diff --git a/packages/sentinel_one/_dev/build/docs/README.md b/packages/sentinel_one/_dev/build/docs/README.md
index 4daee91687c..f3fd7e1132d 100644
--- a/packages/sentinel_one/_dev/build/docs/README.md
+++ b/packages/sentinel_one/_dev/build/docs/README.md
@@ -87,4 +87,12 @@ This is the `threat` dataset.
 
 {{event "threat"}}
 
-{{fields "threat"}}
\ No newline at end of file
+{{fields "threat"}}
+
+### application risk
+
+This is the `application risk` dataset.
+
+{{event "application_risk"}}
+
+{{fields "application_risk"}}
diff --git a/packages/sentinel_one/_dev/deploy/docker/files/config.yml b/packages/sentinel_one/_dev/deploy/docker/files/config.yml
index 415c58e9439..dd45e3a5654 100644
--- a/packages/sentinel_one/_dev/deploy/docker/files/config.yml
+++ b/packages/sentinel_one/_dev/deploy/docker/files/config.yml
@@ -352,3 +352,200 @@ rules:
 }
 }
 `}}
+ - path: /web/api/v2.1/application-management/risks
+ methods: ['GET']
+ query_params:
+ limit: 2
+ cursor: null
+ request_headers:
+ Authorization:
+ - "ApiToken xxxx"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - 'application/json'
+ body: |-
+ {{ minify_json `
+ {
+ "data": [
+ {
+ "application": "7-Zip 22.01",
+ "applicationName": "7-Zip",
+ "applicationVendor": "Igor Pavlov",
+ "applicationVersion": "22.01",
+ "baseScore": "7.00",
+ "cveId": "CVE-2025-0411",
+ "cvssVersion": "3.1",
+ "daysDetected": 59,
+ "detectionDate": "2025-06-02T04:46:51.710569Z",
+ "endpointId": "2162143406517023959",
+ "endpointName": "test_endpoint",
+ "endpointType": "desktop",
+ "id": "2228104980801805822",
+ "lastScanDate": "2025-07-29T19:25:47Z",
+ "lastScanResult": "Succeeded",
+ "markType": "",
+ "markedBy": null,
+ "markedDate": null,
+ "osType": "windows",
+ "publishedDate": "2025-01-20T07:04:04Z",
+ "reason": null,
+ "severity": "HIGH",
+ "status": "Detected"
+ },
+ {
+ "application": "7-Zip 22.01",
+ "applicationName": "7-Zip",
+ "applicationVendor": "Igor Pavlov",
+ "applicationVersion": "22.01",
+ "baseScore": "7.80",
+ "cveId": "CVE-2024-11477",
+ "cvssVersion": "3.1",
+ "daysDetected": 59,
+ "detectionDate": "2025-06-02T04:46:51.710578Z",
+ "endpointId": "2162143406517023959",
+ "endpointName": "example_endpoint",
+ "endpointType": "desktop",
+ "id": "2228104981028298282",
+ "lastScanDate": "2025-07-29T19:25:47Z",
+ "lastScanResult": "Succeeded",
+ "markType": "",
+ "markedBy": null,
+ "markedDate": null,
+ "osType": "windows",
+ "publishedDate": "2024-11-21T06:42:16Z",
+ "reason": null,
+ "severity": "HIGH",
+ "status": "Detected"
+ }
+ ],
+ "pagination": {
+ "nextCursor": "page2",
+ "totalItems": 5
+ }
+ }
+ `}}
+ - path: /web/api/v2.1/application-management/risks
+ methods: ['GET']
+ query_params:
+ limit: 2
+ cursor: page2
+ request_headers:
+ Authorization:
+ - "ApiToken xxxx"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - 'application/json'
+ body: |-
+ {{ minify_json `
+ {
+ "data": [
+ {
+ "application": "Microsoft Edge 112.0.1722.68",
+ "applicationName": "Microsoft Edge",
+ "applicationVendor": "Microsoft Corporation",
+ "applicationVersion": "112.0.1722.68",
+ "baseScore": "4.30",
+ "cveId": "CVE-2024-29057",
+ "cvssVersion": "3.1",
+ "daysDetected": 59,
+ "detectionDate": "2025-06-02T04:46:51.710587Z",
+ "endpointId": "2162143406517023959",
+ "endpointName": "DESKTOP-example",
+ "endpointType": "desktop",
+ "id": "2228104981036686896",
+ "lastScanDate": "2025-07-29T19:25:47Z",
+ "lastScanResult": "Succeeded",
+ "markType": "",
+ "markedBy": null,
+ "markedDate": null,
+ "osType": "windows",
+ "publishedDate": "2024-03-22T22:15:00Z",
+ "reason": null,
+ "severity": "MEDIUM",
+ "status": "Detected"
+ },
+ {
+ "application": "Microsoft Edge 112.0.1722.68",
+ "applicationName": "Microsoft Edge",
+ "applicationVendor": "Microsoft Corporation",
+ "applicationVersion": "112.0.1722.68",
+ "baseScore": "6.10",
+ "cveId": "CVE-2024-38156",
+ "cvssVersion": "3.1",
+ "daysDetected": 59,
+ "detectionDate": "2025-06-02T04:46:51.710591Z",
+ "endpointId": "2162143406517023959",
+ "endpointName": "DESKTOP-test",
+ "endpointType": "desktop",
+ "id": "2228104981070241336",
+ "lastScanDate": "2025-07-29T19:25:47Z",
+ "lastScanResult": "Succeeded",
+ "markType": "",
+ "markedBy": null,
+ "markedDate": null,
+ "osType": "windows",
+ "publishedDate": "2024-07-18T05:39:23Z",
+ "reason": null,
+ "severity": "MEDIUM",
+ "status": "Detected"
+ }
+ ],
+ "pagination": {
+ "nextCursor": "page3",
+ "totalItems": 5
+ }
+ }
+ `}}
+ - path: /web/api/v2.1/application-management/risks
+ methods: ['GET']
+ query_params:
+ limit: 2
+ cursor: page3
+ request_headers:
+ Authorization:
+ - "ApiToken xxxx"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - 'application/json'
+ body: |-
+ {{ minify_json `
+ {
+ "data": [
+ {
+ "application": "Microsoft Edge 112.0.1722.68",
+ "applicationName": "Microsoft Edge",
+ "applicationVendor": "Microsoft Corporation",
+ "applicationVersion": "112.0.1722.68",
+ "baseScore": "6.50",
+ "cveId": "CVE-2024-38222",
+ "cvssVersion": "3.1",
+ "daysDetected": 59,
+ "detectionDate": "2025-06-02T04:46:51.710593Z",
+ "endpointId": "2162143406517023959",
+ "endpointName": "DESKTOP-R1E2DQ2",
+ "endpointType": "desktop",
+ "id": "2228104981095407166",
+ "lastScanDate": "2025-07-29T19:25:47Z",
+ "lastScanResult": "Succeeded",
+ "markType": "",
+ "markedBy": null,
+ "markedDate": null,
+ "osType": "windows",
+ "publishedDate": "2024-08-13T18:27:28Z",
+ "reason": null,
+ "severity": "MEDIUM",
+ "status": "Detected"
+ }
+ ],
+ "pagination": {
+ "nextCursor": null,
+ "totalItems": 5
+ }
+ }
+ `}}
diff --git a/packages/sentinel_one/changelog.yml b/packages/sentinel_one/changelog.yml
index 2c54269c209..4d9d4cbd97c 100644
--- a/packages/sentinel_one/changelog.yml
+++ b/packages/sentinel_one/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.38.0"
+ changes:
+ - description: Add support for application risk data stream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/14910
 - version: "1.37.0"
 changes:
 - description: Add support for application data stream.
diff --git a/packages/sentinel_one/data_stream/application_risk/_dev/test/pipeline/test-application-risk.log b/packages/sentinel_one/data_stream/application_risk/_dev/test/pipeline/test-application-risk.log
new file mode 100644
index 00000000000..337aa387549
--- /dev/null
+++ b/packages/sentinel_one/data_stream/application_risk/_dev/test/pipeline/test-application-risk.log
@@ -0,0 +1,10 @@
+{"application":"7-Zip 22.01","applicationName":"7-Zip","applicationVendor":"Igor Pavlov","applicationVersion":"22.01","baseScore":"7.00","cveId":"CVE-2025-0411","cvssVersion":"3.1","daysDetected":59,"detectionDate":"2025-06-02T04:46:51.710569Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2228104980801805822","lastScanDate":"2025-07-29T19:25:47Z","lastScanResult":"Succeeded","markType":"","markedBy":null,"markedDate":null,"osType":"windows","publishedDate":"2025-01-20T07:04:04Z","reason":null,"severity":"HIGH","status":"Detected"}
+{"application":"Microsoft Edge 112.0.1722.68","applicationName":"Microsoft Edge","applicationVendor":"Microsoft Corporation","applicationVersion":"112.0.1722.68","baseScore":"4.30","cveId":"CVE-2024-29057","cvssVersion":"3.1","daysDetected":59,"detectionDate":"2025-06-02T04:46:51.710587Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2228104981036686896","lastScanDate":"2025-07-29T19:25:47Z","lastScanResult":"Succeeded","markType":"","markedBy":null,"markedDate":null,"osType":"windows","publishedDate":"2024-03-22T22:15:00Z","reason":null,"severity":"MEDIUM","status":"Detected"}
+{"application":"Microsoft Edge WebView2 Runtime 112.0.1722.64","applicationName":"Microsoft Edge WebView2 Runtime","applicationVendor":"Microsoft Corporation","applicationVersion":"112.0.1722.64","baseScore":"4.70","cveId":"CVE-2024-26247","cvssVersion":"3.1","daysDetected":59,"detectionDate":"2025-06-02T04:46:51.710624Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2228104981154127438","lastScanDate":"2025-07-29T19:25:47Z","lastScanResult":"Succeeded","markType":"","markedBy":null,"markedDate":null,"osType":"windows","publishedDate":"2024-03-22T22:15:00Z","reason":null,"severity":"MEDIUM","status":"Detected"}
+{"application":"VMware Tools 10.3.10.12406962","applicationName":"VMware Tools","applicationVendor":"VMware, Inc.","applicationVersion":"10.3.10.12406962","baseScore":"7.10","cveId":"CVE-2022-22977","cvssVersion":"3.1","daysDetected":59,"detectionDate":"2025-06-02T04:46:51.710668Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2228104981196070492","lastScanDate":"2025-07-29T19:25:47Z","lastScanResult":"Succeeded","markType":"","markedBy":null,"markedDate":null,"osType":"windows","publishedDate":"2022-05-24T19:15:00Z","reason":null,"severity":"HIGH","status":"Detected"}
+{"application":"PuTTY release 0.77.0.0","applicationName":"PuTTY release","applicationVendor":"Simon Tatham","applicationVersion":"0.77.0.0","baseScore":"5.90","cveId":"CVE-2024-31497","cvssVersion":"3.1","daysDetected":10,"detectionDate":"2025-07-21T18:00:44.231765Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2264018562208952766","lastScanDate":"2025-07-29T19:25:47Z","lastScanResult":"Succeeded","markType":"","markedBy":null,"markedDate":null,"osType":"windows","publishedDate":"2024-04-15T20:15:00Z","reason":null,"severity":"MEDIUM","status":"Detected"}
+{"application":"7-Zip 22.01","applicationName":"7-Zip","applicationVendor":"Igor Pavlov","applicationVersion":"22.01","baseScore":"7.80","cveId":"CVE-2024-11477","cvssVersion":"3.1","daysDetected":72,"detectionDate":"2025-06-02T04:46:51.710578Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2228104981028298282","lastScanDate":"2025-08-11T18:02:20Z","lastScanResult":"Succeeded","markType":"","markedBy":null,"markedDate":null,"osType":"windows","publishedDate":"2024-11-21T06:42:16Z","reason":null,"severity":"HIGH","status":"Detected"}
+{"application":"Microsoft Edge 112.0.1722.68","applicationName":"Microsoft Edge","applicationVendor":"Microsoft Corporation","applicationVersion":"112.0.1722.68","baseScore":"6.10","cveId":"CVE-2024-38156","cvssVersion":"3.1","daysDetected":72,"detectionDate":"2025-06-02T04:46:51.710591Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2228104981070241336","lastScanDate":"2025-08-11T18:02:20Z","lastScanResult":"Succeeded","markType":"","markedBy":null,"markedDate":null,"osType":"windows","publishedDate":"2024-07-18T05:39:23Z","reason":null,"severity":"MEDIUM","status":"Detected"}
+{"application":"Microsoft Edge 112.0.1722.68","applicationName":"Microsoft Edge","applicationVendor":"Microsoft Corporation","applicationVersion":"112.0.1722.68","baseScore":"6.50","cveId":"CVE-2024-38222","cvssVersion":"3.1","daysDetected":72,"detectionDate":"2025-06-02T04:46:51.710593Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2228104981095407166","lastScanDate":"2025-08-11T18:02:20Z","lastScanResult":"Succeeded","markType":"","markedBy":null,"markedDate":null,"osType":"windows","publishedDate":"2024-08-13T18:27:28Z","reason":null,"severity":"MEDIUM","status":"Detected"}
+{"application":"Microsoft Edge 112.0.1722.68","applicationName":"Microsoft Edge","applicationVendor":"Microsoft Corporation","applicationVersion":"112.0.1722.68","baseScore":"9.60","cveId":"CVE-2024-7971","cvssVersion":"3.1","daysDetected":72,"detectionDate":"2025-06-02T04:46:51.710604Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2228104981128961604","lastScanDate":"2025-08-11T18:02:20Z","lastScanResult":"Succeeded","markType":"","markedBy":null,"markedDate":null,"osType":"windows","publishedDate":"2024-08-21T21:15:00Z","reason":null,"severity":"CRITICAL","status":"Detected"}
+{"application":"Microsoft Edge 112.0.1722.68","applicationName":"Microsoft Edge","applicationVendor":"Microsoft Corporation","applicationVersion":"112.0.1722.68","baseScore":"4.70","cveId":"CVE-2024-38082","cvssVersion":"3.1","daysDetected":72,"detectionDate":"2025-06-02T04:46:51.710607Z","endpointId":"2162143406517023959","endpointName":"DESKTOP-R1E2DQ2","endpointType":"desktop","id":"2228104981137350215","lastScanDate":"2025-08-11T18:02:20Z","lastScanResult":"Succeeded","markType":"","markedBy":null,"markedDate":null,"osType":"windows","publishedDate":"2024-06-20T20:15:00Z","reason":null,"severity":"MEDIUM","status":"Detected"}
diff --git a/packages/sentinel_one/data_stream/application_risk/_dev/test/pipeline/test-application-risk.log-expected.json b/packages/sentinel_one/data_stream/application_risk/_dev/test/pipeline/test-application-risk.log-expected.json
new file mode 100644
index 00000000000..d327a118ddc
--- /dev/null
+++ b/packages/sentinel_one/data_stream/application_risk/_dev/test/pipeline/test-application-risk.log-expected.json
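Review bot: All ten sample records share one `endpointId` (`2162143406517023959`), `osType` `windows`, `status` `Detected` and empty `markType`/`markedBy`/`markedDate`/`reason`, so the pipeline test never exercises a non-Windows OS, a marked risk or a populated `reason`. ECS `host.os.type` is a constrained keyword set (`linux`, `macos`, `unix`, `windows`, `ios`, `android`), so one record with another SentinelOne `osType` value would show whether the pipeline passes it through unchanged or needs to normalize it, and one record with `markedBy`/`markedDate`/`reason` set would pin how those fields are kept rather than dropped. The ingest pipeline itself is not in this diff, so this is inferred from the sample input and the expected output only.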
@@ -0,0 +1,714 @@ +{ + "expected": [ + { + "@timestamp": "2025-07-29T19:25:47.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "2228104980801805822", + "kind": "event", + "original": "{\"application\":\"7-Zip 22.01\",\"applicationName\":\"7-Zip\",\"applicationVendor\":\"Igor Pavlov\",\"applicationVersion\":\"22.01\",\"baseScore\":\"7.00\",\"cveId\":\"CVE-2025-0411\",\"cvssVersion\":\"3.1\",\"daysDetected\":59,\"detectionDate\":\"2025-06-02T04:46:51.710569Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"DESKTOP-R1E2DQ2\",\"endpointType\":\"desktop\",\"id\":\"2228104980801805822\",\"lastScanDate\":\"2025-07-29T19:25:47Z\",\"lastScanResult\":\"Succeeded\",\"markType\":\"\",\"markedBy\":null,\"markedDate\":null,\"osType\":\"windows\",\"publishedDate\":\"2025-01-20T07:04:04Z\",\"reason\":null,\"severity\":\"HIGH\",\"status\":\"Detected\"}", + "outcome": "success", + "severity": 73, + "type": [ + "info" + ] + }, + "host": { + "id": "2162143406517023959", + "os": { + "type": "windows" + }, + "type": "desktop" + }, + "package": { + "name": "7-Zip", + "version": "22.01" + }, + "resource": { + "id": "2162143406517023959", + "name": "DESKTOP-R1E2DQ2" + }, + "sentinel_one": { + "application_risk": { + "application": "7-Zip 22.01", + "application_name": "7-Zip", + "application_vendor": "Igor Pavlov", + "application_version": "22.01", + "base_score": 7.0, + "cve_id": "CVE-2025-0411", + "cvss_version": "3.1", + "days_detected": 59, + "detection_date": "2025-06-02T04:46:51.710Z", + "endpoint_id": "2162143406517023959", + "endpoint_name": "DESKTOP-R1E2DQ2", + "endpoint_type": "desktop", + "id": "2228104980801805822", + "last_scan_date": "2025-07-29T19:25:47.000Z", + "last_scan_result": "Succeeded", + "os_type": "windows", + "published_date": "2025-01-20T07:04:04.000Z", + "severity": "HIGH", + "status": "Detected" + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "cve": 
"CVE-2025-0411", + "id": "CVE-2025-0411", + "package": { + "published_date": "2025-01-20T07:04:04.000Z" + }, + "score": { + "base": 7.0, + "version": "3.1" + } + } + }, + { + "@timestamp": "2025-07-29T19:25:47.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "2228104981036686896", + "kind": "event", + "original": "{\"application\":\"Microsoft Edge 112.0.1722.68\",\"applicationName\":\"Microsoft Edge\",\"applicationVendor\":\"Microsoft Corporation\",\"applicationVersion\":\"112.0.1722.68\",\"baseScore\":\"4.30\",\"cveId\":\"CVE-2024-29057\",\"cvssVersion\":\"3.1\",\"daysDetected\":59,\"detectionDate\":\"2025-06-02T04:46:51.710587Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"DESKTOP-R1E2DQ2\",\"endpointType\":\"desktop\",\"id\":\"2228104981036686896\",\"lastScanDate\":\"2025-07-29T19:25:47Z\",\"lastScanResult\":\"Succeeded\",\"markType\":\"\",\"markedBy\":null,\"markedDate\":null,\"osType\":\"windows\",\"publishedDate\":\"2024-03-22T22:15:00Z\",\"reason\":null,\"severity\":\"MEDIUM\",\"status\":\"Detected\"}", + "outcome": "success", + "severity": 47, + "type": [ + "info" + ] + }, + "host": { + "id": "2162143406517023959", + "os": { + "type": "windows" + }, + "type": "desktop" + }, + "package": { + "name": "Microsoft Edge", + "version": "112.0.1722.68" + }, + "resource": { + "id": "2162143406517023959", + "name": "DESKTOP-R1E2DQ2" + }, + "sentinel_one": { + "application_risk": { + "application": "Microsoft Edge 112.0.1722.68", + "application_name": "Microsoft Edge", + "application_vendor": "Microsoft Corporation", + "application_version": "112.0.1722.68", + "base_score": 4.3, + "cve_id": "CVE-2024-29057", + "cvss_version": "3.1", + "days_detected": 59, + "detection_date": "2025-06-02T04:46:51.710Z", + "endpoint_id": "2162143406517023959", + "endpoint_name": "DESKTOP-R1E2DQ2", + "endpoint_type": "desktop", + "id": "2228104981036686896", + "last_scan_date": "2025-07-29T19:25:47.000Z", + 
"last_scan_result": "Succeeded", + "os_type": "windows", + "published_date": "2024-03-22T22:15:00.000Z", + "severity": "MEDIUM", + "status": "Detected" + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "cve": "CVE-2024-29057", + "id": "CVE-2024-29057", + "package": { + "published_date": "2024-03-22T22:15:00.000Z" + }, + "score": { + "base": 4.3, + "version": "3.1" + } + } + }, + { + "@timestamp": "2025-07-29T19:25:47.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "2228104981154127438", + "kind": "event", + "original": "{\"application\":\"Microsoft Edge WebView2 Runtime 112.0.1722.64\",\"applicationName\":\"Microsoft Edge WebView2 Runtime\",\"applicationVendor\":\"Microsoft Corporation\",\"applicationVersion\":\"112.0.1722.64\",\"baseScore\":\"4.70\",\"cveId\":\"CVE-2024-26247\",\"cvssVersion\":\"3.1\",\"daysDetected\":59,\"detectionDate\":\"2025-06-02T04:46:51.710624Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"DESKTOP-R1E2DQ2\",\"endpointType\":\"desktop\",\"id\":\"2228104981154127438\",\"lastScanDate\":\"2025-07-29T19:25:47Z\",\"lastScanResult\":\"Succeeded\",\"markType\":\"\",\"markedBy\":null,\"markedDate\":null,\"osType\":\"windows\",\"publishedDate\":\"2024-03-22T22:15:00Z\",\"reason\":null,\"severity\":\"MEDIUM\",\"status\":\"Detected\"}", + "outcome": "success", + "severity": 47, + "type": [ + "info" + ] + }, + "host": { + "id": "2162143406517023959", + "os": { + "type": "windows" + }, + "type": "desktop" + }, + "package": { + "name": "Microsoft Edge WebView2 Runtime", + "version": "112.0.1722.64" + }, + "resource": { + "id": "2162143406517023959", + "name": "DESKTOP-R1E2DQ2" + }, + "sentinel_one": { + "application_risk": { + "application": "Microsoft Edge WebView2 Runtime 112.0.1722.64", + "application_name": "Microsoft Edge WebView2 Runtime", + "application_vendor": "Microsoft Corporation", + "application_version": "112.0.1722.64", + "base_score": 
4.7, + "cve_id": "CVE-2024-26247", + "cvss_version": "3.1", + "days_detected": 59, + "detection_date": "2025-06-02T04:46:51.710Z", + "endpoint_id": "2162143406517023959", + "endpoint_name": "DESKTOP-R1E2DQ2", + "endpoint_type": "desktop", + "id": "2228104981154127438", + "last_scan_date": "2025-07-29T19:25:47.000Z", + "last_scan_result": "Succeeded", + "os_type": "windows", + "published_date": "2024-03-22T22:15:00.000Z", + "severity": "MEDIUM", + "status": "Detected" + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "cve": "CVE-2024-26247", + "id": "CVE-2024-26247", + "package": { + "published_date": "2024-03-22T22:15:00.000Z" + }, + "score": { + "base": 4.7, + "version": "3.1" + } + } + }, + { + "@timestamp": "2025-07-29T19:25:47.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "2228104981196070492", + "kind": "event", + "original": "{\"application\":\"VMware Tools 10.3.10.12406962\",\"applicationName\":\"VMware Tools\",\"applicationVendor\":\"VMware, Inc.\",\"applicationVersion\":\"10.3.10.12406962\",\"baseScore\":\"7.10\",\"cveId\":\"CVE-2022-22977\",\"cvssVersion\":\"3.1\",\"daysDetected\":59,\"detectionDate\":\"2025-06-02T04:46:51.710668Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"DESKTOP-R1E2DQ2\",\"endpointType\":\"desktop\",\"id\":\"2228104981196070492\",\"lastScanDate\":\"2025-07-29T19:25:47Z\",\"lastScanResult\":\"Succeeded\",\"markType\":\"\",\"markedBy\":null,\"markedDate\":null,\"osType\":\"windows\",\"publishedDate\":\"2022-05-24T19:15:00Z\",\"reason\":null,\"severity\":\"HIGH\",\"status\":\"Detected\"}", + "outcome": "success", + "severity": 73, + "type": [ + "info" + ] + }, + "host": { + "id": "2162143406517023959", + "os": { + "type": "windows" + }, + "type": "desktop" + }, + "package": { + "name": "VMware Tools", + "version": "10.3.10.12406962" + }, + "resource": { + "id": "2162143406517023959", + "name": "DESKTOP-R1E2DQ2" + }, + 
"sentinel_one": { + "application_risk": { + "application": "VMware Tools 10.3.10.12406962", + "application_name": "VMware Tools", + "application_vendor": "VMware, Inc.", + "application_version": "10.3.10.12406962", + "base_score": 7.1, + "cve_id": "CVE-2022-22977", + "cvss_version": "3.1", + "days_detected": 59, + "detection_date": "2025-06-02T04:46:51.710Z", + "endpoint_id": "2162143406517023959", + "endpoint_name": "DESKTOP-R1E2DQ2", + "endpoint_type": "desktop", + "id": "2228104981196070492", + "last_scan_date": "2025-07-29T19:25:47.000Z", + "last_scan_result": "Succeeded", + "os_type": "windows", + "published_date": "2022-05-24T19:15:00.000Z", + "severity": "HIGH", + "status": "Detected" + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "cve": "CVE-2022-22977", + "id": "CVE-2022-22977", + "package": { + "published_date": "2022-05-24T19:15:00.000Z" + }, + "score": { + "base": 7.1, + "version": "3.1" + } + } + }, + { + "@timestamp": "2025-07-29T19:25:47.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "2264018562208952766", + "kind": "event", + "original": "{\"application\":\"PuTTY release 0.77.0.0\",\"applicationName\":\"PuTTY release\",\"applicationVendor\":\"Simon Tatham\",\"applicationVersion\":\"0.77.0.0\",\"baseScore\":\"5.90\",\"cveId\":\"CVE-2024-31497\",\"cvssVersion\":\"3.1\",\"daysDetected\":10,\"detectionDate\":\"2025-07-21T18:00:44.231765Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"DESKTOP-R1E2DQ2\",\"endpointType\":\"desktop\",\"id\":\"2264018562208952766\",\"lastScanDate\":\"2025-07-29T19:25:47Z\",\"lastScanResult\":\"Succeeded\",\"markType\":\"\",\"markedBy\":null,\"markedDate\":null,\"osType\":\"windows\",\"publishedDate\":\"2024-04-15T20:15:00Z\",\"reason\":null,\"severity\":\"MEDIUM\",\"status\":\"Detected\"}", + "outcome": "success", + "severity": 47, + "type": [ + "info" + ] + }, + "host": { + "id": "2162143406517023959", + "os": { + 
"type": "windows" + }, + "type": "desktop" + }, + "package": { + "name": "PuTTY release", + "version": "0.77.0.0" + }, + "resource": { + "id": "2162143406517023959", + "name": "DESKTOP-R1E2DQ2" + }, + "sentinel_one": { + "application_risk": { + "application": "PuTTY release 0.77.0.0", + "application_name": "PuTTY release", + "application_vendor": "Simon Tatham", + "application_version": "0.77.0.0", + "base_score": 5.9, + "cve_id": "CVE-2024-31497", + "cvss_version": "3.1", + "days_detected": 10, + "detection_date": "2025-07-21T18:00:44.231Z", + "endpoint_id": "2162143406517023959", + "endpoint_name": "DESKTOP-R1E2DQ2", + "endpoint_type": "desktop", + "id": "2264018562208952766", + "last_scan_date": "2025-07-29T19:25:47.000Z", + "last_scan_result": "Succeeded", + "os_type": "windows", + "published_date": "2024-04-15T20:15:00.000Z", + "severity": "MEDIUM", + "status": "Detected" + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "cve": "CVE-2024-31497", + "id": "CVE-2024-31497", + "package": { + "published_date": "2024-04-15T20:15:00.000Z" + }, + "score": { + "base": 5.9, + "version": "3.1" + } + } + }, + { + "@timestamp": "2025-08-11T18:02:20.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "2228104981028298282", + "kind": "event", + "original": "{\"application\":\"7-Zip 22.01\",\"applicationName\":\"7-Zip\",\"applicationVendor\":\"Igor 
Pavlov\",\"applicationVersion\":\"22.01\",\"baseScore\":\"7.80\",\"cveId\":\"CVE-2024-11477\",\"cvssVersion\":\"3.1\",\"daysDetected\":72,\"detectionDate\":\"2025-06-02T04:46:51.710578Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"DESKTOP-R1E2DQ2\",\"endpointType\":\"desktop\",\"id\":\"2228104981028298282\",\"lastScanDate\":\"2025-08-11T18:02:20Z\",\"lastScanResult\":\"Succeeded\",\"markType\":\"\",\"markedBy\":null,\"markedDate\":null,\"osType\":\"windows\",\"publishedDate\":\"2024-11-21T06:42:16Z\",\"reason\":null,\"severity\":\"HIGH\",\"status\":\"Detected\"}", + "outcome": "success", + "severity": 73, + "type": [ + "info" + ] + }, + "host": { + "id": "2162143406517023959", + "os": { + "type": "windows" + }, + "type": "desktop" + }, + "package": { + "name": "7-Zip", + "version": "22.01" + }, + "resource": { + "id": "2162143406517023959", + "name": "DESKTOP-R1E2DQ2" + }, + "sentinel_one": { + "application_risk": { + "application": "7-Zip 22.01", + "application_name": "7-Zip", + "application_vendor": "Igor Pavlov", + "application_version": "22.01", + "base_score": 7.8, + "cve_id": "CVE-2024-11477", + "cvss_version": "3.1", + "days_detected": 72, + "detection_date": "2025-06-02T04:46:51.710Z", + "endpoint_id": "2162143406517023959", + "endpoint_name": "DESKTOP-R1E2DQ2", + "endpoint_type": "desktop", + "id": "2228104981028298282", + "last_scan_date": "2025-08-11T18:02:20.000Z", + "last_scan_result": "Succeeded", + "os_type": "windows", + "published_date": "2024-11-21T06:42:16.000Z", + "severity": "HIGH", + "status": "Detected" + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "cve": "CVE-2024-11477", + "id": "CVE-2024-11477", + "package": { + "published_date": "2024-11-21T06:42:16.000Z" + }, + "score": { + "base": 7.8, + "version": "3.1" + } + } + }, + { + "@timestamp": "2025-08-11T18:02:20.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "2228104981070241336", 
+ "kind": "event", + "original": "{\"application\":\"Microsoft Edge 112.0.1722.68\",\"applicationName\":\"Microsoft Edge\",\"applicationVendor\":\"Microsoft Corporation\",\"applicationVersion\":\"112.0.1722.68\",\"baseScore\":\"6.10\",\"cveId\":\"CVE-2024-38156\",\"cvssVersion\":\"3.1\",\"daysDetected\":72,\"detectionDate\":\"2025-06-02T04:46:51.710591Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"DESKTOP-R1E2DQ2\",\"endpointType\":\"desktop\",\"id\":\"2228104981070241336\",\"lastScanDate\":\"2025-08-11T18:02:20Z\",\"lastScanResult\":\"Succeeded\",\"markType\":\"\",\"markedBy\":null,\"markedDate\":null,\"osType\":\"windows\",\"publishedDate\":\"2024-07-18T05:39:23Z\",\"reason\":null,\"severity\":\"MEDIUM\",\"status\":\"Detected\"}", + "outcome": "success", + "severity": 47, + "type": [ + "info" + ] + }, + "host": { + "id": "2162143406517023959", + "os": { + "type": "windows" + }, + "type": "desktop" + }, + "package": { + "name": "Microsoft Edge", + "version": "112.0.1722.68" + }, + "resource": { + "id": "2162143406517023959", + "name": "DESKTOP-R1E2DQ2" + }, + "sentinel_one": { + "application_risk": { + "application": "Microsoft Edge 112.0.1722.68", + "application_name": "Microsoft Edge", + "application_vendor": "Microsoft Corporation", + "application_version": "112.0.1722.68", + "base_score": 6.1, + "cve_id": "CVE-2024-38156", + "cvss_version": "3.1", + "days_detected": 72, + "detection_date": "2025-06-02T04:46:51.710Z", + "endpoint_id": "2162143406517023959", + "endpoint_name": "DESKTOP-R1E2DQ2", + "endpoint_type": "desktop", + "id": "2228104981070241336", + "last_scan_date": "2025-08-11T18:02:20.000Z", + "last_scan_result": "Succeeded", + "os_type": "windows", + "published_date": "2024-07-18T05:39:23.000Z", + "severity": "MEDIUM", + "status": "Detected" + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "cve": "CVE-2024-38156", + "id": "CVE-2024-38156", + "package": { + "published_date": 
"2024-07-18T05:39:23.000Z" + }, + "score": { + "base": 6.1, + "version": "3.1" + } + } + }, + { + "@timestamp": "2025-08-11T18:02:20.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "2228104981095407166", + "kind": "event", + "original": "{\"application\":\"Microsoft Edge 112.0.1722.68\",\"applicationName\":\"Microsoft Edge\",\"applicationVendor\":\"Microsoft Corporation\",\"applicationVersion\":\"112.0.1722.68\",\"baseScore\":\"6.50\",\"cveId\":\"CVE-2024-38222\",\"cvssVersion\":\"3.1\",\"daysDetected\":72,\"detectionDate\":\"2025-06-02T04:46:51.710593Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"DESKTOP-R1E2DQ2\",\"endpointType\":\"desktop\",\"id\":\"2228104981095407166\",\"lastScanDate\":\"2025-08-11T18:02:20Z\",\"lastScanResult\":\"Succeeded\",\"markType\":\"\",\"markedBy\":null,\"markedDate\":null,\"osType\":\"windows\",\"publishedDate\":\"2024-08-13T18:27:28Z\",\"reason\":null,\"severity\":\"MEDIUM\",\"status\":\"Detected\"}", + "outcome": "success", + "severity": 47, + "type": [ + "info" + ] + }, + "host": { + "id": "2162143406517023959", + "os": { + "type": "windows" + }, + "type": "desktop" + }, + "package": { + "name": "Microsoft Edge", + "version": "112.0.1722.68" + }, + "resource": { + "id": "2162143406517023959", + "name": "DESKTOP-R1E2DQ2" + }, + "sentinel_one": { + "application_risk": { + "application": "Microsoft Edge 112.0.1722.68", + "application_name": "Microsoft Edge", + "application_vendor": "Microsoft Corporation", + "application_version": "112.0.1722.68", + "base_score": 6.5, + "cve_id": "CVE-2024-38222", + "cvss_version": "3.1", + "days_detected": 72, + "detection_date": "2025-06-02T04:46:51.710Z", + "endpoint_id": "2162143406517023959", + "endpoint_name": "DESKTOP-R1E2DQ2", + "endpoint_type": "desktop", + "id": "2228104981095407166", + "last_scan_date": "2025-08-11T18:02:20.000Z", + "last_scan_result": "Succeeded", + "os_type": "windows", + "published_date": 
"2024-08-13T18:27:28.000Z", + "severity": "MEDIUM", + "status": "Detected" + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "cve": "CVE-2024-38222", + "id": "CVE-2024-38222", + "package": { + "published_date": "2024-08-13T18:27:28.000Z" + }, + "score": { + "base": 6.5, + "version": "3.1" + } + } + }, + { + "@timestamp": "2025-08-11T18:02:20.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "2228104981128961604", + "kind": "event", + "original": "{\"application\":\"Microsoft Edge 112.0.1722.68\",\"applicationName\":\"Microsoft Edge\",\"applicationVendor\":\"Microsoft Corporation\",\"applicationVersion\":\"112.0.1722.68\",\"baseScore\":\"9.60\",\"cveId\":\"CVE-2024-7971\",\"cvssVersion\":\"3.1\",\"daysDetected\":72,\"detectionDate\":\"2025-06-02T04:46:51.710604Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"DESKTOP-R1E2DQ2\",\"endpointType\":\"desktop\",\"id\":\"2228104981128961604\",\"lastScanDate\":\"2025-08-11T18:02:20Z\",\"lastScanResult\":\"Succeeded\",\"markType\":\"\",\"markedBy\":null,\"markedDate\":null,\"osType\":\"windows\",\"publishedDate\":\"2024-08-21T21:15:00Z\",\"reason\":null,\"severity\":\"CRITICAL\",\"status\":\"Detected\"}", + "outcome": "success", + "severity": 99, + "type": [ + "info" + ] + }, + "host": { + "id": "2162143406517023959", + "os": { + "type": "windows" + }, + "type": "desktop" + }, + "package": { + "name": "Microsoft Edge", + "version": "112.0.1722.68" + }, + "resource": { + "id": "2162143406517023959", + "name": "DESKTOP-R1E2DQ2" + }, + "sentinel_one": { + "application_risk": { + "application": "Microsoft Edge 112.0.1722.68", + "application_name": "Microsoft Edge", + "application_vendor": "Microsoft Corporation", + "application_version": "112.0.1722.68", + "base_score": 9.6, + "cve_id": "CVE-2024-7971", + "cvss_version": "3.1", + "days_detected": 72, + "detection_date": "2025-06-02T04:46:51.710Z", + "endpoint_id": 
"2162143406517023959", + "endpoint_name": "DESKTOP-R1E2DQ2", + "endpoint_type": "desktop", + "id": "2228104981128961604", + "last_scan_date": "2025-08-11T18:02:20.000Z", + "last_scan_result": "Succeeded", + "os_type": "windows", + "published_date": "2024-08-21T21:15:00.000Z", + "severity": "CRITICAL", + "status": "Detected" + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "cve": "CVE-2024-7971", + "id": "CVE-2024-7971", + "package": { + "published_date": "2024-08-21T21:15:00.000Z" + }, + "score": { + "base": 9.6, + "version": "3.1" + } + } + }, + { + "@timestamp": "2025-08-11T18:02:20.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "2228104981137350215", + "kind": "event", + "original": "{\"application\":\"Microsoft Edge 112.0.1722.68\",\"applicationName\":\"Microsoft Edge\",\"applicationVendor\":\"Microsoft Corporation\",\"applicationVersion\":\"112.0.1722.68\",\"baseScore\":\"4.70\",\"cveId\":\"CVE-2024-38082\",\"cvssVersion\":\"3.1\",\"daysDetected\":72,\"detectionDate\":\"2025-06-02T04:46:51.710607Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"DESKTOP-R1E2DQ2\",\"endpointType\":\"desktop\",\"id\":\"2228104981137350215\",\"lastScanDate\":\"2025-08-11T18:02:20Z\",\"lastScanResult\":\"Succeeded\",\"markType\":\"\",\"markedBy\":null,\"markedDate\":null,\"osType\":\"windows\",\"publishedDate\":\"2024-06-20T20:15:00Z\",\"reason\":null,\"severity\":\"MEDIUM\",\"status\":\"Detected\"}", + "outcome": "success", + "severity": 47, + "type": [ + "info" + ] + }, + "host": { + "id": "2162143406517023959", + "os": { + "type": "windows" + }, + "type": "desktop" + }, + "package": { + "name": "Microsoft Edge", + "version": "112.0.1722.68" + }, + "resource": { + "id": "2162143406517023959", + "name": "DESKTOP-R1E2DQ2" + }, + "sentinel_one": { + "application_risk": { + "application": "Microsoft Edge 112.0.1722.68", + "application_name": "Microsoft Edge", + 
"application_vendor": "Microsoft Corporation", + "application_version": "112.0.1722.68", + "base_score": 4.7, + "cve_id": "CVE-2024-38082", + "cvss_version": "3.1", + "days_detected": 72, + "detection_date": "2025-06-02T04:46:51.710Z", + "endpoint_id": "2162143406517023959", + "endpoint_name": "DESKTOP-R1E2DQ2", + "endpoint_type": "desktop", + "id": "2228104981137350215", + "last_scan_date": "2025-08-11T18:02:20.000Z", + "last_scan_result": "Succeeded", + "os_type": "windows", + "published_date": "2024-06-20T20:15:00.000Z", + "severity": "MEDIUM", + "status": "Detected" + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "cve": "CVE-2024-38082", + "id": "CVE-2024-38082", + "package": { + "published_date": "2024-06-20T20:15:00.000Z" + }, + "score": { + "base": 4.7, + "version": "3.1" + } + } + } + ] +} diff --git a/packages/sentinel_one/data_stream/application_risk/_dev/test/pipeline/test-common-config.yml b/packages/sentinel_one/data_stream/application_risk/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..37e8fa225fd --- /dev/null +++ b/packages/sentinel_one/data_stream/application_risk/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_duplicate_custom_fields diff --git a/packages/sentinel_one/data_stream/application_risk/_dev/test/system/test-default-config.yml b/packages/sentinel_one/data_stream/application_risk/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..4f89c5aae02 --- /dev/null +++ b/packages/sentinel_one/data_stream/application_risk/_dev/test/system/test-default-config.yml @@ -0,0 +1,12 @@ +input: cel +service: sentinel_one +vars: + url: http://{{Hostname}}:{{Port}} + api_token: xxxx +data_stream: + vars: + batch_size: 2 + preserve_original_event: true + enable_request_tracer: true +assert: + hit_count: 5 
diff --git a/packages/sentinel_one/data_stream/application_risk/agent/stream/cel.yml.hbs b/packages/sentinel_one/data_stream/application_risk/agent/stream/cel.yml.hbs
new file mode 100644
index 00000000000..fc119f9c683
--- /dev/null
+++ b/packages/sentinel_one/data_stream/application_risk/agent/stream/cel.yml.hbs
@@ -0,0 +1,81 @@
+config_version: 2
+interval: {{interval}}
+resource.tracer:
+ enabled: {{enable_request_tracer}}
+ filename: "../../logs/cel/http-request-trace-*.ndjson"
+ maxbackups: 5
+{{#if proxy_url}}
+resource.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+resource.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+resource.timeout: {{http_client_timeout}}
+{{/if}}
+resource.url: {{url}}
+state:
+ batch_size: {{batch_size}}
+ api_token: {{api_token}}
+ site_ids: {{site_ids}}
+redact:
+ fields:
+ - api_token
+program: |
+ request("GET",
+ state.url.trim_right("/") + "/web/api/v2.1/application-management/risks?" + {
+ ?"cursor": state.?next.page.optMap(v, [v]),
+ ?"siteids": state.?site_ids.orValue(null) != null ? optional.of([string(state.site_ids)]) : optional.none(),
+ "limit": [string(state.batch_size)],
+ }.format_query()
+ ).with({
+ "Header":{
+ "Authorization": ["ApiToken " + state.api_token]
+ },
+ }).do_request().as(resp, resp.StatusCode == 200 ?
+ resp.Body.decode_json().as(body, {
+ "events": body.data.map(e, {
+ "message": e.encode_json(),
+ }),
+ "api_token": state.api_token,
+ "batch_size": state.batch_size,
+ ?"site_ids": state.?site_ids.orValue(null) != null ? optional.of(state.site_ids) : optional.none(),
+ "next": {
+ ?"page": body.?pagination.?nextCursor.orValue(null) != null ? optional.of(body.pagination.nextCursor) : optional.none(),
+ },
+ "want_more": body.?pagination.?nextCursor.orValue(null) != null,
+ })
+ :
+ {
+ "events": {
+ "error": {
+ "code": string(resp.StatusCode),
+ "id": string(resp.Status),
+ "message": "GET " + state.url.trim_right("/") + "/web/api/v2.1/application-management/risks: " + (
+ size(resp.Body) != 0 ?
+ string(resp.Body)
+ :
+ string(resp.Status) + ' (' + string(resp.StatusCode) + ')'
+ ),
+ },
+ },
+ "want_more": false,
+ }
+ )
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/sentinel_one/data_stream/application_risk/elasticsearch/ilm/default_policy.json b/packages/sentinel_one/data_stream/application_risk/elasticsearch/ilm/default_policy.json
new file mode 100644
index 00000000000..7996af84e22
--- /dev/null
+++ b/packages/sentinel_one/data_stream/application_risk/elasticsearch/ilm/default_policy.json
@@ -0,0 +1,20 @@
+{
+ "policy": {
+ "phases": {
+ "hot": {
+ "actions": {
+ "rollover": {
+ "max_age": "30d",
+ "max_primary_shard_size": "50gb"
+ }
+ }
+ },
+ "delete": {
+ "min_age": "30d",
+ "actions": {
+ "delete": {}
+ }
+ }
+ }
+ }
+}
diff --git a/packages/sentinel_one/data_stream/application_risk/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/data_stream/application_risk/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..f473455f00b
--- /dev/null
+++ b/packages/sentinel_one/data_stream/application_risk/elasticsearch/ingest_pipeline/default.yml
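Review bot: The `orValue(null) != null` guard on `state.?site_ids` (used twice in the program) deserves a comment, because the template renders `site_ids: {{site_ids}}` unconditionally and the manifest declares the var optional with no default, so an unset value reaches the program as a YAML null rather than an absent key, and a plain `optMap` would not skip it. Suggest a CEL comment above the query map: `// site_ids renders as null when unset; only send siteids when it has a value.` Separately, the query key is spelled `siteids` in all lowercase; as far as I recall SentinelOne documents the parameter as camel-case `siteIds`, so it is worth confirming the API accepts the lowercase form, since a silently ignored filter would return risks from every site the token can read.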
@@ -0,0 +1,443 @@
+---
+description: Pipeline for processing application_risk logs.
+processors:
+ - set:
+ field: ecs.version
+ tag: set_ecs_version
+ value: 8.11.0
+ - terminate:
+ tag: data_collection_error
+ if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null
+ description: error message set and no data to process.
+ - rename:
+ field: message
+ tag: rename_message_to_event_original
+ target_field: event.original
+ ignore_missing: true
+ description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document.
+ if: ctx.event?.original == null
+ - remove:
+ field: message
+ tag: remove_message
+ ignore_missing: true
+ description: The `message` field is no longer required if the document has an `event.original` field.
+ if: ctx.event?.original != null
+ - json:
+ field: event.original
+ tag: json_event_original
+ target_field: json
+ - set:
+ field: event.kind
+ tag: set_event_kind
+ value: event
+ - append:
+ field: event.type
+ tag: append_info_into_event_type
+ value: info
+ - append:
+ field: event.category
+ tag: append_vulnerability_into_event_category
+ value: vulnerability
+ - rename:
+ field: json.application
+ tag: rename_application
+ target_field: sentinel_one.application_risk.application
+ ignore_missing: true
+ - rename:
+ field: json.applicationName
+ tag: rename_applicationName
+ target_field: sentinel_one.application_risk.application_name
+ ignore_missing: true
+ - set:
+ field: package.name
+ tag: set_package_name_from_application_risk_application_name
+ copy_from: sentinel_one.application_risk.application_name
+ ignore_empty_value: true
+ - rename:
+ field: json.applicationVendor
+ tag: rename_applicationVendor
+ target_field: sentinel_one.application_risk.application_vendor
+ ignore_missing: true
+ - rename:
+ field: json.applicationVersion
+ tag: rename_applicationVersion
+ target_field: sentinel_one.application_risk.application_version
+ ignore_missing: true
+ - set:
+ field: package.version
+ tag: set_package_version_from_application_risk_application_version
+ copy_from: sentinel_one.application_risk.application_version
+ ignore_empty_value: true
+ - convert:
+ field: json.baseScore
+ tag: convert_baseScore_to_double
+ target_field: sentinel_one.application_risk.base_score
+ type: double
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: vulnerability.score.base
+ tag: set_vulnerability_score_base_from_application_risk_base_score
+ copy_from: sentinel_one.application_risk.base_score
+ ignore_empty_value: true
+ - rename:
+ field: json.cveId
+ tag: rename_cveId
+ target_field: sentinel_one.application_risk.cve_id
+ ignore_missing: true
+ - set:
+ field: vulnerability.id
+ tag: set_vulnerability_id_from_application_risk_cve_id
+ copy_from: sentinel_one.application_risk.cve_id
+ ignore_empty_value: true
+ - set:
+ field: vulnerability.cve
+ tag: set_vulnerability_cve_from_application_risk_cve_id
+ copy_from: sentinel_one.application_risk.cve_id
+ ignore_empty_value: true
+ - rename:
+ field: json.cvssVersion
+ tag: rename_cvssVersion
+ target_field: sentinel_one.application_risk.cvss_version
+ ignore_missing: true
+ - set:
+ field: vulnerability.score.version
+ tag: set_vulnerability_score_version_from_application_risk_cvss_version
+ copy_from: sentinel_one.application_risk.cvss_version
+ ignore_empty_value: true
+ - convert:
+ field: json.daysDetected
+ tag: convert_daysDetected_to_long
+ target_field: sentinel_one.application_risk.days_detected
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: json.detectionDate
+ tag: date_detectionDate
+ target_field: sentinel_one.application_risk.detection_date
+ formats:
+ - strict_date_optional_time_nanos
+ if: ctx.json?.detectionDate != null && ctx.json.detectionDate != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.endpointId
+ tag: convert_endpointId_to_string
+ target_field: sentinel_one.application_risk.endpoint_id
+ type: string
+ ignore_missing: true
+ - set:
+ field: host.id
+ tag: set_host_id_from_application_risk_endpoint_id
+ copy_from: sentinel_one.application_risk.endpoint_id
+ ignore_empty_value: true
+ - set:
+ field: resource.id
+ tag: set_resource_id_from_application_risk_endpoint_id
+ copy_from: sentinel_one.application_risk.endpoint_id
+ ignore_empty_value: true
+ - rename:
+ field: json.endpointName
+ tag: rename_endpointName
+ target_field: sentinel_one.application_risk.endpoint_name
+ ignore_missing: true
+ - set:
+ field: resource.name
+ tag: set_resource_name_from_application_risk_endpoint_name
+ copy_from: sentinel_one.application_risk.endpoint_name
+ ignore_empty_value: true
+ - rename:
+ field: json.endpointType
+ tag: rename_endpointType
+ target_field: sentinel_one.application_risk.endpoint_type
+ ignore_missing: true
+ - set:
+ field: host.type
+ tag: set_host_type_from_application_risk_endpoint_type
+ copy_from: sentinel_one.application_risk.endpoint_type
+ ignore_empty_value: true
+ - rename:
+ field: json.exploitCodeMaturity
+ tag: rename_exploitCodeMaturity
+ target_field: sentinel_one.application_risk.exploit_code_maturity
+ ignore_missing: true
+ - convert:
+ field: json.id
+ tag: convert_id_to_string
+ target_field: sentinel_one.application_risk.id
+ type: string
+ ignore_missing: true
+ - set:
+ field: event.id
+ tag: set_event_id_from_application_risk_id
+ copy_from: sentinel_one.application_risk.id
+ ignore_empty_value: true
+ - date:
+ field: json.lastScanDate
+ tag: date_lastScanDate
+ target_field: sentinel_one.application_risk.last_scan_date
+ formats:
+ - date_optional_time
+ if: ctx.json?.lastScanDate != null && ctx.json.lastScanDate != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: '@timestamp'
+ tag: set_timestamp_from_last_scan_date
+ copy_from: sentinel_one.application_risk.last_scan_date
+ ignore_empty_value: true
+ - rename:
+ field: json.lastScanResult
+ tag: rename_lastScanResult
+ target_field: sentinel_one.application_risk.last_scan_result
+ ignore_missing: true
+ - set:
+ field: event.outcome
+ value: success
+ if: ctx.sentinel_one?.application_risk?.last_scan_result?.equalsIgnoreCase('Succeeded') == true
+ - set:
+ field: event.outcome
+ value: failure
+ if: ctx.sentinel_one?.application_risk?.last_scan_result?.equalsIgnoreCase('Failed') == true
+ - set:
+ field: event.outcome
+ value: unknown
+ override: false
+ - rename:
+ field: json.markType
+ tag: rename_markType
+ target_field: sentinel_one.application_risk.mark_type
+ ignore_missing: true
+ - rename:
+ field: json.markedBy
+ tag: rename_markedBy
+ target_field: sentinel_one.application_risk.marked_by
+ ignore_missing: true
+ - set:
+ field: host.name
+ tag: set_host_name_from_application_risk_marked_by
+ copy_from: sentinel_one.application_risk.marked_by
+ ignore_empty_value: true
+ - date:
+ field: json.markedDate
+ tag: date_markedDate
+ target_field: sentinel_one.application_risk.marked_date
+ formats:
+ - date_optional_time
+ if: ctx.json?.markedDate != null && ctx.json.markedDate != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.mitigationStatus
+ tag: rename_mitigationStatus
+ target_field: sentinel_one.application_risk.mitigation_status
+ ignore_missing: true
+ - date:
+ field: json.mitigationStatusChangeTime
+ tag: date_mitigationStatusChangeTime
+ target_field: sentinel_one.application_risk.mitigation_status_change_time
+ formats:
+ - ISO8601
+ - date_optional_time
+ if: ctx.json?.mitigationStatusChangeTime != null && ctx.json.mitigationStatusChangeTime != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.mitigationStatusChangedBy
+ tag: rename_mitigationStatusChangedBy
+ target_field: sentinel_one.application_risk.mitigation_status_changed_by
+ ignore_missing: true
+ - rename:
+ field: json.mitigationStatusReason
+ tag: rename_mitigationStatusReason
+ target_field: sentinel_one.application_risk.mitigation_status_reason
+ ignore_missing: true
+ - convert:
+ field: json.nvdBaseScore
+ tag: convert_nvdBaseScore_to_float
+ target_field: sentinel_one.application_risk.nvd_base_score
+ type: float
+ ignore_missing: true
+ if: ctx.json?.nvdBaseScore != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.nvdCvssVersion
+ tag: rename_nvdCvssVersion
+ target_field: sentinel_one.application_risk.nvd_cvss_version
+ ignore_missing: true
+ - rename:
+ field: json.osType
+ tag: rename_osType
+ target_field: sentinel_one.application_risk.os_type
+ ignore_missing: true
+ - set:
+ field: host.os.type
+ tag: set_host_os_type_from_application_risk_os_type
+ copy_from: sentinel_one.application_risk.os_type
+ if: >-
+ ctx.sentinel_one?.application_risk?.os_type == 'windows'
+ || ctx.sentinel_one?.application_risk?.os_type == 'linux'
+ || ctx.sentinel_one?.application_risk?.os_type == 'macos'
+ ignore_empty_value: true
+ - date:
+ field: json.publishedDate
+ tag: date_publishedDate
+ target_field: sentinel_one.application_risk.published_date
+ formats:
+ - date_optional_time
+ if: ctx.json?.publishedDate != null && ctx.json.publishedDate != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: vulnerability.package.published_date
+ tag: set_vulnerability_package_publisheddate_from_application_published_date
+ copy_from: sentinel_one.application_risk.published_date
+ ignore_empty_value: true
+ - rename:
+ field: json.reason
+ tag: rename_reason
+ target_field: sentinel_one.application_risk.reason
+ ignore_missing: true
+ - set:
+ field: event.reason
+ tag: set_event_reason_from_application_risk_reason
+ copy_from: sentinel_one.application_risk.reason
+ ignore_empty_value: true
+ - rename:
+ field: json.remediationLevel
+ tag: rename_remediationLevel
+ target_field: sentinel_one.application_risk.remediation_level
+ ignore_missing: true
+ - rename:
+ field: json.reportConfidence
+ tag: rename_reportConfidence
+ target_field: sentinel_one.application_risk.report_confidence
+ ignore_missing: true
+ - convert:
+ field: json.riskScore
+ tag: convert_riskScore_to_double
+ target_field: sentinel_one.application_risk.risk_score
+ type: double
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.severity
+ tag: rename_severity
+ target_field: sentinel_one.application_risk.severity
+ ignore_missing: true
+ - script:
+ description: Set event severity based on severity.
+ if: ctx.sentinel_one?.application_risk?.severity != null
+ lang: painless
+ params:
+ low: 21
+ medium: 47
+ high: 73
+ critical: 99
+ source: |-
+ ctx.event = ctx.event ?: [:];
+ ctx.event.severity = params.get(ctx.sentinel_one.application_risk.severity.toLowerCase());
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.status
+ tag: rename_status
+ target_field: sentinel_one.application_risk.status
+ ignore_missing: true
+ - remove:
+ field:
+ - sentinel_one.application_risk.application_name
+ - sentinel_one.application_risk.application_version
+ - sentinel_one.application_risk.base_score
+ - sentinel_one.application_risk.cve_id
+ - sentinel_one.application_risk.cvss_version
+ - sentinel_one.application_risk.endpoint_id
+ - sentinel_one.application_risk.endpoint_name
+ - sentinel_one.application_risk.endpoint_type
+ - sentinel_one.application_risk.id
+ - sentinel_one.application_risk.os_type
+ - sentinel_one.application_risk.published_date
+ - sentinel_one.application_risk.reason
+ tag: remove_custom_duplicate_fields
+ ignore_missing: true
+ if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields')
+ - remove:
+ field: json
+ tag: remove_json
+ ignore_missing: true
+ - script:
+ tag: script_to_drop_null_values
+ lang: painless
+ description: This script processor iterates over the whole document to remove fields with null values.
+ source: |-
+ void handleMap(Map map) {
+ map.values().removeIf(v -> {
+ if (v instanceof Map) {
+ handleMap(v);
+ } else if (v instanceof List) {
+ handleList(v);
+ }
+ return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)
+ });
+ }
+ void handleList(List list) {
+ list.removeIf(v -> {
+ if (v instanceof Map) {
+ handleMap(v);
+ } else if (v instanceof List) {
+ handleList(v);
+ }
+ return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)
+ });
+ }
+ handleMap(ctx);
+ - set:
+ field: event.kind
+ tag: set_pipeline_error_into_event_kind
+ value: pipeline_error
+ if: ctx.error?.message != null
+ - append:
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
+ if: ctx.error?.message != null
+on_failure:
+ - append:
+ field: error.message
+ value: |-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'
+ - set:
+ field: event.kind
+ tag: set_pipeline_error_to_event_kind
+ value: pipeline_error
+ - append:
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
diff --git a/packages/sentinel_one/data_stream/application_risk/fields/base-fields.yml b/packages/sentinel_one/data_stream/application_risk/fields/base-fields.yml
new file mode 100644
index 00000000000..370b308b61d
--- /dev/null
+++ b/packages/sentinel_one/data_stream/application_risk/fields/base-fields.yml
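Review bot: The `set_host_name_from_application_risk_marked_by` processor copies `sentinel_one.application_risk.marked_by` into `host.name`; `markedBy` appears to be whoever marked the risk (fields.yml describes it only as "Marked by."), not an endpoint identifier, so a marked risk would label the host with a user's name, while `endpoint_name` — the sibling of the values already copied to `host.id` and `host.type` — goes only to `resource.name`. The tests do not catch this because every sample has `markedBy: null`. Unless the mapping is intentional, change the three lines to `field: host.name`, `tag: set_host_name_from_application_risk_endpoint_name`, `copy_from: sentinel_one.application_risk.endpoint_name`. Also, `convert_baseScore_to_double` produces a double while fields.yml in this commit maps `base_score` as `float`, and `convert_nvdBaseScore_to_float` produces a float while `nvd_base_score` is mapped `double`; the two pairs look swapped and should agree in both files.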
@@ -0,0 +1,16 @@
+- name: data_stream.type
+ external: ecs
+- name: data_stream.dataset
+ external: ecs
+- name: data_stream.namespace
+ external: ecs
+- name: "@timestamp"
+ external: ecs
+- name: event.module
+ type: constant_keyword
+ external: ecs
+ value: sentinel_one
+- name: event.dataset
+ type: constant_keyword
+ external: ecs
+ value: sentinel_one.application_risk
diff --git a/packages/sentinel_one/data_stream/application_risk/fields/beats.yml b/packages/sentinel_one/data_stream/application_risk/fields/beats.yml
new file mode 100644
index 00000000000..d5fd38748ba
--- /dev/null
+++ b/packages/sentinel_one/data_stream/application_risk/fields/beats.yml
@@ -0,0 +1,6 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.offset
+ type: long
+ description: Log offset.
diff --git a/packages/sentinel_one/data_stream/application_risk/fields/ecs.yml b/packages/sentinel_one/data_stream/application_risk/fields/ecs.yml
new file mode 100644
index 00000000000..81da2d50621
--- /dev/null
+++ b/packages/sentinel_one/data_stream/application_risk/fields/ecs.yml
@@ -0,0 +1,4 @@
+- name: observer.vendor
+ external: ecs
+ type: constant_keyword
+ value: SentinelOne
diff --git a/packages/sentinel_one/data_stream/application_risk/fields/fields.yml b/packages/sentinel_one/data_stream/application_risk/fields/fields.yml
new file mode 100644
index 00000000000..33aaaa985b9
--- /dev/null
+++ b/packages/sentinel_one/data_stream/application_risk/fields/fields.yml
@@ -0,0 +1,98 @@
+- name: sentinel_one
+ type: group
+ fields:
+ - name: application_risk
+ type: group
+ fields:
+ - name: application
+ type: keyword
+ description: Composed application name.
+ - name: application_name
+ type: keyword
+ description: Application name.
+ - name: application_vendor
+ type: keyword
+ description: Application vendor.
+ - name: application_version
+ type: keyword
+ description: Application version.
+ - name: base_score
+ type: float
+ - name: cve_id
+ type: keyword
+ description: CVE Id.
+ - name: cvss_version
+ type: keyword
+ description: Cvss version.
+ - name: days_detected
+ type: long
+ description: Days detected.
+ - name: detection_date
+ type: date
+ description: Detection date.
+ - name: endpoint_id
+ type: keyword
+ description: Endpoint id.
+ - name: endpoint_name
+ type: keyword
+ description: Endpoint name.
+ - name: endpoint_type
+ type: keyword
+ description: Endpoint type.
+ - name: exploit_code_maturity
+ type: keyword
+ - name: id
+ type: keyword
+ description: Id.
+ - name: last_scan_date
+ type: date
+ description: Last scan date.
+ - name: last_scan_result
+ type: keyword
+ description: Last scan result.
+ - name: mark_type
+ type: keyword
+ description: Mark type.
+ - name: marked_by
+ type: keyword
+ description: Marked by.
+ - name: marked_date
+ type: date
+ description: Marked date.
+ - name: mitigation_status
+ type: keyword
+ description: Risk mitigation status.
+ - name: mitigation_status_change_time
+ type: date
+ description: Mitigation status change time.
+ - name: mitigation_status_changed_by
+ type: keyword
+ description: Mitigation status changer.
+ - name: mitigation_status_reason
+ type: keyword
+ description: Mitigation status reason.
+ - name: nvd_base_score
+ type: double
+ - name: nvd_cvss_version
+ type: keyword
+ - name: os_type
+ type: keyword
+ description: OS type.
+ - name: published_date
+ type: date
+ description: Published date.
+ - name: reason
+ type: keyword
+ description: Reason.
+ - name: remediation_level
+ type: keyword
+ - name: report_confidence
+ type: keyword
+ - name: risk_score
+ type: double
+ - name: severity
+ type: keyword
+ description: Severity.
+ - name: status
+ type: keyword
+ description: Risk status.
diff --git a/packages/sentinel_one/data_stream/application_risk/fields/is-transform-source-true.yml b/packages/sentinel_one/data_stream/application_risk/fields/is-transform-source-true.yml
new file mode 100644
index 00000000000..fd4766eacd5
--- /dev/null
+++ b/packages/sentinel_one/data_stream/application_risk/fields/is-transform-source-true.yml
@@ -0,0 +1,4 @@
+- name: labels.is_transform_source
+ type: constant_keyword
+ description: Distinguishes between documents that are a source for a transform and documents that are an output of a transform, to facilitate easier filtering.
+ value: "true"
diff --git a/packages/sentinel_one/data_stream/application_risk/fields/resource.yml b/packages/sentinel_one/data_stream/application_risk/fields/resource.yml
new file mode 100644
index 00000000000..dcbad49936b
--- /dev/null
+++ b/packages/sentinel_one/data_stream/application_risk/fields/resource.yml
@@ -0,0 +1,9 @@
+- name: resource
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: The ID of the vulnerable resource.
+ - name: name
+ type: keyword
+ description: The name of the vulnerable resource.
diff --git a/packages/sentinel_one/data_stream/application_risk/fields/vulnerability.yml b/packages/sentinel_one/data_stream/application_risk/fields/vulnerability.yml
new file mode 100644
index 00000000000..0ecdd74143f
--- /dev/null
+++ b/packages/sentinel_one/data_stream/application_risk/fields/vulnerability.yml
@@ -0,0 +1,12 @@
+- name: vulnerability
+ type: group
+ fields:
+ - name: cve
+ type: keyword
+ description: The CVE id of the vulnerability.
+ - name: package
+ type: group
+ fields:
+ - name: published_date
+ type: date
+ description: When the vulnerability was published.
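Review bot: `base_score`, `exploit_code_maturity`, `nvd_base_score`, `nvd_cvss_version`, `remediation_level`, `report_confidence` and `risk_score` carry no `description`, while every other field in the `application_risk` group has one; the package's field table is built from these entries, so the gaps show up directly in the docs. Add one to each in the same terse style used elsewhere in the file, e.g. `description: Base score.`, `description: NVD base score.`, `description: Risk score.`, keeping to what the upstream field name states rather than guessing at semantics.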
diff --git a/packages/sentinel_one/data_stream/application_risk/lifecycle.yml b/packages/sentinel_one/data_stream/application_risk/lifecycle.yml
new file mode 100644
index 00000000000..b56a81e81d7
--- /dev/null
+++ b/packages/sentinel_one/data_stream/application_risk/lifecycle.yml
@@ -0,0 +1 @@
+data_retention: "30d"
diff --git a/packages/sentinel_one/data_stream/application_risk/manifest.yml b/packages/sentinel_one/data_stream/application_risk/manifest.yml
new file mode 100644
index 00000000000..aa2ad6240e5
--- /dev/null
+++ b/packages/sentinel_one/data_stream/application_risk/manifest.yml
@@ -0,0 +1,81 @@
+title: "Application Risk"
+type: logs
+streams:
+ - input: cel
+ title: Application Risk
+ description: Collecting application risk via API.
+ template_path: cel.yml.hbs
+ enabled: false
+ vars:
+ - name: interval
+ type: text
+ title: Interval
+ description: Duration between requests to the Sentinel One API. Supported units for this parameter are h/m/s.
+ default: 24h
+ multi: false
+ required: true
+ show_user: true
+ - name: batch_size
+ type: integer
+ title: Batch Size
+ multi: false
+ required: true
+ show_user: false
+ description: Batch size for the response of the Sentinel One API. The maximum supported page size value is 1000.
+ default: 1000
+ - name: site_ids
+ type: text
+ title: Site IDs
+ multi: false
+ required: false
+ show_user: false
+ description: Comma separated list of Site IDs to filter by. Example - "225494730938493804,225494730938493915".
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.
+ multi: false
+ required: true
+ show_user: false
+ default: 30s
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ default: false
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - sentinel_one-application_risk
+ - name: preserve_original_event
+ required: false
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: preserve_duplicate_custom_fields
+ required: false
+ show_user: false
+ title: Preserve duplicate custom fields
+ description: Preserve sentinel_one.application_risk fields that were copied to Elastic Common Schema (ECS) fields.
+ type: bool
+ multi: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.
diff --git a/packages/sentinel_one/data_stream/application_risk/sample_event.json b/packages/sentinel_one/data_stream/application_risk/sample_event.json
new file mode 100644
index 00000000000..1d825414c88
--- /dev/null
+++ b/packages/sentinel_one/data_stream/application_risk/sample_event.json
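Review bot: `preserve_duplicate_custom_fields` is the only boolean var in this stream without a `default`, while its sibling `preserve_original_event` sets `default: false`; the template tolerates the missing value through `{{#if preserve_duplicate_custom_fields}}`, but an explicit default keeps the two toggles consistent and makes the policy-editor state unambiguous. Add `default: false` after `multi: false` in that var.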
@@ -0,0 +1,85 @@ +{ + "@timestamp": "2025-07-29T19:25:47.000Z", + "agent": { + "ephemeral_id": "bec56874-9c81-4a9a-a08c-44ffb0bfc990", + "id": "47222315-41e7-4e81-811a-0046629ea1a7", + "name": "elastic-agent-39294", + "type": "filebeat", + "version": "8.18.0" + }, + "data_stream": { + "dataset": "sentinel_one.application_risk", + "namespace": "88783", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "47222315-41e7-4e81-811a-0046629ea1a7", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "vulnerability" + ], + "dataset": "sentinel_one.application_risk", + "id": "2228104980801805822", + "ingested": "2025-08-07T10:16:01Z", + "kind": "event", + "original": "{\"application\":\"7-Zip 22.01\",\"applicationName\":\"7-Zip\",\"applicationVendor\":\"Igor Pavlov\",\"applicationVersion\":\"22.01\",\"baseScore\":\"7.00\",\"cveId\":\"CVE-2025-0411\",\"cvssVersion\":\"3.1\",\"daysDetected\":59,\"detectionDate\":\"2025-06-02T04:46:51.710569Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"test_endpoint\",\"endpointType\":\"desktop\",\"id\":\"2228104980801805822\",\"lastScanDate\":\"2025-07-29T19:25:47Z\",\"lastScanResult\":\"Succeeded\",\"markType\":\"\",\"markedBy\":null,\"markedDate\":null,\"osType\":\"windows\",\"publishedDate\":\"2025-01-20T07:04:04Z\",\"reason\":null,\"severity\":\"HIGH\",\"status\":\"Detected\"}", + "outcome": "success", + "severity": 73, + "type": [ + "info" + ] + }, + "host": { + "id": "2162143406517023959", + "os": { + "type": "windows" + }, + "type": "desktop" + }, + "input": { + "type": "cel" + }, + "package": { + "name": "7-Zip", + "version": "22.01" + }, + "resource": { + "id": "2162143406517023959", + "name": "test_endpoint" + }, + "sentinel_one": { + "application_risk": { + "application": "7-Zip 22.01", + "application_vendor": "Igor Pavlov", + "days_detected": 59, + "detection_date": "2025-06-02T04:46:51.710Z", + "last_scan_date": 
"2025-07-29T19:25:47.000Z", + "last_scan_result": "Succeeded", + "severity": "HIGH", + "status": "Detected" + } + }, + "tags": [ + "preserve_original_event", + "forwarded", + "sentinel_one-application_risk" + ], + "vulnerability": { + "cve": "CVE-2025-0411", + "id": "CVE-2025-0411", + "package": { + "published_date": "2025-01-20T07:04:04.000Z" + }, + "score": { + "base": 7, + "version": "3.1" + } + } +} diff --git a/packages/sentinel_one/docs/README.md b/packages/sentinel_one/docs/README.md index 2382d8b5cb9..a02e2ea7258 100644 --- a/packages/sentinel_one/docs/README.md +++ b/packages/sentinel_one/docs/README.md 
@@ -1554,3 +1554,151 @@ An example event for `threat` looks as following: | sentinel_one.threat.storyline | Storyline identifier from agent. | keyword | | sentinel_one.threat.threat_id | Threat id. | keyword | | sentinel_one.threat.whitening_option | Whitening options. | keyword | + + +### application risk + +This is the `application risk` dataset. + +An example event for `application_risk` looks as following: + +```json +{ + "@timestamp": "2025-07-29T19:25:47.000Z", + "agent": { + "ephemeral_id": "bec56874-9c81-4a9a-a08c-44ffb0bfc990", + "id": "47222315-41e7-4e81-811a-0046629ea1a7", + "name": "elastic-agent-39294", + "type": "filebeat", + "version": "8.18.0" + }, + "data_stream": { + "dataset": "sentinel_one.application_risk", + "namespace": "88783", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "47222315-41e7-4e81-811a-0046629ea1a7", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "vulnerability" + ], + "dataset": "sentinel_one.application_risk", + "id": "2228104980801805822", + "ingested": "2025-08-07T10:16:01Z", + "kind": "event", + "original": "{\"application\":\"7-Zip 22.01\",\"applicationName\":\"7-Zip\",\"applicationVendor\":\"Igor Pavlov\",\"applicationVersion\":\"22.01\",\"baseScore\":\"7.00\",\"cveId\":\"CVE-2025-0411\",\"cvssVersion\":\"3.1\",\"daysDetected\":59,\"detectionDate\":\"2025-06-02T04:46:51.710569Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"test_endpoint\",\"endpointType\":\"desktop\",\"id\":\"2228104980801805822\",\"lastScanDate\":\"2025-07-29T19:25:47Z\",\"lastScanResult\":\"Succeeded\",\"markType\":\"\",\"markedBy\":null,\"markedDate\":null,\"osType\":\"windows\",\"publishedDate\":\"2025-01-20T07:04:04Z\",\"reason\":null,\"severity\":\"HIGH\",\"status\":\"Detected\"}", + "outcome": "success", + "severity": 73, + "type": [ + "info" + ] + }, + "host": { + "id": "2162143406517023959", + "os": { + "type": "windows" + }, + 
"type": "desktop" + }, + "input": { + "type": "cel" + }, + "package": { + "name": "7-Zip", + "version": "22.01" + }, + "resource": { + "id": "2162143406517023959", + "name": "test_endpoint" + }, + "sentinel_one": { + "application_risk": { + "application": "7-Zip 22.01", + "application_vendor": "Igor Pavlov", + "days_detected": 59, + "detection_date": "2025-06-02T04:46:51.710Z", + "last_scan_date": "2025-07-29T19:25:47.000Z", + "last_scan_result": "Succeeded", + "severity": "HIGH", + "status": "Detected" + } + }, + "tags": [ + "preserve_original_event", + "forwarded", + "sentinel_one-application_risk" + ], + "vulnerability": { + "cve": "CVE-2025-0411", + "id": "CVE-2025-0411", + "package": { + "published_date": "2025-01-20T07:04:04.000Z" + }, + "score": { + "base": 7, + "version": "3.1" + } + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. 
Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword | +| input.type | Type of Filebeat input. | keyword | +| labels.is_transform_source | Distinguishes between documents that are a source for a transform and documents that are an output of a transform, to facilitate easier filtering. | constant_keyword | +| log.offset | Log offset. | long | +| observer.vendor | Vendor name of the observer. | constant_keyword | +| resource.id | The ID of the vulnerable resource. | keyword | +| resource.name | The name of the vulnerable resource. | keyword | +| sentinel_one.application_risk.application | Composed application name. | keyword | +| sentinel_one.application_risk.application_name | Application name. | keyword | +| sentinel_one.application_risk.application_vendor | Application vendor. 
| keyword | +| sentinel_one.application_risk.application_version | Application version. | keyword | +| sentinel_one.application_risk.base_score | | float | +| sentinel_one.application_risk.cve_id | CVE Id. | keyword | +| sentinel_one.application_risk.cvss_version | Cvss version. | keyword | +| sentinel_one.application_risk.days_detected | Days detected. | long | +| sentinel_one.application_risk.detection_date | Detection date. | date | +| sentinel_one.application_risk.endpoint_id | Endpoint id. | keyword | +| sentinel_one.application_risk.endpoint_name | Endpoint name. | keyword | +| sentinel_one.application_risk.endpoint_type | Endpoint type. | keyword | +| sentinel_one.application_risk.exploit_code_maturity | | keyword | +| sentinel_one.application_risk.id | Id. | keyword | +| sentinel_one.application_risk.last_scan_date | Last scan date. | date | +| sentinel_one.application_risk.last_scan_result | Last scan result. | keyword | +| sentinel_one.application_risk.mark_type | Mark type. | keyword | +| sentinel_one.application_risk.marked_by | Marked by. | keyword | +| sentinel_one.application_risk.marked_date | Marked date. | date | +| sentinel_one.application_risk.mitigation_status | Risk mitigation status. | keyword | +| sentinel_one.application_risk.mitigation_status_change_time | Mitigation status change time. | date | +| sentinel_one.application_risk.mitigation_status_changed_by | Mitigation status changer. | keyword | +| sentinel_one.application_risk.mitigation_status_reason | Mitigation status reason. | keyword | +| sentinel_one.application_risk.nvd_base_score | | double | +| sentinel_one.application_risk.nvd_cvss_version | | keyword | +| sentinel_one.application_risk.os_type | OS type. | keyword | +| sentinel_one.application_risk.published_date | Published date. | date | +| sentinel_one.application_risk.reason | Reason. 
| keyword | +| sentinel_one.application_risk.remediation_level | | keyword | +| sentinel_one.application_risk.report_confidence | | keyword | +| sentinel_one.application_risk.risk_score | | double | +| sentinel_one.application_risk.severity | Severity. | keyword | +| sentinel_one.application_risk.status | Risk status. | keyword | +| vulnerability.cve | The CVE id of the vulnerability. | keyword | +| vulnerability.package.published_date | When the vulnerability was published. | date | + diff --git a/packages/sentinel_one/elasticsearch/transform/latest_risk/fields/base-fields.yml b/packages/sentinel_one/elasticsearch/transform/latest_risk/fields/base-fields.yml new file mode 100644 index 00000000000..370b308b61d --- /dev/null +++ b/packages/sentinel_one/elasticsearch/transform/latest_risk/fields/base-fields.yml @@ -0,0 +1,16 @@ +- name: data_stream.type + external: ecs +- name: data_stream.dataset + external: ecs +- name: data_stream.namespace + external: ecs +- name: "@timestamp" + external: ecs +- name: event.module + type: constant_keyword + external: ecs + value: sentinel_one +- name: event.dataset + type: constant_keyword + external: ecs + value: sentinel_one.application_risk diff --git a/packages/sentinel_one/elasticsearch/transform/latest_risk/fields/beats.yml b/packages/sentinel_one/elasticsearch/transform/latest_risk/fields/beats.yml new file mode 100644 index 00000000000..4084f1dc7f5 --- /dev/null +++ b/packages/sentinel_one/elasticsearch/transform/latest_risk/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/sentinel_one/elasticsearch/transform/latest_risk/fields/ecs.yml b/packages/sentinel_one/elasticsearch/transform/latest_risk/fields/ecs.yml new file mode 100644 index 00000000000..81da2d50621 --- /dev/null +++ b/packages/sentinel_one/elasticsearch/transform/latest_risk/fields/ecs.yml 
@@ -0,0 +1,4 @@ +- name: observer.vendor + external: ecs + type: constant_keyword + value: SentinelOne diff --git a/packages/sentinel_one/elasticsearch/transform/latest_risk/fields/fields.yml b/packages/sentinel_one/elasticsearch/transform/latest_risk/fields/fields.yml new file mode 100644 index 00000000000..33aaaa985b9 --- /dev/null +++ b/packages/sentinel_one/elasticsearch/transform/latest_risk/fields/fields.yml 
@@ -0,0 +1,98 @@
+- name: sentinel_one
+ type: group
+ fields:
+ - name: application_risk
+ type: group
+ fields:
+ - name: application
+ type: keyword
+ description: Composed application name.
+ - name: application_name
+ type: keyword
+ description: Application name.
+ - name: application_vendor
+ type: keyword
+ description: Application vendor.
+ - name: application_version
+ type: keyword
+ description: Application version.
+ - name: base_score
+ type: float
+ - name: cve_id
+ type: keyword
+ description: CVE Id.
+ - name: cvss_version
+ type: keyword
+ description: Cvss version.
+ - name: days_detected
+ type: long
+ description: Days detected.
+ - name: detection_date
+ type: date
+ description: Detection date.
+ - name: endpoint_id
+ type: keyword
+ description: Endpoint id.
+ - name: endpoint_name
+ type: keyword
+ description: Endpoint name.
+ - name: endpoint_type
+ type: keyword
+ description: Endpoint type.
+ - name: exploit_code_maturity
+ type: keyword
+ - name: id
+ type: keyword
+ description: Id.
+ - name: last_scan_date
+ type: date
+ description: Last scan date.
+ - name: last_scan_result
+ type: keyword
+ description: Last scan result.
+ - name: mark_type
+ type: keyword
+ description: Mark type.
+ - name: marked_by
+ type: keyword
+ description: Marked by.
+ - name: marked_date
+ type: date
+ description: Marked date.
+ - name: mitigation_status
+ type: keyword
+ description: Risk mitigation status.
+ - name: mitigation_status_change_time
+ type: date
+ description: Mitigation status change time.
+ - name: mitigation_status_changed_by
+ type: keyword
+ description: Mitigation status changer.
+ - name: mitigation_status_reason
+ type: keyword
+ description: Mitigation status reason.
+ - name: nvd_base_score
+ type: double
+ - name: nvd_cvss_version
+ type: keyword
+ - name: os_type
+ type: keyword
+ description: OS type.
+ - name: published_date
+ type: date
+ description: Published date.
+ - name: reason
+ type: keyword
+ description: Reason.
+ - name: remediation_level
+ type: keyword
+ - name: report_confidence
+ type: keyword
+ - name: risk_score
+ type: double
+ - name: severity
+ type: keyword
+ description: Severity.
+ - name: status
+ type: keyword
+ description: Risk status.
diff --git a/packages/sentinel_one/elasticsearch/transform/latest_risk/fields/is-transform-source-false.yml b/packages/sentinel_one/elasticsearch/transform/latest_risk/fields/is-transform-source-false.yml new file mode 100644
index 00000000000..490a079e7a7
--- /dev/null
+++ b/packages/sentinel_one/elasticsearch/transform/latest_risk/fields/is-transform-source-false.yml
@@ -0,0 +1,4 @@
+- name: labels.is_transform_source
+ type: constant_keyword
+ description: Distinguishes between documents that are a source for a transform and documents that are an output of a transform, to facilitate easier filtering.
+ value: "false"
diff --git a/packages/sentinel_one/elasticsearch/transform/latest_risk/fields/resource.yml b/packages/sentinel_one/elasticsearch/transform/latest_risk/fields/resource.yml new file mode 100644
index 00000000000..dcbad49936b
--- /dev/null
+++ b/packages/sentinel_one/elasticsearch/transform/latest_risk/fields/resource.yml
@@ -0,0 +1,9 @@
+- name: resource
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: The ID of the vulnerable resource.
+ - name: name
+ type: keyword
+ description: The name of the vulnerable resource.
diff --git a/packages/sentinel_one/elasticsearch/transform/latest_risk/fields/vulnerability.yml b/packages/sentinel_one/elasticsearch/transform/latest_risk/fields/vulnerability.yml new file mode 100644
index 00000000000..0ecdd74143f
--- /dev/null
+++ b/packages/sentinel_one/elasticsearch/transform/latest_risk/fields/vulnerability.yml
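Review bot: Seven fields in this mapping (`base_score`, `exploit_code_maturity`, `nvd_base_score`, `nvd_cvss_version`, `remediation_level`, `report_confidence`, `risk_score`) carry no `description`, and `base_score` is typed `float` while `nvd_base_score` and `risk_score` are `double`; the README table in this change reproduces the blank cells. The three score fields hold the same kind of value, so they should share one type (`float` is sufficient for a CVSS-style score) and each should say what it measures, e.g. `description: CVSS base score reported by SentinelOne.` and `description: CVSS base score published by NVD.`. `exploit_code_maturity`, `remediation_level` and `report_confidence` read like the CVSS temporal metrics, but that is inferred from the names; if confirmed, a one-line description naming the metric would make the dashboard filters self-explanatory.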
@@ -0,0 +1,12 @@
+- name: vulnerability
+ type: group
+ fields:
+ - name: cve
+ type: keyword
+ description: The CVE id of the vulnerability.
+ - name: package
+ type: group
+ fields:
+ - name: published_date
+ type: date
+ description: When the vulnerability was published.
diff --git a/packages/sentinel_one/elasticsearch/transform/latest_risk/manifest.yml b/packages/sentinel_one/elasticsearch/transform/latest_risk/manifest.yml new file mode 100644
index 00000000000..24e9e926793
--- /dev/null
+++ b/packages/sentinel_one/elasticsearch/transform/latest_risk/manifest.yml
@@ -0,0 +1,11 @@
+start: true
+destination_index_template:
+ mappings:
+ dynamic: true
+ dynamic_templates:
+ - strings_as_keyword:
+ match_mapping_type: string
+ mapping:
+ ignore_above: 1024
+ type: keyword
+ date_detection: true
diff --git a/packages/sentinel_one/elasticsearch/transform/latest_risk/transform.yml b/packages/sentinel_one/elasticsearch/transform/latest_risk/transform.yml new file mode 100644
index 00000000000..03e9b327b89
--- /dev/null
+++ b/packages/sentinel_one/elasticsearch/transform/latest_risk/transform.yml
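Review bot: The transform's `vulnerability` mapping declares only `cve` and `package.published_date`, yet the sample event in this change also carries `vulnerability.id`, `vulnerability.score.base` and `vulnerability.score.version`, so in the destination index those fall through to the `dynamic: true` template in the adjacent `manifest.yml`. Strings become `keyword` there, but `score.base` arrives as a JSON number (`7` in the sample), so Elasticsearch will presumably infer `long` from whichever document lands first and then truncate fractional scores such as `7.8`; the data stream's own mapping is not visible here, but if it maps the field as `float` the source and latest indices will disagree on the same value. Declaring the fields explicitly removes the dependence on insertion order:

```yaml
- name: vulnerability
  type: group
  fields:
    # … unchanged: cve …
    - name: id
      type: keyword
      description: Identifier of the vulnerability; the CVE id for SentinelOne application risks.
    - name: score
      type: group
      fields:
        - name: base
          type: float
          description: CVSS base score.
        - name: version
          type: keyword
          description: CVSS version the base score was computed with.
    # … unchanged: package.published_date …
```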
@@ -0,0 +1,37 @@
+# Use of "*" to use all namespaces defined.
+source:
+ index:
+ - "logs-sentinel_one.application_risk-*"
+dest:
+ index: "logs-sentinel_one_latest.dest_application_risk-1"
+ aliases:
+ - alias: "logs-sentinel_one_latest.application_risk"
+ move_on_creation: true
+latest:
+ unique_key:
+ - event.dataset
+ - event.id
+ sort: "@timestamp"
+description: >-
+ Latest application risk from SentinelOne. As application risk get updated, this transform stores only the latest state of each application risk inside the destination index. Thus the transform's destination index contains only the latest state of the application risk.
+frequency: 30s
+settings:
+ # This is required to prevent the transform from clobbering the Fleet-managed mappings.
+ deduce_mappings: false
+ unattended: true
+sync:
+ time:
+ field: "event.ingested"
+ # Updated to 120s because of refresh delay in Serverless. With default 60s,
+ # sometimes transform wouldn't process all documents.
+ delay: 120s
+retention_policy:
+ time:
+ field: "event.ingested"
+ max_age: 30d
+_meta:
+ managed: false
+ # Bump this version to delete, reinstall, and restart the transform during
+ # package installation.
+ fleet_transform_version: 0.1.0
+ run_as_kibana_system: false
diff --git a/packages/sentinel_one/img/sentinel-one-application-risk-dashboard.png b/packages/sentinel_one/img/sentinel-one-application-risk-dashboard.png new file mode 100644
index 00000000000..14e4ca4813a Binary files /dev/null and b/packages/sentinel_one/img/sentinel-one-application-risk-dashboard.png differ
diff --git a/packages/sentinel_one/kibana/dashboard/sentinel_one-9d3f16ad-d421-4475-b0e2-c9b3f795e0d5.json b/packages/sentinel_one/kibana/dashboard/sentinel_one-9d3f16ad-d421-4475-b0e2-c9b3f795e0d5.json new file mode 100644
index 00000000000..7ea70818dcd
--- /dev/null
+++ b/packages/sentinel_one/kibana/dashboard/sentinel_one-9d3f16ad-d421-4475-b0e2-c9b3f795e0d5.json
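Review bot: The `description` promises that the destination index holds only the latest state of each risk, but nothing here removes a risk the API stops returning (for instance once the application is patched); such a document survives until `retention_policy` drops it 30 days after its last `event.ingested`, so a dashboard on the `logs-sentinel_one_latest.application_risk` alias can over-report open vulnerabilities by up to a month at the default 24h polling interval. That is a property of the latest-transform design rather than a bug, but it belongs in the description, e.g. `Risks the API no longer reports remain in the destination index until max_age (30d) expires.` Also note that `sort: "@timestamp"` appears, from the sample event in this change, to be derived from `lastScanDate`, so two ingests of the same risk between scans tie on the sort key and which one wins is unspecified; since the sync field is already `event.ingested`, sorting on it too (`sort: "event.ingested"`) would make "latest" mean latest-ingested unambiguously.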
@@ -0,0 +1,882 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "37453bed-8c5d-4440-b59f-6139886d0c30": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "sentinel_one.application_risk.severity", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Severity" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "sentinel_one.application_risk" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "sentinel_one.application_risk" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Navigation**\n\n[Sentinel One Activity Dashboard](#/dashboard/sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538)\n\n[Sentinel One Agent 
Dashboard](#/dashboard/sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538)\n\n[Sentinel One Alert Dashboard](#/dashboard/sentinel_one-bcf1f680-bba3-11ec-82b7-8fcb232e9538)\n\n[Sentinel One Application Dashboard]()\n\n**Sentinel One Application Risk Dashboard**\n\n[Sentinel One Group Dashboard](#/dashboard/sentinel_one-5881f5f0-bb2c-11ec-82b7-8fcb232e9538)\n\n[Sentinel One Threat Dashboard](#/dashboard/sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538)\n\n**Overview**\n\nThis dashboard provides a clear overview of application risk data from the SentinelOne integration. It includes total vulnerability metrics, highlights the number of high and critical vulnerabilities, and visualizes application vulnerabilities by severity through a pie chart. A bar chart shows the distribution of applications based on their vulnerability count, while a table lists the top vulnerabilities for deeper insight.\n\n\n\n[**Integrations Page**](/app/integrations/detail/sentinel_one/overview)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 31, + "i": "1bc96a69-6907-4a25-9000-f1d476808080", + "w": 10, + "x": 0, + "y": 0 + }, + "panelIndex": "1bc96a69-6907-4a25-9000-f1d476808080", + "title": "Table of Content", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5549cb09-0755-4170-848a-a514a3f21ca1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3610de1c-66cf-4e73-b443-ae863c9aadf3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "5549cb09-0755-4170-848a-a514a3f21ca1": { + "columnOrder": [ + "b1e6aec6-468b-4ff1-bb1f-07628982cdea" + ], + "columns": { + "b1e6aec6-468b-4ff1-bb1f-07628982cdea": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "High and Critical Vulnerability", + 
"operationType": "unique_count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "vulnerability.cve" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "sentinel_one.application_risk.severity", + "index": "3610de1c-66cf-4e73-b443-ae863c9aadf3", + "key": "sentinel_one.application_risk.severity", + "negate": false, + "params": [ + "CRITICAL", + "HIGH" + ], + "type": "phrases", + "value": [ + "CRITICAL", + "HIGH" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "sentinel_one.application_risk.severity": "CRITICAL" + } + }, + { + "match_phrase": { + "sentinel_one.application_risk.severity": "HIGH" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "5549cb09-0755-4170-848a-a514a3f21ca1", + "layerType": "data", + "metricAccessor": "b1e6aec6-468b-4ff1-bb1f-07628982cdea" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "sentinel_one.application_risk.severity", + "index": "logs-*", + "key": "sentinel_one.application_risk.severity", + "negate": false, + "params": [ + "CRITICAL", + "HIGH" + ], + "type": "phrases", + "value": [ + "CRITICAL", + "HIGH" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "sentinel_one.application_risk.severity": "CRITICAL" + } + }, + { + "match_phrase": { + "sentinel_one.application_risk.severity": "HIGH" + } + } + ] + } + } + } + ], + 
"hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 7, + "i": "c971af22-203d-47d5-9386-5da727ac74b8", + "w": 15, + "x": 10, + "y": 7 + }, + "panelIndex": "c971af22-203d-47d5-9386-5da727ac74b8", + "title": "High and Critical Vulnerability [Logs SentinelOne]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8291048e-6365-408f-8ba9-95919847f231", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "8291048e-6365-408f-8ba9-95919847f231": { + "columnOrder": [ + "bca95e37-a4e9-4b88-a874-6ed7e38625a9" + ], + "columns": { + "bca95e37-a4e9-4b88-a874-6ed7e38625a9": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Vulnerability ", + "operationType": "unique_count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "vulnerability.cve" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "8291048e-6365-408f-8ba9-95919847f231", + "layerType": "data", + "metricAccessor": "bca95e37-a4e9-4b88-a874-6ed7e38625a9" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "language": "kuery", + 
"query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 7, + "i": "746b8ad1-636e-4d63-8c15-962ad7300974", + "w": 15, + "x": 10, + "y": 0 + }, + "panelIndex": "746b8ad1-636e-4d63-8c15-962ad7300974", + "title": "Total Vulnerability [Logs SentinelOne]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e18d30d0-f39a-4d0f-8044-0fcbd1862198", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "e18d30d0-f39a-4d0f-8044-0fcbd1862198": { + "columnOrder": [ + "a65560c9-9ba1-4cf8-8ac3-1e77a0205d3d", + "b2ef418a-35c1-4b3e-83af-0b0088daa386" + ], + "columns": { + "a65560c9-9ba1-4cf8-8ac3-1e77a0205d3d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "CVE", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "b2ef418a-35c1-4b3e-83af-0b0088daa386", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "vulnerability.cve" + }, + "b2ef418a-35c1-4b3e-83af-0b0088daa386": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "a65560c9-9ba1-4cf8-8ac3-1e77a0205d3d", + "isTransposed": false + }, + { 
+ "columnId": "b2ef418a-35c1-4b3e-83af-0b0088daa386", + "isTransposed": false + } + ], + "layerId": "e18d30d0-f39a-4d0f-8044-0fcbd1862198", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 17, + "i": "a317ce8c-e92a-4b6e-9887-0bb678a25cf8", + "w": 10, + "x": 38, + "y": 14 + }, + "panelIndex": "a317ce8c-e92a-4b6e-9887-0bb678a25cf8", + "title": "Top Vulnerability [Logs SentinelOne]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d6a2a1d4-7970-4e71-87ff-b30c10342bad", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d6a2a1d4-7970-4e71-87ff-b30c10342bad": { + "columnOrder": [ + "8f4d13ea-7b9d-454d-a232-9153f204c997", + "377930e7-3d92-42e9-b573-12dc2fdb0373" + ], + "columns": { + "377930e7-3d92-42e9-b573-12dc2fdb0373": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Vulnerability", + "operationType": "unique_count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "vulnerability.cve" + }, + "8f4d13ea-7b9d-454d-a232-9153f204c997": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Application", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "377930e7-3d92-42e9-b573-12dc2fdb0373", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": 
"sentinel_one.application_risk.application" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "377930e7-3d92-42e9-b573-12dc2fdb0373" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "d6a2a1d4-7970-4e71-87ff-b30c10342bad", + "layerType": "data", + "seriesType": "bar_horizontal", + "xAccessor": "8f4d13ea-7b9d-454d-a232-9153f204c997" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_percentage_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 17, + "i": "a02957bb-1603-4f3e-8bb9-35244d6690a7", + "w": 28, + "x": 10, + "y": 14 + }, + "panelIndex": "a02957bb-1603-4f3e-8bb9-35244d6690a7", + "title": "Application by Vulnerability [Logs SentinelOne]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-aec928f6-a0eb-4995-85b6-844d1c00c34a", + "type": 
"index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "aec928f6-a0eb-4995-85b6-844d1c00c34a": { + "columnOrder": [ + "7bbcca58-f52c-4afd-98e6-12eee067a032", + "468a40e6-8917-4f74-ba2e-a9e4bfd2dab4" + ], + "columns": { + "468a40e6-8917-4f74-ba2e-a9e4bfd2dab4": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "CVE", + "operationType": "unique_count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "vulnerability.cve" + }, + "7bbcca58-f52c-4afd-98e6-12eee067a032": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Risk Severity", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "468a40e6-8917-4f74-ba2e-a9e4bfd2dab4", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "sentinel_one.application_risk.severity" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "aec928f6-a0eb-4995-85b6-844d1c00c34a", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "468a40e6-8917-4f74-ba2e-a9e4bfd2dab4" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + 
"7bbcca58-f52c-4afd-98e6-12eee067a032" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 14, + "i": "b301c7d1-65fb-4e9c-bd88-149976cbfaa6", + "w": 23, + "x": 25, + "y": 0 + }, + "panelIndex": "b301c7d1-65fb-4e9c-bd88-149976cbfaa6", + "title": "Application Vulnerability by Severity [Logs Sentinel]", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs SentinelOne] Application Risk", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-08-05T13:18:10.722Z", + "id": "sentinel_one-9d3f16ad-d421-4475-b0e2-c9b3f795e0d5", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c971af22-203d-47d5-9386-5da727ac74b8:indexpattern-datasource-layer-5549cb09-0755-4170-848a-a514a3f21ca1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c971af22-203d-47d5-9386-5da727ac74b8:3610de1c-66cf-4e73-b443-ae863c9aadf3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "746b8ad1-636e-4d63-8c15-962ad7300974:indexpattern-datasource-layer-8291048e-6365-408f-8ba9-95919847f231", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a317ce8c-e92a-4b6e-9887-0bb678a25cf8:indexpattern-datasource-layer-e18d30d0-f39a-4d0f-8044-0fcbd1862198", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a02957bb-1603-4f3e-8bb9-35244d6690a7:indexpattern-datasource-layer-d6a2a1d4-7970-4e71-87ff-b30c10342bad", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b301c7d1-65fb-4e9c-bd88-149976cbfaa6:indexpattern-datasource-layer-aec928f6-a0eb-4995-85b6-844d1c00c34a", + "type": 
"index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_37453bed-8c5d-4440-b59f-6139886d0c30:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "sentinel_one-security-solution-default",
+ "name": "tag-ref-sentinel_one-security-solution-default",
+ "type": "tag"
+ },
+ {
+ "id": "sentinel_one-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "dashboard",
+ "typeMigrationVersion": "10.2.0"
+}
\ No newline at end of file
diff --git a/packages/sentinel_one/kibana/tag/sentinel_one-security-solution-default.json b/packages/sentinel_one/kibana/tag/sentinel_one-security-solution-default.json
index 89ee62ea186..de43ab7e2a2 100644
--- a/packages/sentinel_one/kibana/tag/sentinel_one-security-solution-default.json
+++ b/packages/sentinel_one/kibana/tag/sentinel_one-security-solution-default.json
@@ -1,13 +1,12 @@
 {
 "attributes": {
- "color": "#00BFB3",
+ "color": "#F583B7",
 "description": "Tag defined in package-spec",
 "name": "Security Solution"
 },
 "coreMigrationVersion": "8.8.0",
- "created_at": "2025-05-09T10:41:46.010Z",
+ "created_at": "2025-08-05T11:48:23.245Z",
 "id": "sentinel_one-security-solution-default",
- "managed": true,
 "references": [],
 "type": "tag",
 "typeMigrationVersion": "8.0.0"
diff --git a/packages/sentinel_one/manifest.yml b/packages/sentinel_one/manifest.yml
index 938bbf6c2a4..57c0b82c939 100644
--- a/packages/sentinel_one/manifest.yml
+++ b/packages/sentinel_one/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.4.0"
 name: sentinel_one
 title: SentinelOne
-version: "1.37.0"
+version: "1.38.0"
 description: Collect logs from SentinelOne with Elastic Agent.
 type: integration
 categories:
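Review bot: The `"managed": true` attribute is dropped from the tag saved object in the tag hunk without the commit explaining why, while the `color` and `created_at` changes in the same hunk look like re-export churn rather than intentional edits. Kibana presumably treats a managed saved object differently from a user-created one (e.g. restricting edits in the UI), so removing the flag may be user-visible; if the removal is deliberate, say so in the commit message, otherwise keep `"managed": true,` after the `id` line. The regenerated `created_at` timestamp carries no information and makes the diff noisier than it needs to be; consider leaving it at its previous value when the tag is re-exported.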
@@ -15,6 +15,10 @@ screenshots:
 title: SentinelOne Threat Dashboard Screenshot
 size: 600x600
 type: image/png
+ - src: /img/sentinel-one-application-risk-dashboard.png
+ title: SentinelOne Application Risk Dashboard
+ size: 600x600
+ type: image/png
 - src: /img/sentinel-one-application-dashboard.png
 title: SentinelOne Application Dashboard Screenshot
 size: 600x600
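Review bot: The new screenshot entry's title omits the `Screenshot` suffix that both neighbouring entries use (`SentinelOne Threat Dashboard Screenshot`, `SentinelOne Application Dashboard Screenshot`); for consistency use `title: SentinelOne Application Risk Dashboard Screenshot`. The entry also references `/img/sentinel-one-application-risk-dashboard.png`, which is not part of this diff as far as I can see, so confirm the image is added under the package's img directory in the same change or the package build will point at a missing asset.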