sentinel_one: Add support for application risk data stream and ilm policy to application data stream.

Added support for ingesting data through the SentinelOne application risk data stream.
This includes necessary configuration updates and input adjustments to enable collection and parsing of
application risk–related events, ensuring accurate ingestion and processing of risk insights
from supported sources.
Also added ilm policy to the application data stream.

Tested on the live samples collected through the SentinelOne API.

Author: mohitjha-elastic

packages/sentinel_one/_dev/benchmark/rally/application_risk-benchmark.yml

@@ -0,0 +1,14 @@
+---
+description: Benchmark 100000 sentinel_one.application_risk events ingested
+data_stream:
+   name: application_risk
+corpora:
+   generator:
+      total_events: 100000
+      template:
+         type: gotext
+         path: ./applicationrisk-benchmark/template.ndjson
+      config:
+         path: ./applicationrisk-benchmark/config.yml
+      fields:
+         path: ./applicationrisk-benchmark/fields.yml

packages/sentinel_one/_dev/benchmark/rally/applicationrisk-benchmark/config.yml

@@ -0,0 +1,88 @@
+fields:
+  - name: application
+    cardinality: 1000
+  - name: applicationName
+    cardinality: 10000
+  - name: applicationVendor
+    cardinality: 10
+  - name: applicationVersion
+    cardinality: 10
+  - name: baseScore
+    range:
+      min: 1
+      max: 10
+    fuzziness: 0.01
+  - name: cveId
+    cardinality: 1000
+  - name: cvssVersion
+    cardinality: 100
+  - name: daysDetected
+    range:
+      min: 0
+      max: 10000
+    cardinality: 1000
+  - name: endpointId
+    range:
+      min: 100000000000000000
+      max: 999999999999999999
+    cardinality: 10000
+    enum:
+      - desktop
+      - laptop
+      - server
+      - unknown
+  - name: endpointName
+    cardinality: 1000
+  - name: endpointType
+  - name: exploitCodeMaturity
+    cardinality: 1000
+  - name: id
+    range:
+      min: 100000000000000000
+      max: 999999999999999999
+    cardinality: 10000
+  - name: lastScanResult
+    cardinality: 10
+  - name: markType
+    cardinality: 1000
+  - name: markedBy
+    cardinality: 1000
+  - name: mitigationStatus
+    cardinality: 1000
+  - name: mitigationStatusChangeTime
+    cardinality: 1000
+  - name: mitigationStatusChangedBy
+    cardinality: 1000
+  - name: mitigationStatusReason
+    cardinality: 1000
+  - name: nvdBaseScore
+    range:
+      min: 1
+      max: 10
+    fuzziness: 0.01
+  - name: nvdCvssVersion
+    cardinality: 1000
+  - name: osType
+    enum:
+      - linux
+      - windows
+      - macos
+      - windows_legacy
+  - name: reason
+    cardinality: 1000
+  - name: remediationLevel
+    cardinality: 1000
+  - name: reportConfidence
+    cardinality: 1000
+  - name: riskScore
+    range:
+      min: 1
+      max: 10
+    fuzziness: 0.01
+  - name: severity
+    enum:
+      - HIGH
+      - MEDIUM
+      - LOW
+  - name: status
+    cardinality: 10

packages/sentinel_one/_dev/benchmark/rally/applicationrisk-benchmark/fields.yml

@@ -0,0 +1,58 @@
+- name: application
+  type: keyword
+- name: applicationName
+  type: keyword
+- name: applicationVendor
+  type: keyword
+- name: applicationVersion
+  type: keyword
+- name: baseScore
+  type: float
+- name: cveId
+  type: keyword
+- name: cvssVersion
+  type: keyword
+- name: daysDetected
+  type: long
+- name: endpointId
+  type: keyword
+- name: endpointName
+  type: keyword
+- name: endpointType
+  type: keyword
+- name: exploitCodeMaturity
+  type: keyword
+- name: id
+  type: keyword
+- name: lastScanResult
+  type: keyword
+- name: markType
+  type: keyword
+- name: markedBy
+  type: keyword
+- name: mitigationStatus
+  type: keyword
+- name: mitigationStatusChangeTime
+  type: date
+- name: mitigationStatusChangedBy
+  type: keyword
+- name: mitigationStatusReason
+  type: keyword
+- name: nvdBaseScore
+  type: double
+- name: nvdCvssVersion
+  type: keyword
+- name: osType
+  type: keyword
+- name: reason
+  type: keyword
+- name: remediationLevel
+  type: keyword
+- name: reportConfidence
+  type: keyword
+- name: riskScore
+  type: double
+- name: severity
+  type: keyword
+- name: status
+  type: keyword

packages/sentinel_one/_dev/benchmark/rally/applicationrisk-benchmark/template.ndjson

@@ -0,0 +1,91 @@
+{{- $application := generate "application" }}
+{{- $applicationName := generate "applicationName" }}
+{{- $applicationVendor := generate "applicationVendor" }}
+{{- $applicationVersion := generate "applicationVersion" }}
+{{- $baseScore := generate "baseScore" }}
+{{- $cveId := generate "cveId" }}
+{{- $cvssVersion := generate "cvssVersion" }}
+{{- $daysDetected := generate "daysDetected" }}
+{{- $endpointId := generate "endpointId" }}
+{{- $endpointName := generate "endpointName" }}
+{{- $endpointType := generate "endpointType" }}
+{{- $exploitCodeMaturity := generate "exploitCodeMaturity" }}
+{{- $id := generate "id" }}
+{{- $lastScanResult := generate "lastScanResult" }}
+{{- $markType := generate "markType" }}
+{{- $markedBy := generate "markedBy" }}
+{{- $mitigationStatus := generate "mitigationStatus" }}
+{{- $mitigationStatusChangedBy := generate "mitigationStatusChangedBy" }}
+{{- $mitigationStatusReason := generate "mitigationStatusReason" }}
+{{- $nvdBaseScore := generate "nvdBaseScore" }}
+{{- $nvdCvssVersion := generate "nvdCvssVersion" }}
+{{- $osType := generate "osType" }}
+{{- $reason := generate "reason" }}
+{{- $remediationLevel := generate "remediationLevel" }}
+{{- $reportConfidence := generate "reportConfidence" }}
+{{- $riskScore := generate "riskScore" }}
+{{- $severity := generate "severity" }}
+{{- $status := generate "status" }}
+{{- /*
+{
+    "application": "{{ $application }}",
+    "applicationName": "{{ $applicationName }}",
+    "applicationVendor": "{{ $applicationVendor }}",
+    "applicationVersion": "{{ $applicationVersion }}",
+    "baseScore": "{{ $baseScore }}",
+    "cveId": "{{ $cveId }}",
+    "cvssVersion": "{{ $cvssVersion }}",
+    "daysDetected": "{{ $daysDetected }}",
+    "endpointId": "{{ $endpointId }}",
+    "endpointName": "{{ $endpointName }}",
+    "endpointType": "{{ $endpointType }}",
+    "exploitCodeMaturity": "{{ $exploitCodeMaturity }}",
+    "id": "{{ $id }}",
+    "lastScanResult": "{{ $lastScanResult }}",
+    "markType": "{{ $markType }}",
+    "markedBy": "{{ $markedBy }}",
+    "mitigationStatus": "{{ $mitigationStatus }}",
+    "mitigationStatusChangedBy": "{{ $mitigationStatusChangedBy }}",
+    "mitigationStatusReason": "{{ $mitigationStatusReason }}",
+    "nvdBaseScore": "{{ $nvdBaseScore }}",
+    "nvdCvssVersion": "{{ $nvdCvssVersion }}",
+    "osType": "{{ $osType }}",
+    "reason": "{{ $reason }}",
+    "remediationLevel": "{{ $remediationLevel }}",
+    "reportConfidence": "{{ $reportConfidence }}",
+    "riskScore": "{{ $riskScore }}",
+    "severity": "{{ $severity }}",
+    "status": "{{ $status }}"
+}
+*/ -}}
+{
+    "agent": {
+        "ephemeral_id": "cdaaaabb-be7e-432f-816b-bda019fd7c15",
+        "id": "da6cb4c8-c84c-4c5f-97c7-f8586a098af4",
+        "name": "docker-fleet-agent",
+        "type": "filebeat",
+        "version": "8.18.0"
+    },
+    "data_stream": {
+        "dataset": "sentinel_one.application_risk",
+        "namespace": "93724",
+        "type": "logs"
+    },
+    "elastic_agent": {
+        "id": "da6cb4c8-c84c-4c5f-97c7-f8586a098af4",
+        "snapshot": false,
+        "version": "8.18.0"
+    },
+    "message": "{\"application\": \"{{ $application }}\", \"applicationName\": \"{{ $applicationName }}\", \"applicationVendor\": \"{{ $applicationVendor }}\", \"applicationVersion\": \"{{ $applicationVersion }}\", \"baseScore\": \"{{ $baseScore }}\", \"cveId\": \"{{ $cveId }}\", \"cvssVersion\": \"{{ $cvssVersion }}\", \"daysDetected\": \"{{ $daysDetected }}\", \"endpointId\": \"{{ $endpointId }}\", \"endpointName\": \"{{ $endpointName }}\", \"endpointType\": \"{{ $endpointType }}\", \"exploitCodeMaturity\": \"{{ $exploitCodeMaturity }}\", \"id\": \"{{ $id }}\", \"lastScanResult\": \"{{ $lastScanResult }}\", \"markType\": \"{{ $markType }}\", \"markedBy\": \"{{ $markedBy }}\", \"mitigationStatus\": \"{{ $mitigationStatus }}\", \"mitigationStatusChangedBy\": \"{{ $mitigationStatusChangedBy }}\", \"mitigationStatusReason\": \"{{ $mitigationStatusReason }}\", \"nvdBaseScore\": \"{{ $nvdBaseScore }}\", \"nvdCvssVersion\": \"{{ $nvdCvssVersion }}\", \"osType\": \"{{ $osType }}\", \"reason\": \"{{ $reason }}\", \"remediationLevel\": \"{{ $remediationLevel }}\", \"reportConfidence\": \"{{ $reportConfidence }}\", \"riskScore\": \"{{ $riskScore }}\", \"severity\": \"{{ $severity }}\", \"status\": \"{{ $status }}\"}",
+    "event": {
+        "dataset": "sentinel_one.application_risk"
+    },
+    "input": {
+        "type": "cel"
+    },
+    "tags": [
+        "preserve_original_event",
+        "forwarded",
+        "sentinel_one-application_risk"
+    ]
+}

packages/sentinel_one/_dev/build/docs/README.md

@@ -73,6 +73,14 @@ This is the `application` dataset.
 
 {{fields "application"}}
 
+### application risk
+
+This is the `application risk` dataset.
+
+{{event "application_risk"}}
+
+{{fields "application_risk"}}
+
 ### group
 
 This is the `group` dataset.
@@ -87,4 +95,4 @@ This is the `threat` dataset.
 
 {{event "threat"}}
 
-{{fields "threat"}}
+{{fields "threat"}}