanResult := generate "lastScanResult" }} +{{- $markType := generate "markType" }} +{{- $markedBy := generate "markedBy" }} +{{- $mitigationStatus := generate "mitigationStatus" }} +{{- $mitigationStatusChangedBy := generate "mitigationStatusChangedBy" }} +{{- $mitigationStatusReason := generate "mitigationStatusReason" }} +{{- $nvdBaseScore := generate "nvdBaseScore" }} +{{- $nvdCvssVersion := generate "nvdCvssVersion" }} +{{- $osType := generate "osType" }} +{{- $reason := generate "reason" }} +{{- $remediationLevel := generate "remediationLevel" }} +{{- $reportConfidence := generate "reportConfidence" }} +{{- $riskScore := generate "riskScore" }} +{{- $severity := generate "severity" }} +{{- $status := generate "status" }} +{{- /* +{ + "application": "{{ $application }}", + "applicationName": "{{ $applicationName }}", + "applicationVendor": "{{ $applicationVendor }}", + "applicationVersion": "{{ $applicationVersion }}", + "baseScore": "{{ $baseScore }}", + "cveId": "{{ $cveId }}", + "cvssVersion": "{{ $cvssVersion }}", + "daysDetected": "{{ $daysDetected }}", + "endpointId": "{{ $endpointId }}", + "endpointName": "{{ $endpointName }}", + "endpointType": "{{ $endpointType }}", + "exploitCodeMaturity": "{{ $exploitCodeMaturity }}", + "id": "{{ $id }}", + "lastScanResult": "{{ $lastScanResult }}", + "markType": "{{ 
$markType }}", + "markedBy": "{{ $markedBy }}", + "mitigationStatus": "{{ $mitigationStatus }}", + "mitigationStatusChangedBy": "{{ $mitigationStatusChangedBy }}", + "mitigationStatusReason": "{{ $mitigationStatusReason }}", + "nvdBaseScore": "{{ $nvdBaseScore }}", + "nvdCvssVersion": "{{ $nvdCvssVersion }}", + "osType": "{{ $osType }}", + "reason": "{{ $reason }}", + "remediationLevel": "{{ $remediationLevel }}", + "reportConfidence": "{{ $reportConfidence }}", + "riskScore": "{{ $riskScore }}", + "severity": "{{ $severity }}", + "status": "{{ $status }}" +} +*/ -}} +{ + "agent": { + "ephemeral_id": "cdaaaabb-be7e-432f-816b-bda019fd7c15", + "id": "da6cb4c8-c84c-4c5f-97c7-f8586a098af4", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.18.0" + }, + "data_stream": { + "dataset": "sentinel_one.application_risk", + "namespace": "93724", + "type": "logs" + }, + "elastic_agent": { + "id": "da6cb4c8-c84c-4c5f-97c7-f8586a098af4", + "snapshot": false, + "version": "8.18.0" + }, + "message": "{\"application\": \"{{ $application }}\", \"applicationName\": \"{{ $applicationName }}\", \"applicationVendor\": \"{{ $applicationVendor }}\", \"applicationVersion\": \"{{ $applicationVersion }}\", \"baseScore\": \"{{ $baseScore }}\", \"cveId\": \"{{ $cveId }}\", \"cvssVersion\": \"{{ $cvssVersion }}\", \"daysDetected\": \"{{ $daysDetected }}\", \"endpointId\": \"{{ $endpointId }}\", \"endpointName\": \"{{ $endpointName }}\", \"endpointType\": \"{{ $endpointType }}\", \"exploitCodeMaturity\": \"{{ $exploitCodeMaturity }}\", \"id\": \"{{ $id }}\", \"lastScanResult\": \"{{ $lastScanResult }}\", \"markType\": \"{{ $markType }}\", \"markedBy\": \"{{ $markedBy }}\", \"mitigationStatus\": \"{{ $mitigationStatus }}\", \"mitigationStatusChangedBy\": \"{{ $mitigationStatusChangedBy }}\", \"mitigationStatusReason\": \"{{ $mitigationStatusReason }}\", \"nvdBaseScore\": \"{{ $nvdBaseScore }}\", \"nvdCvssVersion\": \"{{ $nvdCvssVersion }}\", \"osType\": \"{{ $osType }}\", 
\"reason\": \"{{ $reason }}\", \"remediationLevel\": \"{{ $remediationLevel }}\", \"reportConfidence\": \"{{ $reportConfidence }}\", \"riskScore\": \"{{ $riskScore }}\", \"severity\": \"{{ $severity }}\", \"status\": \"{{ $status }}\"}", + "event": { + "dataset": "sentinel_one.application_risk" + }, + "input": { + "type": "cel" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "sentinel_one-application_risk" + ] +} diff --git a/packages/sentinel_one/_dev/build/docs/README.md b/packages/sentinel_one/_dev/build/docs/README.md index 4daee91687c..77c3db52635 100644 --- a/packages/sentinel_one/_dev/build/docs/README.md +++ b/packages/sentinel_one/_dev/build/docs/README.md @@ -73,6 +73,14 @@ This is the `application` dataset. {{fields "application"}} +### application risk + +This is the `application risk` dataset. + +{{event "application_risk"}} + +{{fields "application_risk"}} + ### group This is the `group` dataset. @@ -87,4 +95,4 @@ This is the `threat` dataset. {{event "threat"}} -{{fields "threat"}} \ No newline at end of file +{{fields "threat"}} diff --git a/packages/sentinel_one/_dev/deploy/docker/files/config.yml b/packages/sentinel_one/_dev/deploy/docker/files/config.yml index 415c58e9439..dd45e3a5654 100644 --- a/packages/sentinel_one/_dev/deploy/docker/files/config.yml +++ b/packages/sentinel_one/_dev/deploy/docker/files/config.yml 
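Review bot: The generated `message` omits `detectionDate`, `lastScanDate`, `publishedDate` and `markedDate`, yet the pipeline's expected output in this PR derives `@timestamp` from `lastScanDate`, `event.created` from `detectionDate` and `vulnerability.package.published_date` from `publishedDate`, so the benchmark never exercises the date-parsing path and every document takes whatever fallback timestamp the pipeline applies. Add date generators for those four fields (a `- name: lastScanDate` entry with a `period` in config.yml and `type: date` in fields.yml) and emit them in the message, e.g. `\"lastScanDate\": \"{{ $lastScanDate }}\", \"detectionDate\": \"{{ $detectionDate }}\"`. `markType` and `markedBy` are always populated here although the mock API responses in this PR return `""` and `null` for them in every record, so the benchmark also skews the branch the pipeline most commonly takes. The commented-out JSON block at the top duplicates the message body and will drift from it; consider dropping it.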
@@ -352,3 +352,200 @@ rules: } } `}} + - path: /web/api/v2.1/application-management/risks + methods: ['GET'] + query_params: + limit: 2 + cursor: null + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "application": "7-Zip 22.01", + "applicationName": "7-Zip", + "applicationVendor": "Igor Pavlov", + "applicationVersion": "22.01", + "baseScore": "7.00", + "cveId": "CVE-2025-0411", + "cvssVersion": "3.1", + "daysDetected": 59, + "detectionDate": "2025-06-02T04:46:51.710569Z", + "endpointId": "2162143406517023959", + "endpointName": "test_endpoint", + "endpointType": "desktop", + "id": "2228104980801805822", + "lastScanDate": "2025-07-29T19:25:47Z", + "lastScanResult": "Succeeded", + "markType": "", + "markedBy": null, + "markedDate": null, + "osType": "windows", + "publishedDate": "2025-01-20T07:04:04Z", + "reason": null, + "severity": "HIGH", + "status": "Detected" + }, + { + "application": "7-Zip 22.01", + "applicationName": "7-Zip", + "applicationVendor": "Igor Pavlov", + "applicationVersion": "22.01", + "baseScore": "7.80", + "cveId": "CVE-2024-11477", + "cvssVersion": "3.1", + "daysDetected": 59, + "detectionDate": "2025-06-02T04:46:51.710578Z", + "endpointId": "2162143406517023959", + "endpointName": "example_endpoint", + "endpointType": "desktop", + "id": "2228104981028298282", + "lastScanDate": "2025-07-29T19:25:47Z", + "lastScanResult": "Succeeded", + "markType": "", + "markedBy": null, + "markedDate": null, + "osType": "windows", + "publishedDate": "2024-11-21T06:42:16Z", + "reason": null, + "severity": "HIGH", + "status": "Detected" + } + ], + "pagination": { + "nextCursor": "page2", + "totalItems": 5 + } + } + `}} + - path: /web/api/v2.1/application-management/risks + methods: ['GET'] + query_params: + limit: 2 + cursor: page2 + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 
+ headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "application": "Microsoft Edge 112.0.1722.68", + "applicationName": "Microsoft Edge", + "applicationVendor": "Microsoft Corporation", + "applicationVersion": "112.0.1722.68", + "baseScore": "4.30", + "cveId": "CVE-2024-29057", + "cvssVersion": "3.1", + "daysDetected": 59, + "detectionDate": "2025-06-02T04:46:51.710587Z", + "endpointId": "2162143406517023959", + "endpointName": "DESKTOP-example", + "endpointType": "desktop", + "id": "2228104981036686896", + "lastScanDate": "2025-07-29T19:25:47Z", + "lastScanResult": "Succeeded", + "markType": "", + "markedBy": null, + "markedDate": null, + "osType": "windows", + "publishedDate": "2024-03-22T22:15:00Z", + "reason": null, + "severity": "MEDIUM", + "status": "Detected" + }, + { + "application": "Microsoft Edge 112.0.1722.68", + "applicationName": "Microsoft Edge", + "applicationVendor": "Microsoft Corporation", + "applicationVersion": "112.0.1722.68", + "baseScore": "6.10", + "cveId": "CVE-2024-38156", + "cvssVersion": "3.1", + "daysDetected": 59, + "detectionDate": "2025-06-02T04:46:51.710591Z", + "endpointId": "2162143406517023959", + "endpointName": "DESKTOP-test", + "endpointType": "desktop", + "id": "2228104981070241336", + "lastScanDate": "2025-07-29T19:25:47Z", + "lastScanResult": "Succeeded", + "markType": "", + "markedBy": null, + "markedDate": null, + "osType": "windows", + "publishedDate": "2024-07-18T05:39:23Z", + "reason": null, + "severity": "MEDIUM", + "status": "Detected" + } + ], + "pagination": { + "nextCursor": "page3", + "totalItems": 5 + } + } + `}} + - path: /web/api/v2.1/application-management/risks + methods: ['GET'] + query_params: + limit: 2 + cursor: page3 + request_headers: + Authorization: + - "ApiToken xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "application": "Microsoft Edge 112.0.1722.68", + 
"applicationName": "Microsoft Edge", + "applicationVendor": "Microsoft Corporation", + "applicationVersion": "112.0.1722.68", + "baseScore": "6.50", + "cveId": "CVE-2024-38222", + "cvssVersion": "3.1", + "daysDetected": 59, + "detectionDate": "2025-06-02T04:46:51.710593Z", + "endpointId": "2162143406517023959", + "endpointName": "DESKTOP-R1E2DQ2", + "endpointType": "desktop", + "id": "2228104981095407166", + "lastScanDate": "2025-07-29T19:25:47Z", + "lastScanResult": "Succeeded", + "markType": "", + "markedBy": null, + "markedDate": null, + "osType": "windows", + "publishedDate": "2024-08-13T18:27:28Z", + "reason": null, + "severity": "MEDIUM", + "status": "Detected" + } + ], + "pagination": { + "nextCursor": null, + "totalItems": 5 + } + } + `}} diff --git a/packages/sentinel_one/changelog.yml b/packages/sentinel_one/changelog.yml index 2c54269c209..4d9d4cbd97c 100644 --- a/packages/sentinel_one/changelog.yml +++ b/packages/sentinel_one/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.38.0" + changes: + - description: Add support for application risk data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/14910 - version: "1.37.0" changes: - description: Add support for application data stream. diff --git a/packages/sentinel_one/data_stream/activity/_dev/test/policy/test-all.expected b/packages/sentinel_one/data_stream/activity/_dev/test/policy/test-all.expected index 56804f338e6..5eb0522116d 100644 --- a/packages/sentinel_one/data_stream/activity/_dev/test/policy/test-all.expected +++ b/packages/sentinel_one/data_stream/activity/_dev/test/policy/test-all.expected @@ -12,7 +12,6 @@ inputs: value: '[[.last_event.createdAt]]' data_stream: dataset: sentinel_one.activity - type: logs interval: 30s processors: - add_fields: 
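Review bot: The scrubbing of `endpointName` in the mock responses is incomplete: pages 1 and 2 use placeholders (`test_endpoint`, `example_endpoint`, `DESKTOP-example`, `DESKTOP-test`) while the page-3 record still carries `DESKTOP-R1E2DQ2`, which looks like a real machine name captured from a live tenant and also appears throughout the pipeline test logs; replace it with a placeholder such as `"endpointName": "DESKTOP-test3"`. All five records share `endpointId` `2162143406517023959` yet report five different names, which makes the fixture internally inconsistent for any system test that asserts host fields; one name per endpoint id is what the real API would return. The `id` and `endpointId` values look like real SentinelOne identifiers as well — consider whether they should be replaced before this fixture is published.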
diff --git a/packages/sentinel_one/data_stream/activity/_dev/test/policy/test-default.expected b/packages/sentinel_one/data_stream/activity/_dev/test/policy/test-default.expected index dc30875f4e2..4d111fe108b 100644 --- a/packages/sentinel_one/data_stream/activity/_dev/test/policy/test-default.expected +++ b/packages/sentinel_one/data_stream/activity/_dev/test/policy/test-default.expected @@ -12,7 +12,6 @@ inputs: value: '[[.last_event.createdAt]]' data_stream: dataset: sentinel_one.activity - type: logs interval: 30s publisher_pipeline.disable_host: true request.method: GET diff --git a/packages/sentinel_one/data_stream/agent/_dev/test/policy/test-all.expected b/packages/sentinel_one/data_stream/agent/_dev/test/policy/test-all.expected index 6bdd653e681..01a34ffbb3c 100644 --- a/packages/sentinel_one/data_stream/agent/_dev/test/policy/test-all.expected +++ b/packages/sentinel_one/data_stream/agent/_dev/test/policy/test-all.expected @@ -12,7 +12,6 @@ inputs: value: '[[.last_event.updatedAt]]' data_stream: dataset: sentinel_one.agent - type: logs interval: 30s processors: - add_fields: diff --git a/packages/sentinel_one/data_stream/agent/_dev/test/policy/test-default.expected b/packages/sentinel_one/data_stream/agent/_dev/test/policy/test-default.expected index 672ec98cef5..e746921b302 100644 --- a/packages/sentinel_one/data_stream/agent/_dev/test/policy/test-default.expected +++ b/packages/sentinel_one/data_stream/agent/_dev/test/policy/test-default.expected @@ -12,7 +12,6 @@ inputs: value: '[[.last_event.updatedAt]]' data_stream: dataset: sentinel_one.agent - type: logs interval: 30s publisher_pipeline.disable_host: true request.method: GET diff --git a/packages/sentinel_one/data_stream/alert/_dev/test/policy/test-all.expected b/packages/sentinel_one/data_stream/alert/_dev/test/policy/test-all.expected index fb4afd41ef8..29cebb8e610 100644 --- a/packages/sentinel_one/data_stream/alert/_dev/test/policy/test-all.expected 
+++ b/packages/sentinel_one/data_stream/alert/_dev/test/policy/test-all.expected @@ -12,7 +12,6 @@ inputs: value: '[[.last_event.alertInfo.createdAt]]' data_stream: dataset: sentinel_one.alert - type: logs interval: 30s processors: - add_fields: diff --git a/packages/sentinel_one/data_stream/alert/_dev/test/policy/test-default.expected b/packages/sentinel_one/data_stream/alert/_dev/test/policy/test-default.expected index 7ac30ae8b76..746d2cd968c 100644 --- a/packages/sentinel_one/data_stream/alert/_dev/test/policy/test-default.expected +++ b/packages/sentinel_one/data_stream/alert/_dev/test/policy/test-default.expected @@ -12,7 +12,6 @@ inputs: value: '[[.last_event.alertInfo.createdAt]]' data_stream: dataset: sentinel_one.alert - type: logs interval: 30s publisher_pipeline.disable_host: true request.method: GET diff --git a/packages/sentinel_one/data_stream/application/_dev/test/policy/test-all.expected b/packages/sentinel_one/data_stream/application/_dev/test/policy/test-all.expected index 1daf8b8b164..8762fa8a2bd 100644 --- a/packages/sentinel_one/data_stream/application/_dev/test/policy/test-all.expected +++ b/packages/sentinel_one/data_stream/application/_dev/test/policy/test-all.expected @@ -9,7 +9,6 @@ inputs: - config_version: 2 data_stream: dataset: sentinel_one.application - type: logs interval: 30s processors: - add_fields: diff --git a/packages/sentinel_one/data_stream/application/_dev/test/policy/test-default.expected b/packages/sentinel_one/data_stream/application/_dev/test/policy/test-default.expected index 0598338d348..49575a11936 100644 --- a/packages/sentinel_one/data_stream/application/_dev/test/policy/test-default.expected +++ b/packages/sentinel_one/data_stream/application/_dev/test/policy/test-default.expected @@ -9,7 +9,6 @@ inputs: - config_version: 2 data_stream: dataset: sentinel_one.application - type: logs interval: 24h program: |- ( 
diff --git a/packages/sentinel_one/data_stream/application/manifest.yml b/packages/sentinel_one/data_stream/application/manifest.yml index 50d618c52c7..d14335283c2 100644 --- a/packages/sentinel_one/data_stream/application/manifest.yml +++ b/packages/sentinel_one/data_stream/application/manifest.yml @@ -1,5 +1,6 @@ title: Collect Application logs from SentinelOne type: logs +ilm_policy: logs-sentinel_one.application-default_policy streams: - input: cel title: Application logs diff --git a/packages/sentinel_one/data_stream/application_risk/_dev/benchmark/pipeline/application-risk-sample.log b/packages/sentinel_one/data_stream/application_risk/_dev/benchmark/pipeline/application-risk-sample.log new file mode 100644 index 00000000000..af4f8c05050 --- /dev/null +++ b/packages/sentinel_one/data_stream/application_risk/_dev/benchmark/pipeline/application-risk-sample.log 
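Review bot: The added `ilm_policy: logs-sentinel_one.application-default_policy` changes the existing `application` data stream, which the changelog entry in this PR ("Add support for application risk data stream") does not mention, and no policy definition under that name is visible in this chunk. If the policy file is added elsewhere in the PR, add a second changelog entry such as `- description: Set an ILM policy for the application data stream.`; if it is not, the reference may fail package validation and should be dropped from this PR. The `type: logs` removals in the `test-*.expected` files look like regenerated output and are fine.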
@@ -0,0 +1,10 @@ +{"application":"7-Zip 22.01","applicationName":"7-Zip","applicationVendor":"Igor Pavlov","applicationVersion":"22.01","baseScore":"7.00","cveId":"CVE-2025-0411","cvssVersion":"3.1","daysDetected":59,"detectionDate":"2025-06-02T04:46:51.710569Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2228104980801805822","lastScanDate":"2025-07-29T19:25:47Z","lastScanResult":"Succeeded","markType":"","markedBy":"abc_host","markedDate":"2025-01-20T07:04:04Z","osType":"windows","publishedDate":"2025-01-20T07:04:04Z","reason":"xyz","severity":"HIGH","status":"Detected"} +{"application":"Microsoft Edge 112.0.1722.68","applicationName":"Microsoft Edge","applicationVendor":"Microsoft Corporation","applicationVersion":"112.0.1722.68","baseScore":"4.30","cveId":"CVE-2024-29057","cvssVersion":"3.1","daysDetected":59,"detectionDate":"2025-06-02T04:46:51.710587Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2228104981036686896","lastScanDate":"2025-07-29T19:25:47Z","lastScanResult":"Succeeded","markType":"","markedBy":null,"markedDate":null,"osType":"windows","publishedDate":"2024-03-22T22:15:00Z","reason":null,"severity":"MEDIUM","status":"Detected"} +{"application":"Microsoft Edge WebView2 Runtime 112.0.1722.64","applicationName":"Microsoft Edge WebView2 Runtime","applicationVendor":"Microsoft Corporation","applicationVersion":"112.0.1722.64","baseScore":"4.70","cveId":"CVE-2024-26247","cvssVersion":"3.1","daysDetected":59,"detectionDate":"2025-06-02T04:46:51.710624Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2228104981154127438","lastScanDate":"2025-07-29T19:25:47Z","lastScanResult":"Succeeded","markType":"","markedBy":null,"markedDate":null,"osType":"windows","publishedDate":"2024-03-22T22:15:00Z","reason":null,"severity":"MEDIUM","status":"Detected"} +{"application":"VMware Tools 
10.3.10.12406962","applicationName":"VMware Tools","applicationVendor":"VMware, Inc.","applicationVersion":"10.3.10.12406962","baseScore":"7.10","cveId":"CVE-2022-22977","cvssVersion":"3.1","daysDetected":59,"detectionDate":"2025-06-02T04:46:51.710668Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2228104981196070492","lastScanDate":"2025-07-29T19:25:47Z","lastScanResult":"Succeeded","markType":"abcd","markedBy":null,"markedDate":null,"osType":"windows","publishedDate":"2022-05-24T19:15:00Z","reason":null,"severity":"HIGH","status":"Detected"} +{"application":"PuTTY release 0.77.0.0","applicationName":"PuTTY release","applicationVendor":"Simon Tatham","applicationVersion":"0.77.0.0","baseScore":"5.90","cveId":"CVE-2024-31497","cvssVersion":"3.1","daysDetected":10,"detectionDate":"2025-07-21T18:00:44.231765Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2264018562208952766","lastScanDate":"2025-07-29T19:25:47Z","lastScanResult":"Succeeded","markType":"","markedBy":null,"markedDate":null,"osType":"windows","publishedDate":"2024-04-15T20:15:00Z","reason":null,"severity":"MEDIUM","status":"Detected"} +{"application":"7-Zip 22.01","applicationName":"7-Zip","applicationVendor":"Igor Pavlov","applicationVersion":"22.01","baseScore":"7.80","cveId":"CVE-2024-11477","cvssVersion":"3.1","daysDetected":72,"detectionDate":"2025-06-02T04:46:51.710578Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2228104981028298282","lastScanDate":"2025-08-11T18:02:20Z","lastScanResult":"Succeeded","markType":"","markedBy":null,"markedDate":null,"osType":"windows","publishedDate":"2024-11-21T06:42:16Z","reason":null,"severity":"HIGH","status":"Detected"} +{"application":"Microsoft Edge 112.0.1722.68","applicationName":"Microsoft Edge","applicationVendor":"Microsoft 
Corporation","applicationVersion":"112.0.1722.68","baseScore":"6.10","cveId":"CVE-2024-38156","cvssVersion":"3.1","daysDetected":72,"detectionDate":"2025-06-02T04:46:51.710591Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2228104981070241336","lastScanDate":"2025-08-11T18:02:20Z","lastScanResult":"Succeeded","markType":"","markedBy":null,"markedDate":null,"osType":"windows","publishedDate":"2024-07-18T05:39:23Z","reason":null,"severity":"MEDIUM","status":"Detected"} +{"application":"Microsoft Edge 112.0.1722.68","applicationName":"Microsoft Edge","applicationVendor":"Microsoft Corporation","applicationVersion":"112.0.1722.68","baseScore":"6.50","cveId":"CVE-2024-38222","cvssVersion":"3.1","daysDetected":72,"detectionDate":"2025-06-02T04:46:51.710593Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2228104981095407166","lastScanDate":"2025-08-11T18:02:20Z","lastScanResult":"Succeeded","markType":"","markedBy":null,"markedDate":null,"osType":"windows","publishedDate":"2024-08-13T18:27:28Z","reason":null,"severity":"MEDIUM","status":"Detected"} +{"application":"Microsoft Edge 112.0.1722.68","applicationName":"Microsoft Edge","applicationVendor":"Microsoft Corporation","applicationVersion":"112.0.1722.68","baseScore":"9.60","cveId":"CVE-2024-7971","cvssVersion":"3.1","daysDetected":72,"detectionDate":"2025-06-02T04:46:51.710604Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2228104981128961604","lastScanDate":"2025-08-11T18:02:20Z","lastScanResult":"Succeeded","markType":"","markedBy":null,"markedDate":null,"osType":"windows","publishedDate":"2024-08-21T21:15:00Z","reason":null,"severity":"CRITICAL","status":"Detected"} +{"application":"Microsoft Edge 112.0.1722.68","applicationName":"Microsoft Edge","applicationVendor":"Microsoft 
Corporation","applicationVersion":"112.0.1722.68","baseScore":"4.70","cveId":"CVE-2024-38082","cvssVersion":"3.1","daysDetected":72,"detectionDate":"2025-06-02T04:46:51.710607Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2228104981137350215","lastScanDate":"2025-08-11T18:02:20Z","lastScanResult":"Succeeded","markType":"","markedBy":null,"markedDate":null,"osType":"windows","publishedDate":"2024-06-20T20:15:00Z","reason":null,"severity":"MEDIUM","status":"Detected"} diff --git a/packages/sentinel_one/data_stream/application_risk/_dev/benchmark/pipeline/config.yml b/packages/sentinel_one/data_stream/application_risk/_dev/benchmark/pipeline/config.yml new file mode 100644 index 00000000000..30a2b50cf64 --- /dev/null +++ b/packages/sentinel_one/data_stream/application_risk/_dev/benchmark/pipeline/config.yml @@ -0,0 +1 @@ +num_docs: 10000 diff --git a/packages/sentinel_one/data_stream/application_risk/_dev/test/pipeline/test-application-risk.log b/packages/sentinel_one/data_stream/application_risk/_dev/test/pipeline/test-application-risk.log new file mode 100644 index 00000000000..af4f8c05050 --- /dev/null +++ b/packages/sentinel_one/data_stream/application_risk/_dev/test/pipeline/test-application-risk.log 
@@ -0,0 +1,10 @@ +{"application":"7-Zip 22.01","applicationName":"7-Zip","applicationVendor":"Igor Pavlov","applicationVersion":"22.01","baseScore":"7.00","cveId":"CVE-2025-0411","cvssVersion":"3.1","daysDetected":59,"detectionDate":"2025-06-02T04:46:51.710569Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2228104980801805822","lastScanDate":"2025-07-29T19:25:47Z","lastScanResult":"Succeeded","markType":"","markedBy":"abc_host","markedDate":"2025-01-20T07:04:04Z","osType":"windows","publishedDate":"2025-01-20T07:04:04Z","reason":"xyz","severity":"HIGH","status":"Detected"} +{"application":"Microsoft Edge 112.0.1722.68","applicationName":"Microsoft Edge","applicationVendor":"Microsoft Corporation","applicationVersion":"112.0.1722.68","baseScore":"4.30","cveId":"CVE-2024-29057","cvssVersion":"3.1","daysDetected":59,"detectionDate":"2025-06-02T04:46:51.710587Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2228104981036686896","lastScanDate":"2025-07-29T19:25:47Z","lastScanResult":"Succeeded","markType":"","markedBy":null,"markedDate":null,"osType":"windows","publishedDate":"2024-03-22T22:15:00Z","reason":null,"severity":"MEDIUM","status":"Detected"} +{"application":"Microsoft Edge WebView2 Runtime 112.0.1722.64","applicationName":"Microsoft Edge WebView2 Runtime","applicationVendor":"Microsoft Corporation","applicationVersion":"112.0.1722.64","baseScore":"4.70","cveId":"CVE-2024-26247","cvssVersion":"3.1","daysDetected":59,"detectionDate":"2025-06-02T04:46:51.710624Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2228104981154127438","lastScanDate":"2025-07-29T19:25:47Z","lastScanResult":"Succeeded","markType":"","markedBy":null,"markedDate":null,"osType":"windows","publishedDate":"2024-03-22T22:15:00Z","reason":null,"severity":"MEDIUM","status":"Detected"} +{"application":"VMware Tools 
10.3.10.12406962","applicationName":"VMware Tools","applicationVendor":"VMware, Inc.","applicationVersion":"10.3.10.12406962","baseScore":"7.10","cveId":"CVE-2022-22977","cvssVersion":"3.1","daysDetected":59,"detectionDate":"2025-06-02T04:46:51.710668Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2228104981196070492","lastScanDate":"2025-07-29T19:25:47Z","lastScanResult":"Succeeded","markType":"abcd","markedBy":null,"markedDate":null,"osType":"windows","publishedDate":"2022-05-24T19:15:00Z","reason":null,"severity":"HIGH","status":"Detected"} +{"application":"PuTTY release 0.77.0.0","applicationName":"PuTTY release","applicationVendor":"Simon Tatham","applicationVersion":"0.77.0.0","baseScore":"5.90","cveId":"CVE-2024-31497","cvssVersion":"3.1","daysDetected":10,"detectionDate":"2025-07-21T18:00:44.231765Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2264018562208952766","lastScanDate":"2025-07-29T19:25:47Z","lastScanResult":"Succeeded","markType":"","markedBy":null,"markedDate":null,"osType":"windows","publishedDate":"2024-04-15T20:15:00Z","reason":null,"severity":"MEDIUM","status":"Detected"} +{"application":"7-Zip 22.01","applicationName":"7-Zip","applicationVendor":"Igor Pavlov","applicationVersion":"22.01","baseScore":"7.80","cveId":"CVE-2024-11477","cvssVersion":"3.1","daysDetected":72,"detectionDate":"2025-06-02T04:46:51.710578Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2228104981028298282","lastScanDate":"2025-08-11T18:02:20Z","lastScanResult":"Succeeded","markType":"","markedBy":null,"markedDate":null,"osType":"windows","publishedDate":"2024-11-21T06:42:16Z","reason":null,"severity":"HIGH","status":"Detected"} +{"application":"Microsoft Edge 112.0.1722.68","applicationName":"Microsoft Edge","applicationVendor":"Microsoft 
Corporation","applicationVersion":"112.0.1722.68","baseScore":"6.10","cveId":"CVE-2024-38156","cvssVersion":"3.1","daysDetected":72,"detectionDate":"2025-06-02T04:46:51.710591Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2228104981070241336","lastScanDate":"2025-08-11T18:02:20Z","lastScanResult":"Succeeded","markType":"","markedBy":null,"markedDate":null,"osType":"windows","publishedDate":"2024-07-18T05:39:23Z","reason":null,"severity":"MEDIUM","status":"Detected"} +{"application":"Microsoft Edge 112.0.1722.68","applicationName":"Microsoft Edge","applicationVendor":"Microsoft Corporation","applicationVersion":"112.0.1722.68","baseScore":"6.50","cveId":"CVE-2024-38222","cvssVersion":"3.1","daysDetected":72,"detectionDate":"2025-06-02T04:46:51.710593Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2228104981095407166","lastScanDate":"2025-08-11T18:02:20Z","lastScanResult":"Succeeded","markType":"","markedBy":null,"markedDate":null,"osType":"windows","publishedDate":"2024-08-13T18:27:28Z","reason":null,"severity":"MEDIUM","status":"Detected"} +{"application":"Microsoft Edge 112.0.1722.68","applicationName":"Microsoft Edge","applicationVendor":"Microsoft Corporation","applicationVersion":"112.0.1722.68","baseScore":"9.60","cveId":"CVE-2024-7971","cvssVersion":"3.1","daysDetected":72,"detectionDate":"2025-06-02T04:46:51.710604Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2228104981128961604","lastScanDate":"2025-08-11T18:02:20Z","lastScanResult":"Succeeded","markType":"","markedBy":null,"markedDate":null,"osType":"windows","publishedDate":"2024-08-21T21:15:00Z","reason":null,"severity":"CRITICAL","status":"Detected"} +{"application":"Microsoft Edge 112.0.1722.68","applicationName":"Microsoft Edge","applicationVendor":"Microsoft 
Corporation","applicationVersion":"112.0.1722.68","baseScore":"4.70","cveId":"CVE-2024-38082","cvssVersion":"3.1","daysDetected":72,"detectionDate":"2025-06-02T04:46:51.710607Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2228104981137350215","lastScanDate":"2025-08-11T18:02:20Z","lastScanResult":"Succeeded","markType":"","markedBy":null,"markedDate":null,"osType":"windows","publishedDate":"2024-06-20T20:15:00Z","reason":null,"severity":"MEDIUM","status":"Detected"} diff --git a/packages/sentinel_one/data_stream/application_risk/_dev/test/pipeline/test-application-risk.log-expected.json b/packages/sentinel_one/data_stream/application_risk/_dev/test/pipeline/test-application-risk.log-expected.json new file mode 100644 index 00000000000..de7155c065e --- /dev/null +++ b/packages/sentinel_one/data_stream/application_risk/_dev/test/pipeline/test-application-risk.log-expected.json 
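Review bot: The first record uses `"markedBy":"abc_host"`, a value that reads like a hostname, and the expected output in this PR maps it to `host.name` while `endpointName` goes to `resource.name`; by its name `markedBy` is the user who marked the risk, so a host-like fixture value masks what looks like a mis-mapping. Use a user-like value, e.g. `"markedBy":"analyst@example.com"`, so the resulting `host.name` stands out in the expected output and can be reviewed against the pipeline, which is outside this chunk. This file is byte-identical to the benchmark sample (same blob `af4f8c05050`), so any fixture change should be applied to both; the `DESKTOP-R1E2DQ2` endpoint name in every record also looks like a real machine name that the docker mock data partially scrubbed.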
@@ -0,0 +1,730 @@ +{ + "expected": [ + { + "@timestamp": "2025-07-29T19:25:47.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2025-06-02T04:46:51.710Z", + "id": "2228104980801805822", + "kind": "state", + "original": "{\"application\":\"7-Zip 22.01\",\"applicationName\":\"7-Zip\",\"applicationVendor\":\"Igor Pavlov\",\"applicationVersion\":\"22.01\",\"baseScore\":\"7.00\",\"cveId\":\"CVE-2025-0411\",\"cvssVersion\":\"3.1\",\"daysDetected\":59,\"detectionDate\":\"2025-06-02T04:46:51.710569Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"DESKTOP-R1E2DQ2\",\"endpointType\":\"desktop\",\"id\":\"2228104980801805822\",\"lastScanDate\":\"2025-07-29T19:25:47Z\",\"lastScanResult\":\"Succeeded\",\"markType\":\"\",\"markedBy\":\"abc_host\",\"markedDate\":\"2025-01-20T07:04:04Z\",\"osType\":\"windows\",\"publishedDate\":\"2025-01-20T07:04:04Z\",\"reason\":\"xyz\",\"severity\":\"HIGH\",\"status\":\"Detected\"}", + "outcome": "success", + "reason": "xyz", + "severity": 73, + "type": [ + "info" + ] + }, + "host": { + "id": "2162143406517023959", + "name": "abc_host", + "os": { + "type": "windows" + }, + "type": "desktop" + }, + "package": { + "name": "7-Zip", + "version": "22.01" + }, + "resource": { + "id": "2162143406517023959", + "name": "DESKTOP-R1E2DQ2" + }, + "sentinel_one": { + "application_risk": { + "application": "7-Zip 22.01", + "application_name": "7-Zip", + "application_vendor": "Igor Pavlov", + "application_version": "22.01", + "base_score": 7.0, + "cve_id": "CVE-2025-0411", + "cvss_version": "3.1", + "days_detected": 59, + "detection_date": "2025-06-02T04:46:51.710Z", + "endpoint_id": "2162143406517023959", + "endpoint_name": "DESKTOP-R1E2DQ2", + "endpoint_type": "desktop", + "id": "2228104980801805822", + "last_scan_date": "2025-07-29T19:25:47.000Z", + "last_scan_result": "Succeeded", + "marked_by": "abc_host", + "marked_date": "2025-01-20T07:04:04.000Z", + "os_type": "windows", + 
"published_date": "2025-01-20T07:04:04.000Z", + "reason": "xyz", + "severity": "HIGH", + "status": "Detected" + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "cve": "CVE-2025-0411", + "id": "CVE-2025-0411", + "package": { + "published_date": "2025-01-20T07:04:04.000Z" + }, + "score": { + "base": 7.0, + "version": "3.1" + } + } + }, + { + "@timestamp": "2025-07-29T19:25:47.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2025-06-02T04:46:51.710Z", + "id": "2228104981036686896", + "kind": "state", + "original": "{\"application\":\"Microsoft Edge 112.0.1722.68\",\"applicationName\":\"Microsoft Edge\",\"applicationVendor\":\"Microsoft Corporation\",\"applicationVersion\":\"112.0.1722.68\",\"baseScore\":\"4.30\",\"cveId\":\"CVE-2024-29057\",\"cvssVersion\":\"3.1\",\"daysDetected\":59,\"detectionDate\":\"2025-06-02T04:46:51.710587Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"DESKTOP-R1E2DQ2\",\"endpointType\":\"desktop\",\"id\":\"2228104981036686896\",\"lastScanDate\":\"2025-07-29T19:25:47Z\",\"lastScanResult\":\"Succeeded\",\"markType\":\"\",\"markedBy\":null,\"markedDate\":null,\"osType\":\"windows\",\"publishedDate\":\"2024-03-22T22:15:00Z\",\"reason\":null,\"severity\":\"MEDIUM\",\"status\":\"Detected\"}", + "outcome": "success", + "severity": 47, + "type": [ + "info" + ] + }, + "host": { + "id": "2162143406517023959", + "os": { + "type": "windows" + }, + "type": "desktop" + }, + "package": { + "name": "Microsoft Edge", + "version": "112.0.1722.68" + }, + "resource": { + "id": "2162143406517023959", + "name": "DESKTOP-R1E2DQ2" + }, + "sentinel_one": { + "application_risk": { + "application": "Microsoft Edge 112.0.1722.68", + "application_name": "Microsoft Edge", + "application_vendor": "Microsoft Corporation", + "application_version": "112.0.1722.68", + "base_score": 4.3, + "cve_id": "CVE-2024-29057", + "cvss_version": "3.1", + "days_detected": 59, + 
"detection_date": "2025-06-02T04:46:51.710Z", + "endpoint_id": "2162143406517023959", + "endpoint_name": "DESKTOP-R1E2DQ2", + "endpoint_type": "desktop", + "id": "2228104981036686896", + "last_scan_date": "2025-07-29T19:25:47.000Z", + "last_scan_result": "Succeeded", + "os_type": "windows", + "published_date": "2024-03-22T22:15:00.000Z", + "severity": "MEDIUM", + "status": "Detected" + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "cve": "CVE-2024-29057", + "id": "CVE-2024-29057", + "package": { + "published_date": "2024-03-22T22:15:00.000Z" + }, + "score": { + "base": 4.3, + "version": "3.1" + } + } + }, + { + "@timestamp": "2025-07-29T19:25:47.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2025-06-02T04:46:51.710Z", + "id": "2228104981154127438", + "kind": "state", + "original": "{\"application\":\"Microsoft Edge WebView2 Runtime 112.0.1722.64\",\"applicationName\":\"Microsoft Edge WebView2 Runtime\",\"applicationVendor\":\"Microsoft Corporation\",\"applicationVersion\":\"112.0.1722.64\",\"baseScore\":\"4.70\",\"cveId\":\"CVE-2024-26247\",\"cvssVersion\":\"3.1\",\"daysDetected\":59,\"detectionDate\":\"2025-06-02T04:46:51.710624Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"DESKTOP-R1E2DQ2\",\"endpointType\":\"desktop\",\"id\":\"2228104981154127438\",\"lastScanDate\":\"2025-07-29T19:25:47Z\",\"lastScanResult\":\"Succeeded\",\"markType\":\"\",\"markedBy\":null,\"markedDate\":null,\"osType\":\"windows\",\"publishedDate\":\"2024-03-22T22:15:00Z\",\"reason\":null,\"severity\":\"MEDIUM\",\"status\":\"Detected\"}", + "outcome": "success", + "severity": 47, + "type": [ + "info" + ] + }, + "host": { + "id": "2162143406517023959", + "os": { + "type": "windows" + }, + "type": "desktop" + }, + "package": { + "name": "Microsoft Edge WebView2 Runtime", + "version": "112.0.1722.64" + }, + "resource": { + "id": "2162143406517023959", + "name": "DESKTOP-R1E2DQ2" + 
}, + "sentinel_one": { + "application_risk": { + "application": "Microsoft Edge WebView2 Runtime 112.0.1722.64", + "application_name": "Microsoft Edge WebView2 Runtime", + "application_vendor": "Microsoft Corporation", + "application_version": "112.0.1722.64", + "base_score": 4.7, + "cve_id": "CVE-2024-26247", + "cvss_version": "3.1", + "days_detected": 59, + "detection_date": "2025-06-02T04:46:51.710Z", + "endpoint_id": "2162143406517023959", + "endpoint_name": "DESKTOP-R1E2DQ2", + "endpoint_type": "desktop", + "id": "2228104981154127438", + "last_scan_date": "2025-07-29T19:25:47.000Z", + "last_scan_result": "Succeeded", + "os_type": "windows", + "published_date": "2024-03-22T22:15:00.000Z", + "severity": "MEDIUM", + "status": "Detected" + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "cve": "CVE-2024-26247", + "id": "CVE-2024-26247", + "package": { + "published_date": "2024-03-22T22:15:00.000Z" + }, + "score": { + "base": 4.7, + "version": "3.1" + } + } + }, + { + "@timestamp": "2025-07-29T19:25:47.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2025-06-02T04:46:51.710Z", + "id": "2228104981196070492", + "kind": "state", + "original": "{\"application\":\"VMware Tools 10.3.10.12406962\",\"applicationName\":\"VMware Tools\",\"applicationVendor\":\"VMware, Inc.\",\"applicationVersion\":\"10.3.10.12406962\",\"baseScore\":\"7.10\",\"cveId\":\"CVE-2022-22977\",\"cvssVersion\":\"3.1\",\"daysDetected\":59,\"detectionDate\":\"2025-06-02T04:46:51.710668Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"DESKTOP-R1E2DQ2\",\"endpointType\":\"desktop\",\"id\":\"2228104981196070492\",\"lastScanDate\":\"2025-07-29T19:25:47Z\",\"lastScanResult\":\"Succeeded\",\"markType\":\"abcd\",\"markedBy\":null,\"markedDate\":null,\"osType\":\"windows\",\"publishedDate\":\"2022-05-24T19:15:00Z\",\"reason\":null,\"severity\":\"HIGH\",\"status\":\"Detected\"}", + "outcome": "success", 
+ "severity": 73, + "type": [ + "info" + ] + }, + "host": { + "id": "2162143406517023959", + "os": { + "type": "windows" + }, + "type": "desktop" + }, + "package": { + "name": "VMware Tools", + "version": "10.3.10.12406962" + }, + "resource": { + "id": "2162143406517023959", + "name": "DESKTOP-R1E2DQ2" + }, + "sentinel_one": { + "application_risk": { + "application": "VMware Tools 10.3.10.12406962", + "application_name": "VMware Tools", + "application_vendor": "VMware, Inc.", + "application_version": "10.3.10.12406962", + "base_score": 7.1, + "cve_id": "CVE-2022-22977", + "cvss_version": "3.1", + "days_detected": 59, + "detection_date": "2025-06-02T04:46:51.710Z", + "endpoint_id": "2162143406517023959", + "endpoint_name": "DESKTOP-R1E2DQ2", + "endpoint_type": "desktop", + "id": "2228104981196070492", + "last_scan_date": "2025-07-29T19:25:47.000Z", + "last_scan_result": "Succeeded", + "mark_type": "abcd", + "os_type": "windows", + "published_date": "2022-05-24T19:15:00.000Z", + "severity": "HIGH", + "status": "Detected" + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "cve": "CVE-2022-22977", + "id": "CVE-2022-22977", + "package": { + "published_date": "2022-05-24T19:15:00.000Z" + }, + "score": { + "base": 7.1, + "version": "3.1" + } + } + }, + { + "@timestamp": "2025-07-29T19:25:47.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2025-07-21T18:00:44.231Z", + "id": "2264018562208952766", + "kind": "state", + "original": "{\"application\":\"PuTTY release 0.77.0.0\",\"applicationName\":\"PuTTY release\",\"applicationVendor\":\"Simon 
Tatham\",\"applicationVersion\":\"0.77.0.0\",\"baseScore\":\"5.90\",\"cveId\":\"CVE-2024-31497\",\"cvssVersion\":\"3.1\",\"daysDetected\":10,\"detectionDate\":\"2025-07-21T18:00:44.231765Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"DESKTOP-R1E2DQ2\",\"endpointType\":\"desktop\",\"id\":\"2264018562208952766\",\"lastScanDate\":\"2025-07-29T19:25:47Z\",\"lastScanResult\":\"Succeeded\",\"markType\":\"\",\"markedBy\":null,\"markedDate\":null,\"osType\":\"windows\",\"publishedDate\":\"2024-04-15T20:15:00Z\",\"reason\":null,\"severity\":\"MEDIUM\",\"status\":\"Detected\"}", + "outcome": "success", + "severity": 47, + "type": [ + "info" + ] + }, + "host": { + "id": "2162143406517023959", + "os": { + "type": "windows" + }, + "type": "desktop" + }, + "package": { + "name": "PuTTY release", + "version": "0.77.0.0" + }, + "resource": { + "id": "2162143406517023959", + "name": "DESKTOP-R1E2DQ2" + }, + "sentinel_one": { + "application_risk": { + "application": "PuTTY release 0.77.0.0", + "application_name": "PuTTY release", + "application_vendor": "Simon Tatham", + "application_version": "0.77.0.0", + "base_score": 5.9, + "cve_id": "CVE-2024-31497", + "cvss_version": "3.1", + "days_detected": 10, + "detection_date": "2025-07-21T18:00:44.231Z", + "endpoint_id": "2162143406517023959", + "endpoint_name": "DESKTOP-R1E2DQ2", + "endpoint_type": "desktop", + "id": "2264018562208952766", + "last_scan_date": "2025-07-29T19:25:47.000Z", + "last_scan_result": "Succeeded", + "os_type": "windows", + "published_date": "2024-04-15T20:15:00.000Z", + "severity": "MEDIUM", + "status": "Detected" + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "cve": "CVE-2024-31497", + "id": "CVE-2024-31497", + "package": { + "published_date": "2024-04-15T20:15:00.000Z" + }, + "score": { + "base": 5.9, + "version": "3.1" + } + } + }, + { + "@timestamp": "2025-08-11T18:02:20.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + 
"vulnerability" + ], + "created": "2025-06-02T04:46:51.710Z", + "id": "2228104981028298282", + "kind": "state", + "original": "{\"application\":\"7-Zip 22.01\",\"applicationName\":\"7-Zip\",\"applicationVendor\":\"Igor Pavlov\",\"applicationVersion\":\"22.01\",\"baseScore\":\"7.80\",\"cveId\":\"CVE-2024-11477\",\"cvssVersion\":\"3.1\",\"daysDetected\":72,\"detectionDate\":\"2025-06-02T04:46:51.710578Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"DESKTOP-R1E2DQ2\",\"endpointType\":\"desktop\",\"id\":\"2228104981028298282\",\"lastScanDate\":\"2025-08-11T18:02:20Z\",\"lastScanResult\":\"Succeeded\",\"markType\":\"\",\"markedBy\":null,\"markedDate\":null,\"osType\":\"windows\",\"publishedDate\":\"2024-11-21T06:42:16Z\",\"reason\":null,\"severity\":\"HIGH\",\"status\":\"Detected\"}", + "outcome": "success", + "severity": 73, + "type": [ + "info" + ] + }, + "host": { + "id": "2162143406517023959", + "os": { + "type": "windows" + }, + "type": "desktop" + }, + "package": { + "name": "7-Zip", + "version": "22.01" + }, + "resource": { + "id": "2162143406517023959", + "name": "DESKTOP-R1E2DQ2" + }, + "sentinel_one": { + "application_risk": { + "application": "7-Zip 22.01", + "application_name": "7-Zip", + "application_vendor": "Igor Pavlov", + "application_version": "22.01", + "base_score": 7.8, + "cve_id": "CVE-2024-11477", + "cvss_version": "3.1", + "days_detected": 72, + "detection_date": "2025-06-02T04:46:51.710Z", + "endpoint_id": "2162143406517023959", + "endpoint_name": "DESKTOP-R1E2DQ2", + "endpoint_type": "desktop", + "id": "2228104981028298282", + "last_scan_date": "2025-08-11T18:02:20.000Z", + "last_scan_result": "Succeeded", + "os_type": "windows", + "published_date": "2024-11-21T06:42:16.000Z", + "severity": "HIGH", + "status": "Detected" + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "cve": "CVE-2024-11477", + "id": "CVE-2024-11477", + "package": { + "published_date": "2024-11-21T06:42:16.000Z" + }, + 
"score": { + "base": 7.8, + "version": "3.1" + } + } + }, + { + "@timestamp": "2025-08-11T18:02:20.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2025-06-02T04:46:51.710Z", + "id": "2228104981070241336", + "kind": "state", + "original": "{\"application\":\"Microsoft Edge 112.0.1722.68\",\"applicationName\":\"Microsoft Edge\",\"applicationVendor\":\"Microsoft Corporation\",\"applicationVersion\":\"112.0.1722.68\",\"baseScore\":\"6.10\",\"cveId\":\"CVE-2024-38156\",\"cvssVersion\":\"3.1\",\"daysDetected\":72,\"detectionDate\":\"2025-06-02T04:46:51.710591Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"DESKTOP-R1E2DQ2\",\"endpointType\":\"desktop\",\"id\":\"2228104981070241336\",\"lastScanDate\":\"2025-08-11T18:02:20Z\",\"lastScanResult\":\"Succeeded\",\"markType\":\"\",\"markedBy\":null,\"markedDate\":null,\"osType\":\"windows\",\"publishedDate\":\"2024-07-18T05:39:23Z\",\"reason\":null,\"severity\":\"MEDIUM\",\"status\":\"Detected\"}", + "outcome": "success", + "severity": 47, + "type": [ + "info" + ] + }, + "host": { + "id": "2162143406517023959", + "os": { + "type": "windows" + }, + "type": "desktop" + }, + "package": { + "name": "Microsoft Edge", + "version": "112.0.1722.68" + }, + "resource": { + "id": "2162143406517023959", + "name": "DESKTOP-R1E2DQ2" + }, + "sentinel_one": { + "application_risk": { + "application": "Microsoft Edge 112.0.1722.68", + "application_name": "Microsoft Edge", + "application_vendor": "Microsoft Corporation", + "application_version": "112.0.1722.68", + "base_score": 6.1, + "cve_id": "CVE-2024-38156", + "cvss_version": "3.1", + "days_detected": 72, + "detection_date": "2025-06-02T04:46:51.710Z", + "endpoint_id": "2162143406517023959", + "endpoint_name": "DESKTOP-R1E2DQ2", + "endpoint_type": "desktop", + "id": "2228104981070241336", + "last_scan_date": "2025-08-11T18:02:20.000Z", + "last_scan_result": "Succeeded", + "os_type": "windows", + "published_date": 
"2024-07-18T05:39:23.000Z", + "severity": "MEDIUM", + "status": "Detected" + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "cve": "CVE-2024-38156", + "id": "CVE-2024-38156", + "package": { + "published_date": "2024-07-18T05:39:23.000Z" + }, + "score": { + "base": 6.1, + "version": "3.1" + } + } + }, + { + "@timestamp": "2025-08-11T18:02:20.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2025-06-02T04:46:51.710Z", + "id": "2228104981095407166", + "kind": "state", + "original": "{\"application\":\"Microsoft Edge 112.0.1722.68\",\"applicationName\":\"Microsoft Edge\",\"applicationVendor\":\"Microsoft Corporation\",\"applicationVersion\":\"112.0.1722.68\",\"baseScore\":\"6.50\",\"cveId\":\"CVE-2024-38222\",\"cvssVersion\":\"3.1\",\"daysDetected\":72,\"detectionDate\":\"2025-06-02T04:46:51.710593Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"DESKTOP-R1E2DQ2\",\"endpointType\":\"desktop\",\"id\":\"2228104981095407166\",\"lastScanDate\":\"2025-08-11T18:02:20Z\",\"lastScanResult\":\"Succeeded\",\"markType\":\"\",\"markedBy\":null,\"markedDate\":null,\"osType\":\"windows\",\"publishedDate\":\"2024-08-13T18:27:28Z\",\"reason\":null,\"severity\":\"MEDIUM\",\"status\":\"Detected\"}", + "outcome": "success", + "severity": 47, + "type": [ + "info" + ] + }, + "host": { + "id": "2162143406517023959", + "os": { + "type": "windows" + }, + "type": "desktop" + }, + "package": { + "name": "Microsoft Edge", + "version": "112.0.1722.68" + }, + "resource": { + "id": "2162143406517023959", + "name": "DESKTOP-R1E2DQ2" + }, + "sentinel_one": { + "application_risk": { + "application": "Microsoft Edge 112.0.1722.68", + "application_name": "Microsoft Edge", + "application_vendor": "Microsoft Corporation", + "application_version": "112.0.1722.68", + "base_score": 6.5, + "cve_id": "CVE-2024-38222", + "cvss_version": "3.1", + "days_detected": 72, + "detection_date": 
"2025-06-02T04:46:51.710Z", + "endpoint_id": "2162143406517023959", + "endpoint_name": "DESKTOP-R1E2DQ2", + "endpoint_type": "desktop", + "id": "2228104981095407166", + "last_scan_date": "2025-08-11T18:02:20.000Z", + "last_scan_result": "Succeeded", + "os_type": "windows", + "published_date": "2024-08-13T18:27:28.000Z", + "severity": "MEDIUM", + "status": "Detected" + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "cve": "CVE-2024-38222", + "id": "CVE-2024-38222", + "package": { + "published_date": "2024-08-13T18:27:28.000Z" + }, + "score": { + "base": 6.5, + "version": "3.1" + } + } + }, + { + "@timestamp": "2025-08-11T18:02:20.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2025-06-02T04:46:51.710Z", + "id": "2228104981128961604", + "kind": "state", + "original": "{\"application\":\"Microsoft Edge 112.0.1722.68\",\"applicationName\":\"Microsoft Edge\",\"applicationVendor\":\"Microsoft Corporation\",\"applicationVersion\":\"112.0.1722.68\",\"baseScore\":\"9.60\",\"cveId\":\"CVE-2024-7971\",\"cvssVersion\":\"3.1\",\"daysDetected\":72,\"detectionDate\":\"2025-06-02T04:46:51.710604Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"DESKTOP-R1E2DQ2\",\"endpointType\":\"desktop\",\"id\":\"2228104981128961604\",\"lastScanDate\":\"2025-08-11T18:02:20Z\",\"lastScanResult\":\"Succeeded\",\"markType\":\"\",\"markedBy\":null,\"markedDate\":null,\"osType\":\"windows\",\"publishedDate\":\"2024-08-21T21:15:00Z\",\"reason\":null,\"severity\":\"CRITICAL\",\"status\":\"Detected\"}", + "outcome": "success", + "severity": 99, + "type": [ + "info" + ] + }, + "host": { + "id": "2162143406517023959", + "os": { + "type": "windows" + }, + "type": "desktop" + }, + "package": { + "name": "Microsoft Edge", + "version": "112.0.1722.68" + }, + "resource": { + "id": "2162143406517023959", + "name": "DESKTOP-R1E2DQ2" + }, + "sentinel_one": { + "application_risk": { + "application": 
"Microsoft Edge 112.0.1722.68", + "application_name": "Microsoft Edge", + "application_vendor": "Microsoft Corporation", + "application_version": "112.0.1722.68", + "base_score": 9.6, + "cve_id": "CVE-2024-7971", + "cvss_version": "3.1", + "days_detected": 72, + "detection_date": "2025-06-02T04:46:51.710Z", + "endpoint_id": "2162143406517023959", + "endpoint_name": "DESKTOP-R1E2DQ2", + "endpoint_type": "desktop", + "id": "2228104981128961604", + "last_scan_date": "2025-08-11T18:02:20.000Z", + "last_scan_result": "Succeeded", + "os_type": "windows", + "published_date": "2024-08-21T21:15:00.000Z", + "severity": "CRITICAL", + "status": "Detected" + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "cve": "CVE-2024-7971", + "id": "CVE-2024-7971", + "package": { + "published_date": "2024-08-21T21:15:00.000Z" + }, + "score": { + "base": 9.6, + "version": "3.1" + } + } + }, + { + "@timestamp": "2025-08-11T18:02:20.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2025-06-02T04:46:51.710Z", + "id": "2228104981137350215", + "kind": "state", + "original": "{\"application\":\"Microsoft Edge 112.0.1722.68\",\"applicationName\":\"Microsoft Edge\",\"applicationVendor\":\"Microsoft Corporation\",\"applicationVersion\":\"112.0.1722.68\",\"baseScore\":\"4.70\",\"cveId\":\"CVE-2024-38082\",\"cvssVersion\":\"3.1\",\"daysDetected\":72,\"detectionDate\":\"2025-06-02T04:46:51.710607Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"DESKTOP-R1E2DQ2\",\"endpointType\":\"desktop\",\"id\":\"2228104981137350215\",\"lastScanDate\":\"2025-08-11T18:02:20Z\",\"lastScanResult\":\"Succeeded\",\"markType\":\"\",\"markedBy\":null,\"markedDate\":null,\"osType\":\"windows\",\"publishedDate\":\"2024-06-20T20:15:00Z\",\"reason\":null,\"severity\":\"MEDIUM\",\"status\":\"Detected\"}", + "outcome": "success", + "severity": 47, + "type": [ + "info" + ] + }, + "host": { + "id": "2162143406517023959", + 
"os": { + "type": "windows" + }, + "type": "desktop" + }, + "package": { + "name": "Microsoft Edge", + "version": "112.0.1722.68" + }, + "resource": { + "id": "2162143406517023959", + "name": "DESKTOP-R1E2DQ2" + }, + "sentinel_one": { + "application_risk": { + "application": "Microsoft Edge 112.0.1722.68", + "application_name": "Microsoft Edge", + "application_vendor": "Microsoft Corporation", + "application_version": "112.0.1722.68", + "base_score": 4.7, + "cve_id": "CVE-2024-38082", + "cvss_version": "3.1", + "days_detected": 72, + "detection_date": "2025-06-02T04:46:51.710Z", + "endpoint_id": "2162143406517023959", + "endpoint_name": "DESKTOP-R1E2DQ2", + "endpoint_type": "desktop", + "id": "2228104981137350215", + "last_scan_date": "2025-08-11T18:02:20.000Z", + "last_scan_result": "Succeeded", + "os_type": "windows", + "published_date": "2024-06-20T20:15:00.000Z", + "severity": "MEDIUM", + "status": "Detected" + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "cve": "CVE-2024-38082", + "id": "CVE-2024-38082", + "package": { + "published_date": "2024-06-20T20:15:00.000Z" + }, + "score": { + "base": 4.7, + "version": "3.1" + } + } + } + ] +} diff --git a/packages/sentinel_one/data_stream/application_risk/_dev/test/pipeline/test-common-config.yml b/packages/sentinel_one/data_stream/application_risk/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..37e8fa225fd --- /dev/null +++ b/packages/sentinel_one/data_stream/application_risk/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_duplicate_custom_fields diff --git a/packages/sentinel_one/data_stream/application_risk/_dev/test/policy/test-all.expected b/packages/sentinel_one/data_stream/application_risk/_dev/test/policy/test-all.expected new file mode 100644 index 00000000000..76522c4ff3a --- /dev/null +++ b/packages/sentinel_one/data_stream/application_risk/_dev/test/policy/test-all.expected 
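Review bot: The first expected document sets `host.name` to `abc_host`, which is the input's `markedBy` value, while the endpoint's own name (`DESKTOP-R1E2DQ2`) only reaches `resource.name` and `sentinel_one.application_risk.endpoint_name`; in every other document, where `markedBy` is null, `host.name` is missing entirely. Since `host.id` already mirrors `endpointId`, `host.name` should presumably be filled from `endpointName` instead, and `markedBy` should not be mapped to `host.name` at all — it is already preserved as `sentinel_one.application_risk.marked_by`, and if it names the account that marked the risk, `user.name` would be the matching ECS field. The mapping lives in the ingest pipeline outside this hunk, so this fixture would need to be regenerated once it is corrected.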
@@ -0,0 +1,182 @@ +inputs: + - data_stream: + namespace: ep + meta: + package: + name: sentinel_one + name: test-all-sentinel_one + streams: + - config_version: 2 + data_stream: + dataset: sentinel_one.application_risk + interval: 30s + processors: + - add_fields: + fields: + id: "574734885120952459" + name: myproject + target: project + - add_tags: + tags: + - web + - production + target: environment + program: | + request("GET", + state.url.trim_right("/") + "/web/api/v2.1/application-management/risks?" + { + ?"cursor": state.?next.page.optMap(v, [v]), + ?"siteids": state.?site_ids.orValue(null) != null ? optional.of([string(state.site_ids)]) : optional.none(), + "limit": [string(state.batch_size)], + }.format_query() + ).with({ + "Header":{ + "Authorization": ["ApiToken " + state.api_token] + }, + }).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.decode_json().as(body, { + "events": body.data.map(e, { + "message": e.encode_json(), + }), + "api_token": state.api_token, + "batch_size": state.batch_size, + ?"site_ids": state.?site_ids.orValue(null) != null ? optional.of(state.site_ids) : optional.none(), + "next": { + ?"page": body.?pagination.?nextCursor.orValue(null) != null ? optional.of(body.pagination.nextCursor) : optional.none(), + }, + "want_more": body.?pagination.?nextCursor.orValue(null) != null, + }) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET " + state.url.trim_right("/") + "/web/api/v2.1/application-management/risks: " + ( + size(resp.Body) != 0 ? 
+ string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ), + }, + }, + "want_more": false, + } + ) + publisher_pipeline.disable_host: true + redact: + fields: + - api_token + resource.proxy_url: https://user:P%40ssword%23@0.0.0.0:0000 + resource.ssl: + certificate: | + -----BEGIN CERTIFICATE----- + MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + sxSmbIUfc2SGJGCJD4I= + -----END CERTIFICATE----- + certificate_authorities: + - | + -----BEGIN CERTIFICATE----- + MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + 
PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + sxSmbIUfc2SGJGCJD4I= + -----END CERTIFICATE----- + cipher_suites: + - ECDHE-ECDSA-AES-128-CBC-SHA + - ECDHE-ECDSA-AES-256-GCM-SHA384 + curve_types: + - P-256 + enabled: true + key: | + -----BEGIN PRIVATE KEY----- + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI + sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP + Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F + KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2 + MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z + HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ + nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx + Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0 + eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/ + Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM + epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve + Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn + BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8 + VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU + zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5 + GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA + 5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7 + 
TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF + hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li + e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze + Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T + kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+ + kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav + NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K + 0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc + nygO9KTJuUiBrLr0AHEnqko= + -----END PRIVATE KEY----- + supported_protocols: + - TLSv1.2 + resource.timeout: 10s + resource.tracer: + enabled: true + filename: ../../logs/cel/http-request-trace-*.ndjson + maxbackups: 5 + resource.url: http://host.tld + state: + api_token: ${SECRET_0} + batch_size: 100 + site_ids: null + tags: + - preserve_original_event + - preserve_duplicate_custom_fields + - forwarded + - sentinel_one-application_risk + - test-policy + type: cel + use_output: default +output_permissions: + default: + _elastic_agent_checks: + cluster: + - monitor + _elastic_agent_monitoring: + indices: [] + uuid-for-permissions-on-related-indices: + indices: + - names: + - logs-sentinel_one.application_risk-ep + privileges: + - auto_configure + - create_doc +secret_references: + - {} diff --git a/packages/sentinel_one/data_stream/application_risk/_dev/test/policy/test-all.yml b/packages/sentinel_one/data_stream/application_risk/_dev/test/policy/test-all.yml new file mode 100644 index 00000000000..e968483e480 --- /dev/null +++ b/packages/sentinel_one/data_stream/application_risk/_dev/test/policy/test-all.yml 
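Review bot: The query assembled in the `program` block sends the site filter as `?"siteids": ...`, whereas the SentinelOne API presumably expects the camelCase `siteIds` parameter; an unrecognised lowercase name is likely to be ignored rather than rejected, which would turn the filter into a silent no-op while the request still returns 200. This is worth verifying against the API documentation, and the rendered program comes from the data stream's agent template, which is outside this hunk, so the fix belongs there followed by regenerating this expected file. The `redact` list does include `api_token`, so the bearer token is kept out of the request tracer output.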
@@ -0,0 +1,104 @@ +vars: + url: http://host.tld + api_token: test_api_token + proxy_url: https://user:P%40ssword%23@0.0.0.0:0000 + ssl: | + enabled: true + supported_protocols: + - TLSv1.2 + cipher_suites: + - ECDHE-ECDSA-AES-128-CBC-SHA + - ECDHE-ECDSA-AES-256-GCM-SHA384 + curve_types: + - P-256 + certificate_authorities: + - | + -----BEGIN CERTIFICATE----- + MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + sxSmbIUfc2SGJGCJD4I= + -----END CERTIFICATE----- + certificate: | + -----BEGIN CERTIFICATE----- + MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP 
+ PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + sxSmbIUfc2SGJGCJD4I= + -----END CERTIFICATE----- + key: | + -----BEGIN PRIVATE KEY----- + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI + sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP + Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F + KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2 + MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z + HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ + nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx + Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0 + eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/ + Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM + epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve + Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn + BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8 + VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU + zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5 + GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA + 5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7 + TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF + hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li + 
e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze + Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T + kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+ + kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav + NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K + 0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc + nygO9KTJuUiBrLr0AHEnqko= + -----END PRIVATE KEY----- +data_stream: + vars: + interval: 30s + batch_size: 100 + tags: + - forwarded + - sentinel_one-application_risk + - test-policy + enable_request_tracer: true + preserve_original_event: true + preserve_duplicate_custom_fields: true + http_client_timeout: 10s + processors: | + - add_fields: + target: project + fields: + name: myproject + id: '574734885120952459' + - add_tags: + tags: [web, production] + target: "environment" diff --git a/packages/sentinel_one/data_stream/application_risk/_dev/test/policy/test-default.expected b/packages/sentinel_one/data_stream/application_risk/_dev/test/policy/test-default.expected new file mode 100644 index 00000000000..db7ae94e38d --- /dev/null +++ b/packages/sentinel_one/data_stream/application_risk/_dev/test/policy/test-default.expected 
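Review bot: The `ssl` block of test-all.yml commits a PEM private key next to its certificate, and the base64 under `certificate` appears identical to the entry under `certificate_authorities`, so this is a self-signed localhost pair used as its own CA. That is acceptable for a policy fixture, but an unannotated private key in the tree trips secret scanners and invites copy-paste into a real policy; add a comment above `ssl: |` such as `# Test-only self-signed localhost key pair; never use outside policy tests.` and the same caveat above `proxy_url`, which embeds a credential. `ECDHE-ECDSA-AES-128-CBC-SHA` is also a CBC/SHA-1 suite; if the fixture only needs to prove the list is passed through, keeping just the GCM suite avoids shipping a weak example that readers may treat as recommended.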
@@ -0,0 +1,89 @@ +inputs: + - data_stream: + namespace: ep + meta: + package: + name: sentinel_one + name: test-default-sentinel_one + streams: + - config_version: 2 + data_stream: + dataset: sentinel_one.application_risk + interval: 24h + program: | + request("GET", + state.url.trim_right("/") + "/web/api/v2.1/application-management/risks?" + { + ?"cursor": state.?next.page.optMap(v, [v]), + ?"siteids": state.?site_ids.orValue(null) != null ? optional.of([string(state.site_ids)]) : optional.none(), + "limit": [string(state.batch_size)], + }.format_query() + ).with({ + "Header":{ + "Authorization": ["ApiToken " + state.api_token] + }, + }).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.decode_json().as(body, { + "events": body.data.map(e, { + "message": e.encode_json(), + }), + "api_token": state.api_token, + "batch_size": state.batch_size, + ?"site_ids": state.?site_ids.orValue(null) != null ? optional.of(state.site_ids) : optional.none(), + "next": { + ?"page": body.?pagination.?nextCursor.orValue(null) != null ? optional.of(body.pagination.nextCursor) : optional.none(), + }, + "want_more": body.?pagination.?nextCursor.orValue(null) != null, + }) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET " + state.url.trim_right("/") + "/web/api/v2.1/application-management/risks: " + ( + size(resp.Body) != 0 ? 
+ string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ), + }, + }, + "want_more": false, + } + ) + publisher_pipeline.disable_host: true + redact: + fields: + - api_token + resource.ssl: null + resource.timeout: 30s + resource.tracer: + enabled: false + filename: ../../logs/cel/http-request-trace-*.ndjson + maxbackups: 5 + resource.url: http://host.tld + state: + api_token: ${SECRET_0} + batch_size: 1000 + site_ids: null + tags: + - forwarded + - sentinel_one-application_risk + type: cel + use_output: default +output_permissions: + default: + _elastic_agent_checks: + cluster: + - monitor + _elastic_agent_monitoring: + indices: [] + uuid-for-permissions-on-related-indices: + indices: + - names: + - logs-sentinel_one.application_risk-ep + privileges: + - auto_configure + - create_doc +secret_references: + - {} diff --git a/packages/sentinel_one/data_stream/application_risk/_dev/test/policy/test-default.yml b/packages/sentinel_one/data_stream/application_risk/_dev/test/policy/test-default.yml new file mode 100644 index 00000000000..ff45a4e1f3c --- /dev/null +++ b/packages/sentinel_one/data_stream/application_risk/_dev/test/policy/test-default.yml @@ -0,0 +1,13 @@ +vars: + url: http://host.tld + api_token: test_api_token +data_stream: + vars: + interval: 24h + batch_size: 1000 + enable_request_tracer: false + preserve_original_event: false + http_client_timeout: 30s + tags: + - forwarded + - sentinel_one-application_risk diff --git a/packages/sentinel_one/data_stream/application_risk/_dev/test/system/test-default-config.yml b/packages/sentinel_one/data_stream/application_risk/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..4f89c5aae02 --- /dev/null +++ b/packages/sentinel_one/data_stream/application_risk/_dev/test/system/test-default-config.yml 
@@ -0,0 +1,12 @@ +input: cel +service: sentinel_one +vars: + url: http://{{Hostname}}:{{Port}} + api_token: xxxx +data_stream: + vars: + batch_size: 2 + preserve_original_event: true + enable_request_tracer: true +assert: + hit_count: 5 diff --git a/packages/sentinel_one/data_stream/application_risk/agent/stream/cel.yml.hbs b/packages/sentinel_one/data_stream/application_risk/agent/stream/cel.yml.hbs new file mode 100644 index 00000000000..fc119f9c683 --- /dev/null +++ b/packages/sentinel_one/data_stream/application_risk/agent/stream/cel.yml.hbs 
@@ -0,0 +1,81 @@ +config_version: 2 +interval: {{interval}} +resource.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/cel/http-request-trace-*.ndjson" + maxbackups: 5 +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.url: {{url}} +state: + batch_size: {{batch_size}} + api_token: {{api_token}} + site_ids: {{site_ids}} +redact: + fields: + - api_token +program: | + request("GET", + state.url.trim_right("/") + "/web/api/v2.1/application-management/risks?" + { + ?"cursor": state.?next.page.optMap(v, [v]), + ?"siteids": state.?site_ids.orValue(null) != null ? optional.of([string(state.site_ids)]) : optional.none(), + "limit": [string(state.batch_size)], + }.format_query() + ).with({ + "Header":{ + "Authorization": ["ApiToken " + state.api_token] + }, + }).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.decode_json().as(body, { + "events": body.data.map(e, { + "message": e.encode_json(), + }), + "api_token": state.api_token, + "batch_size": state.batch_size, + ?"site_ids": state.?site_ids.orValue(null) != null ? optional.of(state.site_ids) : optional.none(), + "next": { + ?"page": body.?pagination.?nextCursor.orValue(null) != null ? optional.of(body.pagination.nextCursor) : optional.none(), + }, + "want_more": body.?pagination.?nextCursor.orValue(null) != null, + }) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET " + state.url.trim_right("/") + "/web/api/v2.1/application-management/risks: " + ( + size(resp.Body) != 0 ? 
+ string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ), + }, + }, + "want_more": false, + } + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/sentinel_one/data_stream/application_risk/elasticsearch/ilm/default_policy.json b/packages/sentinel_one/data_stream/application_risk/elasticsearch/ilm/default_policy.json new file mode 100644 index 00000000000..7996af84e22 --- /dev/null +++ b/packages/sentinel_one/data_stream/application_risk/elasticsearch/ilm/default_policy.json @@ -0,0 +1,20 @@ +{ + "policy": { + "phases": { + "hot": { + "actions": { + "rollover": { + "max_age": "30d", + "max_primary_shard_size": "50gb" + } + } + }, + "delete": { + "min_age": "30d", + "actions": { + "delete": {} + } + } + } + } +} diff --git a/packages/sentinel_one/data_stream/application_risk/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/data_stream/application_risk/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..104d3750fd2 --- /dev/null +++ b/packages/sentinel_one/data_stream/application_risk/elasticsearch/ingest_pipeline/default.yml 
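Review bot: The non-200 branch of the CEL program in cel.yml.hbs returns only `events` and `want_more`, while the success branch explicitly carries `api_token`, `batch_size` and `site_ids` forward; if the input replaces state wholesale (which the success branch's carry-forward suggests the author assumed), a single failed poll leaves the next run without a token and every later request fails with the same error. Add `"api_token": state.api_token,`, `"batch_size": state.batch_size,` and `?"site_ids": state.?site_ids.orValue(null) != null ? optional.of(state.site_ids) : optional.none(),` to the error object so state survives a transient 5xx or 429. Separately, `resource.url: {{url}}` and `api_token: {{api_token}}` are rendered as plain scalars; a value containing ` #` or starting with a YAML indicator would be truncated or break the rendered policy, so quoting them (`resource.url: "{{url}}"`) is the safer template form. Note that nothing in this template constrains `url` to `https`, and the fixtures use `http://host.tld`, so the `ApiToken` header would go out in cleartext for a misconfigured endpoint; that guard belongs with the package-level `url` var, which is outside this hunk.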
@@ -0,0 +1,448 @@ +--- +description: Pipeline for processing application_risk logs. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: 8.11.0 + - terminate: + tag: data_collection_error + if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null + description: error message set and no data to process. + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null + - json: + field: event.original + tag: json_event_original + target_field: json + - set: + field: event.kind + tag: set_event_kind + value: state + - append: + field: event.type + tag: append_info_into_event_type + value: info + - append: + field: event.category + tag: append_vulnerability_into_event_category + value: vulnerability + - rename: + field: json.application + tag: rename_application + target_field: sentinel_one.application_risk.application + ignore_missing: true + - rename: + field: json.applicationName + tag: rename_applicationName + target_field: sentinel_one.application_risk.application_name + ignore_missing: true + - set: + field: package.name + tag: set_package_name_from_application_risk_application_name + copy_from: sentinel_one.application_risk.application_name + ignore_empty_value: true + - rename: + field: json.applicationVendor + tag: rename_applicationVendor + target_field: sentinel_one.application_risk.application_vendor + ignore_missing: true + - rename: + field: json.applicationVersion + tag: 
rename_applicationVersion + target_field: sentinel_one.application_risk.application_version + ignore_missing: true + - set: + field: package.version + tag: set_package_version_from_application_risk_application_version + copy_from: sentinel_one.application_risk.application_version + ignore_empty_value: true + - convert: + field: json.baseScore + tag: convert_baseScore_to_double + target_field: sentinel_one.application_risk.base_score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: vulnerability.score.base + tag: set_vulnerability_score_base_from_application_risk_base_score + copy_from: sentinel_one.application_risk.base_score + ignore_empty_value: true + - rename: + field: json.cveId + tag: rename_cveId + target_field: sentinel_one.application_risk.cve_id + ignore_missing: true + - set: + field: vulnerability.id + tag: set_vulnerability_id_from_application_risk_cve_id + copy_from: sentinel_one.application_risk.cve_id + ignore_empty_value: true + - set: + field: vulnerability.cve + tag: set_vulnerability_cve_from_application_risk_cve_id + copy_from: sentinel_one.application_risk.cve_id + ignore_empty_value: true + - rename: + field: json.cvssVersion + tag: rename_cvssVersion + target_field: sentinel_one.application_risk.cvss_version + ignore_missing: true + - set: + field: vulnerability.score.version + tag: set_vulnerability_score_version_from_application_risk_cvss_version + copy_from: sentinel_one.application_risk.cvss_version + ignore_empty_value: true + - convert: + field: json.daysDetected + tag: convert_daysDetected_to_long + target_field: sentinel_one.application_risk.days_detected + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor 
{{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.detectionDate + tag: date_detectionDate + target_field: sentinel_one.application_risk.detection_date + formats: + - strict_date_optional_time_nanos + if: ctx.json?.detectionDate != null && ctx.json.detectionDate != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.endpointId + tag: convert_endpointId_to_string + target_field: sentinel_one.application_risk.endpoint_id + type: string + ignore_missing: true + - set: + field: host.id + tag: set_host_id_from_application_risk_endpoint_id + copy_from: sentinel_one.application_risk.endpoint_id + ignore_empty_value: true + - set: + field: resource.id + tag: set_resource_id_from_application_risk_endpoint_id + copy_from: sentinel_one.application_risk.endpoint_id + ignore_empty_value: true + - rename: + field: json.endpointName + tag: rename_endpointName + target_field: sentinel_one.application_risk.endpoint_name + ignore_missing: true + - set: + field: resource.name + tag: set_resource_name_from_application_risk_endpoint_name + copy_from: sentinel_one.application_risk.endpoint_name + ignore_empty_value: true + - rename: + field: json.endpointType + tag: rename_endpointType + target_field: sentinel_one.application_risk.endpoint_type + ignore_missing: true + - set: + field: host.type + tag: set_host_type_from_application_risk_endpoint_type + copy_from: sentinel_one.application_risk.endpoint_type + ignore_empty_value: true + - rename: + field: json.exploitCodeMaturity + tag: rename_exploitCodeMaturity + target_field: sentinel_one.application_risk.exploit_code_maturity + ignore_missing: 
true + - convert: + field: json.id + tag: convert_id_to_string + target_field: sentinel_one.application_risk.id + type: string + ignore_missing: true + - set: + field: event.id + tag: set_event_id_from_application_risk_id + copy_from: sentinel_one.application_risk.id + ignore_empty_value: true + - date: + field: json.lastScanDate + tag: date_lastScanDate + target_field: sentinel_one.application_risk.last_scan_date + formats: + - date_optional_time + if: ctx.json?.lastScanDate != null && ctx.json.lastScanDate != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: '@timestamp' + tag: set_timestamp_from_last_scan_date + copy_from: sentinel_one.application_risk.last_scan_date + ignore_empty_value: true + - rename: + field: json.lastScanResult + tag: rename_lastScanResult + target_field: sentinel_one.application_risk.last_scan_result + ignore_missing: true + - set: + field: event.outcome + value: success + if: ctx.sentinel_one?.application_risk?.last_scan_result?.equalsIgnoreCase('Succeeded') == true + - set: + field: event.outcome + value: failure + if: ctx.sentinel_one?.application_risk?.last_scan_result?.equalsIgnoreCase('Failed') == true + - set: + field: event.outcome + value: unknown + override: false + - rename: + field: json.markType + tag: rename_markType + target_field: sentinel_one.application_risk.mark_type + ignore_missing: true + - rename: + field: json.markedBy + tag: rename_markedBy + target_field: sentinel_one.application_risk.marked_by + ignore_missing: true + - set: + field: host.name + tag: set_host_name_from_application_risk_marked_by + copy_from: sentinel_one.application_risk.marked_by + ignore_empty_value: true + - date: + field: json.markedDate + tag: date_markedDate + target_field: sentinel_one.application_risk.marked_date 
+ formats: + - date_optional_time + if: ctx.json?.markedDate != null && ctx.json.markedDate != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.mitigationStatus + tag: rename_mitigationStatus + target_field: sentinel_one.application_risk.mitigation_status + ignore_missing: true + - date: + field: json.mitigationStatusChangeTime + tag: date_mitigationStatusChangeTime + target_field: sentinel_one.application_risk.mitigation_status_change_time + formats: + - ISO8601 + - date_optional_time + if: ctx.json?.mitigationStatusChangeTime != null && ctx.json.mitigationStatusChangeTime != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.mitigationStatusChangedBy + tag: rename_mitigationStatusChangedBy + target_field: sentinel_one.application_risk.mitigation_status_changed_by + ignore_missing: true + - rename: + field: json.mitigationStatusReason + tag: rename_mitigationStatusReason + target_field: sentinel_one.application_risk.mitigation_status_reason + ignore_missing: true + - convert: + field: json.nvdBaseScore + tag: convert_nvdBaseScore_to_float + target_field: sentinel_one.application_risk.nvd_base_score + type: float + ignore_missing: true + if: ctx.json?.nvdBaseScore != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.nvdCvssVersion + tag: rename_nvdCvssVersion + 
target_field: sentinel_one.application_risk.nvd_cvss_version + ignore_missing: true + - rename: + field: json.osType + tag: rename_osType + target_field: sentinel_one.application_risk.os_type + ignore_missing: true + - set: + field: host.os.type + tag: set_host_os_type_from_application_risk_os_type + copy_from: sentinel_one.application_risk.os_type + if: >- + ctx.sentinel_one?.application_risk?.os_type == 'windows' + || ctx.sentinel_one?.application_risk?.os_type == 'linux' + || ctx.sentinel_one?.application_risk?.os_type == 'macos' + ignore_empty_value: true + - date: + field: json.publishedDate + tag: date_publishedDate + target_field: sentinel_one.application_risk.published_date + formats: + - date_optional_time + if: ctx.json?.publishedDate != null && ctx.json.publishedDate != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: vulnerability.package.published_date + tag: set_vulnerability_package_publisheddate_from_application_published_date + copy_from: sentinel_one.application_risk.published_date + ignore_empty_value: true + - set: + field: event.created + tag: set_event_created + copy_from: sentinel_one.application_risk.detection_date + ignore_empty_value: true + - rename: + field: json.reason + tag: rename_reason + target_field: sentinel_one.application_risk.reason + ignore_missing: true + - set: + field: event.reason + tag: set_event_reason_from_application_risk_reason + copy_from: sentinel_one.application_risk.reason + ignore_empty_value: true + - rename: + field: json.remediationLevel + tag: rename_remediationLevel + target_field: sentinel_one.application_risk.remediation_level + ignore_missing: true + - rename: + field: json.reportConfidence + tag: rename_reportConfidence + target_field: 
sentinel_one.application_risk.report_confidence + ignore_missing: true + - convert: + field: json.riskScore + tag: convert_riskScore_to_double + target_field: sentinel_one.application_risk.risk_score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.severity + tag: rename_severity + target_field: sentinel_one.application_risk.severity + ignore_missing: true + - script: + description: Set event severity based on severity. + if: ctx.sentinel_one?.application_risk?.severity != null + lang: painless + params: + low: 21 + medium: 47 + high: 73 + critical: 99 + source: |- + ctx.event = ctx.event ?: [:]; + ctx.event.severity = params.get(ctx.sentinel_one.application_risk.severity.toLowerCase()); + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.status + tag: rename_status + target_field: sentinel_one.application_risk.status + ignore_missing: true + - remove: + field: + - sentinel_one.application_risk.application_name + - sentinel_one.application_risk.application_version + - sentinel_one.application_risk.base_score + - sentinel_one.application_risk.cve_id + - sentinel_one.application_risk.cvss_version + - sentinel_one.application_risk.endpoint_id + - sentinel_one.application_risk.endpoint_name + - sentinel_one.application_risk.endpoint_type + - sentinel_one.application_risk.id + - sentinel_one.application_risk.os_type + - sentinel_one.application_risk.published_date + - sentinel_one.application_risk.reason + tag: remove_custom_duplicate_fields + ignore_missing: true + if: 
ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') + - remove: + field: json + tag: remove_json + ignore_missing: true + - script: + tag: script_to_drop_null_values + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. + source: |- + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + - set: + field: event.kind + tag: set_pipeline_error_into_event_kind + value: pipeline_error + if: ctx.error?.message != null + - append: + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: |- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/sentinel_one/data_stream/application_risk/fields/base-fields.yml b/packages/sentinel_one/data_stream/application_risk/fields/base-fields.yml new file mode 100644 index 00000000000..370b308b61d --- /dev/null +++ b/packages/sentinel_one/data_stream/application_risk/fields/base-fields.yml 
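Review bot: The `set_host_name_from_application_risk_marked_by` processor in the ingest pipeline copies `sentinel_one.application_risk.marked_by` into `host.name`, while `host.id` and `resource.name` come from the endpoint fields; given the sibling `mark_type`/`marked_date` fields, `markedBy` looks like the actor who marked the risk rather than the host, and if so `host.name` would carry a username and poison any host-keyed correlation or detection rule. Unless the API documents `markedBy` as a hostname, change the copy to `copy_from: sentinel_one.application_risk.endpoint_name` (that field is already in the `remove_custom_duplicate_fields` list) and leave `marked_by` unmapped or map it to a user field. Also, `set_host_os_type_from_application_risk_os_type` accepts `windows`, `linux` and `macos` but silently drops `windows_legacy`, one of the enumerated values in the benchmark config; a preceding `set` of `host.os.type` to `windows` when `os_type == 'windows_legacy'` would keep those hosts filterable.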
@@ -0,0 +1,16 @@ +- name: data_stream.type + external: ecs +- name: data_stream.dataset + external: ecs +- name: data_stream.namespace + external: ecs +- name: "@timestamp" + external: ecs +- name: event.module + type: constant_keyword + external: ecs + value: sentinel_one +- name: event.dataset + type: constant_keyword + external: ecs + value: sentinel_one.application_risk diff --git a/packages/sentinel_one/data_stream/application_risk/fields/beats.yml b/packages/sentinel_one/data_stream/application_risk/fields/beats.yml new file mode 100644 index 00000000000..d5fd38748ba --- /dev/null +++ b/packages/sentinel_one/data_stream/application_risk/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/sentinel_one/data_stream/application_risk/fields/ecs.yml b/packages/sentinel_one/data_stream/application_risk/fields/ecs.yml new file mode 100644 index 00000000000..81da2d50621 --- /dev/null +++ b/packages/sentinel_one/data_stream/application_risk/fields/ecs.yml @@ -0,0 +1,4 @@ +- name: observer.vendor + external: ecs + type: constant_keyword + value: SentinelOne diff --git a/packages/sentinel_one/data_stream/application_risk/fields/fields.yml b/packages/sentinel_one/data_stream/application_risk/fields/fields.yml new file mode 100644 index 00000000000..33aaaa985b9 --- /dev/null +++ b/packages/sentinel_one/data_stream/application_risk/fields/fields.yml 
@@ -0,0 +1,98 @@ +- name: sentinel_one + type: group + fields: + - name: application_risk + type: group + fields: + - name: application + type: keyword + description: Composed application name. + - name: application_name + type: keyword + description: Application name. + - name: application_vendor + type: keyword + description: Application vendor. + - name: application_version + type: keyword + description: Application version. + - name: base_score + type: float + - name: cve_id + type: keyword + description: CVE Id. + - name: cvss_version + type: keyword + description: Cvss version. + - name: days_detected + type: long + description: Days detected. + - name: detection_date + type: date + description: Detection date. + - name: endpoint_id + type: keyword + description: Endpoint id. + - name: endpoint_name + type: keyword + description: Endpoint name. + - name: endpoint_type + type: keyword + description: Endpoint type. + - name: exploit_code_maturity + type: keyword + - name: id + type: keyword + description: Id. + - name: last_scan_date + type: date + description: Last scan date. + - name: last_scan_result + type: keyword + description: Last scan result. + - name: mark_type + type: keyword + description: Mark type. + - name: marked_by + type: keyword + description: Marked by. + - name: marked_date + type: date + description: Marked date. + - name: mitigation_status + type: keyword + description: Risk mitigation status. + - name: mitigation_status_change_time + type: date + description: Mitigation status change time. + - name: mitigation_status_changed_by + type: keyword + description: Mitigation status changer. + - name: mitigation_status_reason + type: keyword + description: Mitigation status reason. + - name: nvd_base_score + type: double + - name: nvd_cvss_version + type: keyword + - name: os_type + type: keyword + description: OS type. + - name: published_date + type: date + description: Published date. + - name: reason + type: keyword + description: Reason. 
+ - name: remediation_level + type: keyword + - name: report_confidence + type: keyword + - name: risk_score + type: double + - name: severity + type: keyword + description: Severity. + - name: status + type: keyword + description: Risk status. diff --git a/packages/sentinel_one/data_stream/application_risk/fields/is-transform-source-true.yml b/packages/sentinel_one/data_stream/application_risk/fields/is-transform-source-true.yml new file mode 100644 index 00000000000..fd4766eacd5 --- /dev/null +++ b/packages/sentinel_one/data_stream/application_risk/fields/is-transform-source-true.yml @@ -0,0 +1,4 @@ +- name: labels.is_transform_source + type: constant_keyword + description: Distinguishes between documents that are a source for a transform and documents that are an output of a transform, to facilitate easier filtering. + value: "true" diff --git a/packages/sentinel_one/data_stream/application_risk/fields/resource.yml b/packages/sentinel_one/data_stream/application_risk/fields/resource.yml new file mode 100644 index 00000000000..dcbad49936b --- /dev/null +++ b/packages/sentinel_one/data_stream/application_risk/fields/resource.yml @@ -0,0 +1,9 @@ +- name: resource + type: group + fields: + - name: id + type: keyword + description: The ID of the vulnerable resource. + - name: name + type: keyword + description: The name of the vulnerable resource. diff --git a/packages/sentinel_one/data_stream/application_risk/fields/vulnerability.yml b/packages/sentinel_one/data_stream/application_risk/fields/vulnerability.yml new file mode 100644 index 00000000000..0ecdd74143f --- /dev/null +++ b/packages/sentinel_one/data_stream/application_risk/fields/vulnerability.yml @@ -0,0 +1,12 @@ +- name: vulnerability + type: group + fields: + - name: cve + type: keyword + description: The CVE id of the vulnerability. + - name: package + type: group + fields: + - name: published_date + type: date + description: When the vulnerability was published. 
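Review bot: In fields.yml, `base_score`, `exploit_code_maturity`, `nvd_base_score`, `nvd_cvss_version`, `remediation_level`, `report_confidence` and `risk_score` have no `description`, unlike every other field in the group, so the generated docs will show empty rows for exactly the CVSS metrics an analyst most needs explained. The numeric types are also inconsistent with the pipeline: `base_score` is mapped `float` but converted with `type: double`, while `nvd_base_score` is mapped `double` but converted with `type: float`. Pick one type for all three score fields, e.g. `type: double` with `description: CVSS base score reported by SentinelOne.` for `base_score`, and align the `convert` processors accordingly.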
diff --git a/packages/sentinel_one/data_stream/application_risk/lifecycle.yml b/packages/sentinel_one/data_stream/application_risk/lifecycle.yml
new file mode 100644
index 00000000000..b56a81e81d7
--- /dev/null
+++ b/packages/sentinel_one/data_stream/application_risk/lifecycle.yml
@@ -0,0 +1 @@
+data_retention: "30d"
diff --git a/packages/sentinel_one/data_stream/application_risk/manifest.yml b/packages/sentinel_one/data_stream/application_risk/manifest.yml
new file mode 100644
index 00000000000..ce0d11194a9
--- /dev/null
+++ b/packages/sentinel_one/data_stream/application_risk/manifest.yml
@@ -0,0 +1,82 @@
+title: "Application Risk"
+type: logs
+ilm_policy: logs-sentinel_one.application_risk-default_policy
+streams:
+ - input: cel
+ title: Application Risk
+ description: Collecting application risk via API.
+ template_path: cel.yml.hbs
+ enabled: false
+ vars:
+ - name: interval
+ type: text
+ title: Interval
+ description: Duration between requests to the Sentinel One API. Supported units for this parameter are h/m/s.
+ default: 24h
+ multi: false
+ required: true
+ show_user: true
+ - name: batch_size
+ type: integer
+ title: Batch Size
+ multi: false
+ required: true
+ show_user: false
+ description: Batch size for the response of the Sentinel One API. The maximum supported page size value is 1000.
+ default: 1000
+ - name: site_ids
+ type: text
+ title: Site IDs
+ multi: false
+ required: false
+ show_user: false
+ description: Comma separated list of Site IDs to filter by. Example - "225494730938493804,225494730938493915".
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.
+ multi: false
+ required: true
+ show_user: false
+ default: 30s
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ default: false
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - sentinel_one-application_risk
+ - name: preserve_original_event
+ required: false
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: preserve_duplicate_custom_fields
+ required: false
+ show_user: false
+ title: Preserve duplicate custom fields
+ description: Preserve sentinel_one.application_risk fields that were copied to Elastic Common Schema (ECS) fields.
+ type: bool
+ multi: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.
diff --git a/packages/sentinel_one/data_stream/application_risk/sample_event.json b/packages/sentinel_one/data_stream/application_risk/sample_event.json
new file mode 100644
index 00000000000..7da5cb657a4
--- /dev/null
+++ b/packages/sentinel_one/data_stream/application_risk/sample_event.json
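Review bot: `preserve_duplicate_custom_fields` is declared without a `default`, unlike the neighbouring `preserve_original_event` and `enable_request_tracer`, which both carry `default: false`; with no default the variable is presumably left unset rather than false, so the `cel.yml.hbs` template (not in this diff) has to treat "absent" and "false" the same, and the policy editor shows no value for it. Suggest adding `default: false` after `multi: false` so the three bool toggles are declared consistently. Separately, the `batch_size` description states a maximum of 1000 but nothing here enforces it; if the template does not clamp the value, the description should say that larger values are rejected by the API rather than silently capped.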
@@ -0,0 +1,86 @@ +{ + "@timestamp": "2025-07-29T19:25:47.000Z", + "agent": { + "ephemeral_id": "172fb5e6-5307-4cbb-a7ce-611175d266cc", + "id": "fee16666-9913-4393-8c3d-3aca209ebb85", + "name": "elastic-agent-32563", + "type": "filebeat", + "version": "8.18.0" + }, + "data_stream": { + "dataset": "sentinel_one.application_risk", + "namespace": "61830", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "fee16666-9913-4393-8c3d-3aca209ebb85", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "vulnerability" + ], + "created": "2025-06-02T04:46:51.710Z", + "dataset": "sentinel_one.application_risk", + "id": "2228104980801805822", + "ingested": "2025-08-28T10:34:51Z", + "kind": "state", + "original": "{\"application\":\"7-Zip 22.01\",\"applicationName\":\"7-Zip\",\"applicationVendor\":\"Igor Pavlov\",\"applicationVersion\":\"22.01\",\"baseScore\":\"7.00\",\"cveId\":\"CVE-2025-0411\",\"cvssVersion\":\"3.1\",\"daysDetected\":59,\"detectionDate\":\"2025-06-02T04:46:51.710569Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"test_endpoint\",\"endpointType\":\"desktop\",\"id\":\"2228104980801805822\",\"lastScanDate\":\"2025-07-29T19:25:47Z\",\"lastScanResult\":\"Succeeded\",\"markType\":\"\",\"markedBy\":null,\"markedDate\":null,\"osType\":\"windows\",\"publishedDate\":\"2025-01-20T07:04:04Z\",\"reason\":null,\"severity\":\"HIGH\",\"status\":\"Detected\"}", + "outcome": "success", + "severity": 73, + "type": [ + "info" + ] + }, + "host": { + "id": "2162143406517023959", + "os": { + "type": "windows" + }, + "type": "desktop" + }, + "input": { + "type": "cel" + }, + "package": { + "name": "7-Zip", + "version": "22.01" + }, + "resource": { + "id": "2162143406517023959", + "name": "test_endpoint" + }, + "sentinel_one": { + "application_risk": { + "application": "7-Zip 22.01", + "application_vendor": "Igor Pavlov", + "days_detected": 59, + "detection_date": 
"2025-06-02T04:46:51.710Z", + "last_scan_date": "2025-07-29T19:25:47.000Z", + "last_scan_result": "Succeeded", + "severity": "HIGH", + "status": "Detected" + } + }, + "tags": [ + "preserve_original_event", + "forwarded", + "sentinel_one-application_risk" + ], + "vulnerability": { + "cve": "CVE-2025-0411", + "id": "CVE-2025-0411", + "package": { + "published_date": "2025-01-20T07:04:04.000Z" + }, + "score": { + "base": 7, + "version": "3.1" + } + } +} diff --git a/packages/sentinel_one/data_stream/group/_dev/test/policy/test-all.expected b/packages/sentinel_one/data_stream/group/_dev/test/policy/test-all.expected index c7fa52caa76..dd9dd2ce2ce 100644 --- a/packages/sentinel_one/data_stream/group/_dev/test/policy/test-all.expected +++ b/packages/sentinel_one/data_stream/group/_dev/test/policy/test-all.expected @@ -12,7 +12,6 @@ inputs: value: '[[.last_event.updatedAt]]' data_stream: dataset: sentinel_one.group - type: logs interval: 30s processors: - add_fields: diff --git a/packages/sentinel_one/data_stream/group/_dev/test/policy/test-default.expected b/packages/sentinel_one/data_stream/group/_dev/test/policy/test-default.expected index 2ea96a82612..b75be0deda1 100644 --- a/packages/sentinel_one/data_stream/group/_dev/test/policy/test-default.expected +++ b/packages/sentinel_one/data_stream/group/_dev/test/policy/test-default.expected @@ -12,7 +12,6 @@ inputs: value: '[[.last_event.updatedAt]]' data_stream: dataset: sentinel_one.group - type: logs interval: 30s publisher_pipeline.disable_host: true request.method: GET diff --git a/packages/sentinel_one/data_stream/threat/_dev/test/policy/test-all.expected b/packages/sentinel_one/data_stream/threat/_dev/test/policy/test-all.expected index 8103a2845a2..6437649f816 100644 --- a/packages/sentinel_one/data_stream/threat/_dev/test/policy/test-all.expected +++ b/packages/sentinel_one/data_stream/threat/_dev/test/policy/test-all.expected 
@@ -12,7 +12,6 @@ inputs: value: '[[.last_event.threatInfo.updatedAt]]' data_stream: dataset: sentinel_one.threat - type: logs interval: 30s processors: - add_fields: diff --git a/packages/sentinel_one/data_stream/threat/_dev/test/policy/test-default.expected b/packages/sentinel_one/data_stream/threat/_dev/test/policy/test-default.expected index 7554c04765c..8e37dba71b6 100644 --- a/packages/sentinel_one/data_stream/threat/_dev/test/policy/test-default.expected +++ b/packages/sentinel_one/data_stream/threat/_dev/test/policy/test-default.expected @@ -12,7 +12,6 @@ inputs: value: '[[.last_event.threatInfo.updatedAt]]' data_stream: dataset: sentinel_one.threat - type: logs interval: 30s publisher_pipeline.disable_host: true request.method: GET diff --git a/packages/sentinel_one/docs/README.md b/packages/sentinel_one/docs/README.md index 2382d8b5cb9..b91d9947388 100644 --- a/packages/sentinel_one/docs/README.md +++ b/packages/sentinel_one/docs/README.md 
@@ -1014,6 +1014,154 @@ An example event for `application` looks as following: | sentinel_one.application.version | | keyword | +### application risk + +This is the `application risk` dataset. + +An example event for `application_risk` looks as following: + +```json +{ + "@timestamp": "2025-07-29T19:25:47.000Z", + "agent": { + "ephemeral_id": "172fb5e6-5307-4cbb-a7ce-611175d266cc", + "id": "fee16666-9913-4393-8c3d-3aca209ebb85", + "name": "elastic-agent-32563", + "type": "filebeat", + "version": "8.18.0" + }, + "data_stream": { + "dataset": "sentinel_one.application_risk", + "namespace": "61830", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "fee16666-9913-4393-8c3d-3aca209ebb85", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "vulnerability" + ], + "created": "2025-06-02T04:46:51.710Z", + "dataset": "sentinel_one.application_risk", + "id": "2228104980801805822", + "ingested": "2025-08-28T10:34:51Z", + "kind": "state", + "original": "{\"application\":\"7-Zip 22.01\",\"applicationName\":\"7-Zip\",\"applicationVendor\":\"Igor Pavlov\",\"applicationVersion\":\"22.01\",\"baseScore\":\"7.00\",\"cveId\":\"CVE-2025-0411\",\"cvssVersion\":\"3.1\",\"daysDetected\":59,\"detectionDate\":\"2025-06-02T04:46:51.710569Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"test_endpoint\",\"endpointType\":\"desktop\",\"id\":\"2228104980801805822\",\"lastScanDate\":\"2025-07-29T19:25:47Z\",\"lastScanResult\":\"Succeeded\",\"markType\":\"\",\"markedBy\":null,\"markedDate\":null,\"osType\":\"windows\",\"publishedDate\":\"2025-01-20T07:04:04Z\",\"reason\":null,\"severity\":\"HIGH\",\"status\":\"Detected\"}", + "outcome": "success", + "severity": 73, + "type": [ + "info" + ] + }, + "host": { + "id": "2162143406517023959", + "os": { + "type": "windows" + }, + "type": "desktop" + }, + "input": { + "type": "cel" + }, + "package": { + "name": "7-Zip", + "version": "22.01" + }, 
+ "resource": { + "id": "2162143406517023959", + "name": "test_endpoint" + }, + "sentinel_one": { + "application_risk": { + "application": "7-Zip 22.01", + "application_vendor": "Igor Pavlov", + "days_detected": 59, + "detection_date": "2025-06-02T04:46:51.710Z", + "last_scan_date": "2025-07-29T19:25:47.000Z", + "last_scan_result": "Succeeded", + "severity": "HIGH", + "status": "Detected" + } + }, + "tags": [ + "preserve_original_event", + "forwarded", + "sentinel_one-application_risk" + ], + "vulnerability": { + "cve": "CVE-2025-0411", + "id": "CVE-2025-0411", + "package": { + "published_date": "2025-01-20T07:04:04.000Z" + }, + "score": { + "base": 7, + "version": "3.1" + } + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. 
If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword | +| input.type | Type of Filebeat input. | keyword | +| labels.is_transform_source | Distinguishes between documents that are a source for a transform and documents that are an output of a transform, to facilitate easier filtering. | constant_keyword | +| log.offset | Log offset. | long | +| observer.vendor | Vendor name of the observer. | constant_keyword | +| resource.id | The ID of the vulnerable resource. | keyword | +| resource.name | The name of the vulnerable resource. | keyword | +| sentinel_one.application_risk.application | Composed application name. | keyword | +| sentinel_one.application_risk.application_name | Application name. | keyword | +| sentinel_one.application_risk.application_vendor | Application vendor. | keyword | +| sentinel_one.application_risk.application_version | Application version. | keyword | +| sentinel_one.application_risk.base_score | | float | +| sentinel_one.application_risk.cve_id | CVE Id. 
| keyword | +| sentinel_one.application_risk.cvss_version | Cvss version. | keyword | +| sentinel_one.application_risk.days_detected | Days detected. | long | +| sentinel_one.application_risk.detection_date | Detection date. | date | +| sentinel_one.application_risk.endpoint_id | Endpoint id. | keyword | +| sentinel_one.application_risk.endpoint_name | Endpoint name. | keyword | +| sentinel_one.application_risk.endpoint_type | Endpoint type. | keyword | +| sentinel_one.application_risk.exploit_code_maturity | | keyword | +| sentinel_one.application_risk.id | Id. | keyword | +| sentinel_one.application_risk.last_scan_date | Last scan date. | date | +| sentinel_one.application_risk.last_scan_result | Last scan result. | keyword | +| sentinel_one.application_risk.mark_type | Mark type. | keyword | +| sentinel_one.application_risk.marked_by | Marked by. | keyword | +| sentinel_one.application_risk.marked_date | Marked date. | date | +| sentinel_one.application_risk.mitigation_status | Risk mitigation status. | keyword | +| sentinel_one.application_risk.mitigation_status_change_time | Mitigation status change time. | date | +| sentinel_one.application_risk.mitigation_status_changed_by | Mitigation status changer. | keyword | +| sentinel_one.application_risk.mitigation_status_reason | Mitigation status reason. | keyword | +| sentinel_one.application_risk.nvd_base_score | | double | +| sentinel_one.application_risk.nvd_cvss_version | | keyword | +| sentinel_one.application_risk.os_type | OS type. | keyword | +| sentinel_one.application_risk.published_date | Published date. | date | +| sentinel_one.application_risk.reason | Reason. | keyword | +| sentinel_one.application_risk.remediation_level | | keyword | +| sentinel_one.application_risk.report_confidence | | keyword | +| sentinel_one.application_risk.risk_score | | double | +| sentinel_one.application_risk.severity | Severity. | keyword | +| sentinel_one.application_risk.status | Risk status. 
| keyword | +| vulnerability.cve | The CVE id of the vulnerability. | keyword | +| vulnerability.package.published_date | When the vulnerability was published. | date | + + ### group This is the `group` dataset. @@ -1554,3 +1702,4 @@ An example event for `threat` looks as following: | sentinel_one.threat.storyline | Storyline identifier from agent. | keyword | | sentinel_one.threat.threat_id | Threat id. | keyword | | sentinel_one.threat.whitening_option | Whitening options. | keyword | + diff --git a/packages/sentinel_one/img/sentinel-one-application-risk-dashboard.png b/packages/sentinel_one/img/sentinel-one-application-risk-dashboard.png new file mode 100644 index 00000000000..14e4ca4813a Binary files /dev/null and b/packages/sentinel_one/img/sentinel-one-application-risk-dashboard.png differ diff --git a/packages/sentinel_one/kibana/dashboard/sentinel_one-9d3f16ad-d421-4475-b0e2-c9b3f795e0d5.json b/packages/sentinel_one/kibana/dashboard/sentinel_one-9d3f16ad-d421-4475-b0e2-c9b3f795e0d5.json new file mode 100644 index 00000000000..7ea70818dcd --- /dev/null +++ b/packages/sentinel_one/kibana/dashboard/sentinel_one-9d3f16ad-d421-4475-b0e2-c9b3f795e0d5.json 
@@ -0,0 +1,882 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "37453bed-8c5d-4440-b59f-6139886d0c30": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "sentinel_one.application_risk.severity", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Severity" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "sentinel_one.application_risk" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "sentinel_one.application_risk" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Navigation**\n\n[Sentinel One Activity Dashboard](#/dashboard/sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538)\n\n[Sentinel One Agent 
Dashboard](#/dashboard/sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538)\n\n[Sentinel One Alert Dashboard](#/dashboard/sentinel_one-bcf1f680-bba3-11ec-82b7-8fcb232e9538)\n\n[Sentinel One Application Dashboard]()\n\n**Sentinel One Application Risk Dashboard**\n\n[Sentinel One Group Dashboard](#/dashboard/sentinel_one-5881f5f0-bb2c-11ec-82b7-8fcb232e9538)\n\n[Sentinel One Threat Dashboard](#/dashboard/sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538)\n\n**Overview**\n\nThis dashboard provides a clear overview of application risk data from the SentinelOne integration. It includes total vulnerability metrics, highlights the number of high and critical vulnerabilities, and visualizes application vulnerabilities by severity through a pie chart. A bar chart shows the distribution of applications based on their vulnerability count, while a table lists the top vulnerabilities for deeper insight.\n\n\n\n[**Integrations Page**](/app/integrations/detail/sentinel_one/overview)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 31, + "i": "1bc96a69-6907-4a25-9000-f1d476808080", + "w": 10, + "x": 0, + "y": 0 + }, + "panelIndex": "1bc96a69-6907-4a25-9000-f1d476808080", + "title": "Table of Content", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5549cb09-0755-4170-848a-a514a3f21ca1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3610de1c-66cf-4e73-b443-ae863c9aadf3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "5549cb09-0755-4170-848a-a514a3f21ca1": { + "columnOrder": [ + "b1e6aec6-468b-4ff1-bb1f-07628982cdea" + ], + "columns": { + "b1e6aec6-468b-4ff1-bb1f-07628982cdea": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "High and Critical Vulnerability", + 
"operationType": "unique_count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "vulnerability.cve" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "sentinel_one.application_risk.severity", + "index": "3610de1c-66cf-4e73-b443-ae863c9aadf3", + "key": "sentinel_one.application_risk.severity", + "negate": false, + "params": [ + "CRITICAL", + "HIGH" + ], + "type": "phrases", + "value": [ + "CRITICAL", + "HIGH" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "sentinel_one.application_risk.severity": "CRITICAL" + } + }, + { + "match_phrase": { + "sentinel_one.application_risk.severity": "HIGH" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "5549cb09-0755-4170-848a-a514a3f21ca1", + "layerType": "data", + "metricAccessor": "b1e6aec6-468b-4ff1-bb1f-07628982cdea" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "sentinel_one.application_risk.severity", + "index": "logs-*", + "key": "sentinel_one.application_risk.severity", + "negate": false, + "params": [ + "CRITICAL", + "HIGH" + ], + "type": "phrases", + "value": [ + "CRITICAL", + "HIGH" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "sentinel_one.application_risk.severity": "CRITICAL" + } + }, + { + "match_phrase": { + "sentinel_one.application_risk.severity": "HIGH" + } + } + ] + } + } + } + ], + 
"hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 7, + "i": "c971af22-203d-47d5-9386-5da727ac74b8", + "w": 15, + "x": 10, + "y": 7 + }, + "panelIndex": "c971af22-203d-47d5-9386-5da727ac74b8", + "title": "High and Critical Vulnerability [Logs SentinelOne]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8291048e-6365-408f-8ba9-95919847f231", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "8291048e-6365-408f-8ba9-95919847f231": { + "columnOrder": [ + "bca95e37-a4e9-4b88-a874-6ed7e38625a9" + ], + "columns": { + "bca95e37-a4e9-4b88-a874-6ed7e38625a9": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Vulnerability ", + "operationType": "unique_count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "vulnerability.cve" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "8291048e-6365-408f-8ba9-95919847f231", + "layerType": "data", + "metricAccessor": "bca95e37-a4e9-4b88-a874-6ed7e38625a9" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "language": "kuery", + 
"query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 7, + "i": "746b8ad1-636e-4d63-8c15-962ad7300974", + "w": 15, + "x": 10, + "y": 0 + }, + "panelIndex": "746b8ad1-636e-4d63-8c15-962ad7300974", + "title": "Total Vulnerability [Logs SentinelOne]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e18d30d0-f39a-4d0f-8044-0fcbd1862198", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "e18d30d0-f39a-4d0f-8044-0fcbd1862198": { + "columnOrder": [ + "a65560c9-9ba1-4cf8-8ac3-1e77a0205d3d", + "b2ef418a-35c1-4b3e-83af-0b0088daa386" + ], + "columns": { + "a65560c9-9ba1-4cf8-8ac3-1e77a0205d3d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "CVE", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "b2ef418a-35c1-4b3e-83af-0b0088daa386", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "vulnerability.cve" + }, + "b2ef418a-35c1-4b3e-83af-0b0088daa386": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "a65560c9-9ba1-4cf8-8ac3-1e77a0205d3d", + "isTransposed": false + }, + { 
+ "columnId": "b2ef418a-35c1-4b3e-83af-0b0088daa386", + "isTransposed": false + } + ], + "layerId": "e18d30d0-f39a-4d0f-8044-0fcbd1862198", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 17, + "i": "a317ce8c-e92a-4b6e-9887-0bb678a25cf8", + "w": 10, + "x": 38, + "y": 14 + }, + "panelIndex": "a317ce8c-e92a-4b6e-9887-0bb678a25cf8", + "title": "Top Vulnerability [Logs SentinelOne]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d6a2a1d4-7970-4e71-87ff-b30c10342bad", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d6a2a1d4-7970-4e71-87ff-b30c10342bad": { + "columnOrder": [ + "8f4d13ea-7b9d-454d-a232-9153f204c997", + "377930e7-3d92-42e9-b573-12dc2fdb0373" + ], + "columns": { + "377930e7-3d92-42e9-b573-12dc2fdb0373": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Vulnerability", + "operationType": "unique_count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "vulnerability.cve" + }, + "8f4d13ea-7b9d-454d-a232-9153f204c997": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Application", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "377930e7-3d92-42e9-b573-12dc2fdb0373", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": 
"sentinel_one.application_risk.application" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "377930e7-3d92-42e9-b573-12dc2fdb0373" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "d6a2a1d4-7970-4e71-87ff-b30c10342bad", + "layerType": "data", + "seriesType": "bar_horizontal", + "xAccessor": "8f4d13ea-7b9d-454d-a232-9153f204c997" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_percentage_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 17, + "i": "a02957bb-1603-4f3e-8bb9-35244d6690a7", + "w": 28, + "x": 10, + "y": 14 + }, + "panelIndex": "a02957bb-1603-4f3e-8bb9-35244d6690a7", + "title": "Application by Vulnerability [Logs SentinelOne]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-aec928f6-a0eb-4995-85b6-844d1c00c34a", + "type": 
"index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "aec928f6-a0eb-4995-85b6-844d1c00c34a": { + "columnOrder": [ + "7bbcca58-f52c-4afd-98e6-12eee067a032", + "468a40e6-8917-4f74-ba2e-a9e4bfd2dab4" + ], + "columns": { + "468a40e6-8917-4f74-ba2e-a9e4bfd2dab4": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "CVE", + "operationType": "unique_count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "vulnerability.cve" + }, + "7bbcca58-f52c-4afd-98e6-12eee067a032": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Risk Severity", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "468a40e6-8917-4f74-ba2e-a9e4bfd2dab4", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "sentinel_one.application_risk.severity" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "aec928f6-a0eb-4995-85b6-844d1c00c34a", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "468a40e6-8917-4f74-ba2e-a9e4bfd2dab4" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + 
"7bbcca58-f52c-4afd-98e6-12eee067a032" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 14, + "i": "b301c7d1-65fb-4e9c-bd88-149976cbfaa6", + "w": 23, + "x": 25, + "y": 0 + }, + "panelIndex": "b301c7d1-65fb-4e9c-bd88-149976cbfaa6", + "title": "Application Vulnerability by Severity [Logs Sentinel]", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs SentinelOne] Application Risk", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-08-05T13:18:10.722Z", + "id": "sentinel_one-9d3f16ad-d421-4475-b0e2-c9b3f795e0d5", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c971af22-203d-47d5-9386-5da727ac74b8:indexpattern-datasource-layer-5549cb09-0755-4170-848a-a514a3f21ca1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c971af22-203d-47d5-9386-5da727ac74b8:3610de1c-66cf-4e73-b443-ae863c9aadf3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "746b8ad1-636e-4d63-8c15-962ad7300974:indexpattern-datasource-layer-8291048e-6365-408f-8ba9-95919847f231", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a317ce8c-e92a-4b6e-9887-0bb678a25cf8:indexpattern-datasource-layer-e18d30d0-f39a-4d0f-8044-0fcbd1862198", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a02957bb-1603-4f3e-8bb9-35244d6690a7:indexpattern-datasource-layer-d6a2a1d4-7970-4e71-87ff-b30c10342bad", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b301c7d1-65fb-4e9c-bd88-149976cbfaa6:indexpattern-datasource-layer-aec928f6-a0eb-4995-85b6-844d1c00c34a", + "type": 
"index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_37453bed-8c5d-4440-b59f-6139886d0c30:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "sentinel_one-security-solution-default",
+ "name": "tag-ref-sentinel_one-security-solution-default",
+ "type": "tag"
+ },
+ {
+ "id": "sentinel_one-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "dashboard",
+ "typeMigrationVersion": "10.2.0"
+}
\ No newline at end of file
diff --git a/packages/sentinel_one/kibana/tag/sentinel_one-security-solution-default.json b/packages/sentinel_one/kibana/tag/sentinel_one-security-solution-default.json
index 89ee62ea186..de43ab7e2a2 100644
--- a/packages/sentinel_one/kibana/tag/sentinel_one-security-solution-default.json
+++ b/packages/sentinel_one/kibana/tag/sentinel_one-security-solution-default.json
@@ -1,13 +1,12 @@
 {
 "attributes": {
- "color": "#00BFB3",
+ "color": "#F583B7",
 "description": "Tag defined in package-spec",
 "name": "Security Solution"
 },
 "coreMigrationVersion": "8.8.0",
- "created_at": "2025-05-09T10:41:46.010Z",
+ "created_at": "2025-08-05T11:48:23.245Z",
 "id": "sentinel_one-security-solution-default",
- "managed": true,
 "references": [],
 "type": "tag",
 "typeMigrationVersion": "8.0.0"
diff --git a/packages/sentinel_one/manifest.yml b/packages/sentinel_one/manifest.yml
index 938bbf6c2a4..a618faed30a 100644
--- a/packages/sentinel_one/manifest.yml
+++ b/packages/sentinel_one/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.4.0"
 name: sentinel_one
 title: SentinelOne
-version: "1.37.0"
+version: "1.38.0"
 description: Collect logs from SentinelOne with Elastic Agent.
 type: integration
 categories:
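Review bot: Dropping `"managed": true` from the tag saved object is a behavioural change folded into what otherwise reads as a plain re-export (new colour and created_at); if Kibana uses that flag to mark package-installed objects as read-only in the UI, the tag becomes user-editable and deletable after this commit. If the newer elastic-package export now strips the flag, a sentence in the PR description saying so would settle it; otherwise restore `"managed": true,` after the `"id"` line. The colour change to `#F583B7` is fine provided it is the value package-spec prescribes for the Security Solution tag, which the file's own description claims to mirror.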
@@ -9,12 +9,16 @@ categories:
 - edr_xdr
 conditions:
 kibana:
- version: "^8.18.0 || ^9.0.0"
+ version: ^8.18.7 || ^8.19.4 || ^9.0.7 || ^9.1.4
 screenshots:
 - src: /img/sentinel-one-screenshot.png
 title: SentinelOne Threat Dashboard Screenshot
 size: 600x600
 type: image/png
+ - src: /img/sentinel-one-application-risk-dashboard.png
+ title: SentinelOne Application Risk Dashboard
+ size: 600x600
+ type: image/png
 - src: /img/sentinel-one-application-dashboard.png
 title: SentinelOne Application Dashboard Screenshot
 size: 600x600
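Review bot: The new `kibana.version` constraint is written as an unquoted plain scalar where the removed line quoted it; `^8.18.7 || ^8.19.4 || ^9.0.7 || ^9.1.4` still parses as a string (neither `^` nor `|` followed by a space is a YAML indicator here), but keeping it quoted — `version: "^8.18.7 || ^8.19.4 || ^9.0.7 || ^9.1.4"` — matches `format_version: "3.4.0"` and `version: "1.38.0"` in the same file and avoids a future edit that starts the value with a character YAML does treat specially. Raising the floor from `^8.18.0` to `^8.18.7` and adding `^8.19.4`/`^9.0.7`/`^9.1.4` excludes earlier patch releases of each minor, which is presumably deliberate (a required Kibana fix), so the reason belongs in the changelog entry for 1.38.0. The added screenshot's title `SentinelOne Application Risk Dashboard` omits the trailing "Screenshot" that both neighbouring entries use, and `/img/sentinel-one-application-risk-dashboard.png` must exist in the package's `img/` directory for package validation to pass.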