Sentinel EDR¶
About¶
SentinelOne’s ActiveEDR is powered by patented Storyline technology that reduces threat dwell time by making EDR detection, investigation, and response operations far easier and far reaching with massive data retention horizons to 365+ days. The net result is easy and fast attack mitigation, long term EDR visibility, and recovery with minimal friction and minimal interruption.
Product Details¶
Vendor URL: Sentinel EDR
Product Type: EDR
Product Tier: Tier I
Integration Method: Syslog
Integration URL: Sentinel EDR - Cyderes Documentation
Log Guide: Sample Logs by Log Type
Parser Details¶
Log Format: Syslog
Expected Normalization Rate: Near 100%
Data Label: SENTINEL_EDR
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| activityType | metadata.product_event_type |
| cat | additional.fields |
| deviceAddress | observer.ip |
| deviceHostFqdn | observer.hostname |
| eventDesc | metadata.description |
| eventDesc | security_result.summary |
| fileHash | target.file.sha256 |
| fileHash | target.file.md5 |
| fileHash | target.file.sha1 |
| fileName | target.process.file.full_path |
| ip | principal.nat_ip |
| noteText | security_result.summary |
| originatorName | target.hostname |
| originatorVersion | principal.asset.software.version |
| sourceDnsDomain | principal.administrative_domain |
| sourceHostName | principal.hostname |
| sourceIpAddress | principal.ip |
| sourceMacAddresses | principal.mac |
| sourceOsType | principal.platform |
| sourceUserId | principal.user.userid |
| sourceUserName | principal.user.user_display_name |
| suser | principal.user.user_display_name |
| threatClassification | security_result.threat_id |
| threatDetectingEngine | security_result.category_details |
| threatMitigationStatus | security_result.threat_status |
| threatConfidenceLevel | security_result.confidence_details |
| threatMitigatedPreemptively | security_result.action_details |
| threatMitigationStatusLabel | security_result.severity_details |
| threatMitigationStatusID | security_result.priority_details |
| userEmail | target.user.userid |
Product Event Types¶
| Event | UDM Event Classification | Security Category | alerting enabled |
|---|---|---|---|
| 17 = Computer subscribed and joined the group | STATUS_UNCATEGORIZED | ||
| 19 = Threat detected | PROCESS_LAUNCH | ||
| 2001 = Threat killed | PROCESS_TERMINATION | ||
| 2004 = Threat quarantined successfully | PROCESS_UNCATEGORIZED | ||
| 3100 = New agent package available | GENERIC_EVENT | ||
| 33 = New Console Logout Activity | USER_LOGOUT | ||
| 4002 = New suspicious threat detected | STATUS_UNCATEGORIZED | ||
| 4008 = Threat status changed | STATUS_UNCATEGORIZED | ||
| 43 = Agent was updated | STATUS_UPDATE | ||
| 47 = Machine decom | GENERIC_EVENT | ||
| 5021 = Management user updated site | USER_RESOURCE_UPDATE_CONTENT | ||
| 5126 = USB Drive disconnected | GENERIC_EVENT | ||
| 71 = Management user initiated full disk scan | SCAN_HOST | ||
| 90 = Agent initiated full disk scan | SCAN_HOST | ||
| 92 = Completed full disk scan | SCAN_HOST | ||
| all undefined events | GENERIC_EVENT | ||
| New Active Threat | SOFTWARE_MALICIOUS | TRUE | |
| New Blocked Threat | SOFTWARE_MALICIOUS | TRUE | |
| New Suspicious Threat | SOFTWARE_MALICIOUS | TRUE |
Log Sample¶
<14>2021-07-30 11:16:51,872 sentinel - CEF:2|SentinelOne|Mgmt|suser=username|fileName=SourceTree.exe|oldValue=Undefined|newValue=False positive|rt=2021-07-30 11:16:44.395144|deviceAddress=10.22.1.71|deviceHostFqdn=fqdn|deviceHostName=fqdn|notificationScope=SITE|siteId=siteid|siteName=Default site|accountId=accountid|accountName=Company|vendor=SentinelOne|eventID=2030|eventDesc=Analyst verdict changed|eventSeverity=1|originatorName=originator|originatorVersion=4.5.2.136|sourceAgentLastActivityTimestamp=2021-07-30 11:16:12.962792|sourceAgentRegisterTimestamp=2021-05-11 22:33:22.166754|sourceNetworkState=connected|sourceOsRevision=17134|sourceOsType=windows|sourceAgentUuid=uuid|sourceFqdn=fqdn|sourceThreatCount=0|sourceMgmtPrecievedAddress=10.10.10.1|sourceDnsDomain=DOMAIN|sourceHostName=hostname|sourceUserName=first.last|sourceUserId=sid|sourceAgentId=agent|sourceGroupId=group|sourceGroupName=Default Group|sourceIpAddresses=['10.3.205.127', 'fe80::19dc:cd68:a2fc:4b23']|sourceMacAddresses=['00:50:56:b6:a5:e2']|threatClassification=Generic.Heuristic|threatClassificationSource=Cloud|threatDetectingEngine=windows.executables|threatClassifier=LOGIC|threatMitigationStatus=marked_as_benign|threatConfidenceLevel=suspicious|threatMitigatedPreemptively=False|threatMitigationStatusLabel=suspicious_resolved|threatMitigationStatusID=5|threatCommandLineArguments=|threatID=threatid|threatStoryline=threatstory|threatDetectionTime=2021-07-30 07:59:31.846392|threatIndicatorsList=[88, 293]|threatProcessUser=DOMAIN\first.last|fileHashSha256=None|fileHashMd5=None|cat=THREATMANAGEMENT|activityID=actid|activityType=2030
Sample Parsing¶
metadata.event_timestamp = "2021-07-30T11:16:51Z"
metadata.event_type = "GENERIC_EVENT"
metadata.product_name = "Sentinel One"
metadata.product_event_type = "2030"
metadata.description = "Analyst verdict changed"
metadata.ingested_timestamp = "2021-07-30T11:18:25.287966Z"
additional.Category = "THREATMANAGEMENT"
principal.hostname = "hostname"
principal.user.userid = "sid"
principal.user.user_display_name = "first.last"
principal.platform = "WINDOWS"
principal.ip = "10.3.205.127"
principal.mac = "00:50:56:b6:a5:e2"
principal.administrative_domain = "DOMAIN"
principal.asset.software.version = "4.5.2.136"
target.process.file.full_path = " SourceTree.exe"
observer.hostname = "fqdn"
observer.ip = "10.22.171.71"
security_result.category_details = "windows.executables"
security_result.summary = "Analyst verdict changed"
security_result.threat_id = "Generic.Heuristic"
security_result.threat_status = "FALSE_POSITIVE"
Parser Alerting¶
Alerting criteria is listed in the Product Event Types table above.
Rules¶
Coming Soon