Merged
4 changes: 2 additions & 2 deletions docs/soc-optimization-unified/overview.md
Expand Up @@ -5,7 +5,7 @@
| Field | Value |
|---|---|
| ID | `soc-optimization-unified` |
| Version | `3.10.10` |
| Version | `3.10.11` |
| Category | Use Case |
| Pack Path | `Packs/soc-optimization-unified` |
| Manifest | [`Packs/soc-optimization-unified/xsoar_config.json`](https://github.com/Palo-Cortex/secops-framework/blob/main/Packs/soc-optimization-unified/xsoar_config.json) |
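Review bot: the Version row moves to `3.10.11`, but the Manifest row in the same hunk still points at `Packs/soc-optimization-unified/xsoar_config.json`, a file this PR does not touch; confirm the manifest's version was bumped in the same change (or that this overview is regenerated from it), otherwise the doc and the pack manifest disagree on the released version.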
Expand All @@ -24,7 +24,7 @@ Additional custom packs the installer pulls in alongside this pack.

| Pack | System | Source |
|---|---|---|
| `soc-optimization-unified.zip` | `yes` | [release](https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.10.10/soc-optimization-unified-v3.10.10.zip) |
| `soc-optimization-unified.zip` | `yes` | [release](https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.10.11/soc-optimization-unified-v3.10.11.zip) |
| `soc-framework-nist-ir.zip` | `yes` | [release](https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-nist-ir-v1.6.3/soc-framework-nist-ir-v1.6.3.zip) |

## Marketplace Dependencies
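Review bot: the Source link for `soc-optimization-unified.zip` now targets `soc-optimization-unified-v3.10.11/soc-optimization-unified-v3.10.11.zip`, a release asset this PR cannot create by itself; verify the `soc-optimization-unified-v3.10.11` tag and zip are published before merging, since this table is what readers follow to fetch the pack and a missing asset is a dead link.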
1 change: 1 addition & 0 deletions docs/soc-sentinel-one/overview.md
Expand Up @@ -15,6 +15,7 @@
Reference documentation for the schemas this pack defines.

- [SentinelOne Singularity (sentinelone)](sentinelone-threat.md)
- [SentinelOne Singularity (sentinelone)](soc-sentinelone-threat.md)

## Custom Packs Installed

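Review bot: the added list item reuses the exact label `SentinelOne Singularity (sentinelone)` of the entry above it, so the schema list shows two indistinguishable links, one to `sentinelone-threat.md` and one to `soc-sentinelone-threat.md`; give the new entry a distinct label (for example include the schema file stem, `soc-sentinelone-threat`) or, if the new schema supersedes the old one, drop the old entry rather than listing both.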
250 changes: 250 additions & 0 deletions docs/soc-sentinel-one/soc-sentinelone-threat.md
@@ -0,0 +1,250 @@
# SentinelOne Singularity (sentinelone) — Vendor Schema

<!-- GENERATED FILE — do not edit by hand. Run `python tools/generate_schema_docs.py` to regenerate. -->

> **Source:** [`schemas/vendors/sentinel-one/soc-sentinelone-threat.yaml`](https://github.com/Palo-Cortex/secops-framework/blob/main/schemas/vendors/sentinel-one/soc-sentinelone-threat.yaml)

## Identity

| Field | Value |
|---|---|
| vendor | `sentinelone` |
| product | `SentinelOne Singularity` |
| data_source | `sentinelone_v2_generic_alert_raw` |
| category | `Endpoint` |

## Raw Schema

Fields available in the raw ingest dataset.

| Field | Type | Array | Status | JSON Subfields |
|---|---|---|---|---|
| `_alert_data` | `json` | | declared | |
| `threatInfo` | `json` | | declared | |
| `sourceProcessInfo` | `json` | | declared | |
| `sourceParentProcessInfo` | `json` | | declared | |
| `agentRealtimeInfo` | `json` | | declared | |
| `indicators` | `json` | ✓ | declared | |

## Modeling Rule — SentinelOne Singularity Modeling Rule

| Field | Value |
|---|---|
| modeling_rule_id | `SentinelOne_V2_ModelingRule` |
| modeling_rule_name | `SentinelOne Singularity Modeling Rule` |
| directory_name | `SentinelOneV2_ModelingRule` |
| fromversion | `8.0.0` |

### Field Mappings

What each XDM field is, where it sources from, what issue field it surfaces on, and why the mapping is shaped the way it is.

| XDM Path | Expression | Sources | Issue Field | Description |
|---|---|---|---|---|
| `xdm.observer.vendor` | `"SentinelOne"` | | | |
| `xdm.observer.product` | `"SentinelOne Singularity"` | | | |
| `xdm.alert.severity` | `lowercase(json_extract_scalar(_alert_data, "$.severity"))` | | | |
| `xdm.alert.name` | `json_extract_scalar(_alert_data, "$.alert_name")` | | | |
| `xdm.alert.description` | `json_extract_scalar(_alert_data, "$.alert_description")` | | | |
| `xdm.source.user.username` | `lowercase(coalesce( threatInfo -> processUser, sourceProcessInfo -> effec...` | | | Filters SYSTEM / NT AUTHORITY / service accounts to null. No domain-strip — REAL_TIME forbids the identity-map join. |
| `xdm.source.host.hostname` | `agentRealtimeInfo -> agentComputerName` | | | |
| `xdm.source.agent.identifier` | `json_extract_scalar(_alert_data, "$.agent_id")` | | | |
| `xdm.source.host.device_id` | `json_extract_scalar(_alert_data, "$.agent_id")` | | | |
| `xdm.source.process.name` | `coalesce(threatInfo -> originatorProcess, sourceProcessInfo -> name)` | | | |
| `xdm.source.process.executable.path` | `coalesce(threatInfo -> filePath, sourceProcessInfo -> filePath)` | | | |
| `xdm.source.process.executable.sha256` | `coalesce(threatInfo -> sha256, sourceProcessInfo -> fileHashSha256)` | | | |
| `xdm.source.process.command_line` | `coalesce(sourceProcessInfo -> commandline, threatInfo -> maliciousProcessArgu...` | | | |
| `xdm.source.process.pid` | `sourceProcessInfo -> pid` | | | |
| `xdm.source.process.executable.signer` | `coalesce(threatInfo -> publisherName, sourceProcessInfo -> fileSignerIdentity)` | | | |
| `xdm.source.process.parent_process.executable.name` | `sourceParentProcessInfo -> name` | | | |
| `xdm.source.process.parent_process.executable.path` | `sourceParentProcessInfo -> filePath` | | | |
| `xdm.source.process.parent_process.executable.sha256` | `sourceParentProcessInfo -> fileHashSha256` | | | |
| `xdm.source.process.causality_id` | `coalesce(sourceProcessInfo -> storyline, sourceParentProcessInfo -> storyline)` | | | S1 storyline is the causality pivot — the strongest cross-alert grouping key. |
| `xdm.target.file.filename` | `threatInfo -> threatName` | | | |
| `xdm.target.file.sha256` | `coalesce(threatInfo -> sha256, sourceProcessInfo -> fileHashSha256)` | | | |
| `xdm.target.file.sha1` | `coalesce(threatInfo -> sha1, sourceProcessInfo -> fileHashSha1)` | | | |
| `xdm.target.file.md5` | `coalesce(threatInfo -> md5, sourceProcessInfo -> fileHashMd5)` | | | |

### Contributes (Artifacts.*)

Fields populated for downstream lifecycle Artifacts schemas:

- `Vendor`
- `Product`
- `User`
- `Endpoint.Hostname`
- `Endpoint.AgentID`
- `Process.Name`
- `Process.Path`
- `Process.SHA256`
- `Process.CommandLine`
- `Process.PID`
- `Process.Signer`
- `Process.Parent.Name`
- `Process.Parent.Path`
- `Process.Parent.SHA256`
- `Process.Causality.ID`
- `Target.File`
- `Target.SHA256`

## Correlation Rules

### SOC SentinelOne Threat

| Field | Value |
|---|---|
| global_rule_id | `SOC SentinelOne Threat` |
| subtype | `passthrough` |
| fromversion | `8.0.0` |

Creates an XSIAM passthrough alert for each SentinelOne Singularity threat, normalized to the SOC Framework endpoint contract for cross-vendor case grouping.

**Tags:** `SOCFramework`, `Passthrough`, `Endpoint`, `SentinelOne`

#### Schema Constants

| Field | Value |
|---|---|
| rule_id | `0` |
| alert_category | `User Defined` |
| alert_domain | `DOMAIN_SECURITY` |
| action | `ALERTS` |
| execution_mode | `REAL_TIME` |
| mapping_strategy | `CUSTOM` |
| user_defined_category | `alert_cat` |
| user_defined_severity | `severity` |
| is_enabled | `✓` |
| drilldown_query_timeframe | `ALERT` |
| severity | `User Defined` |

#### Suppression

| Field | Value |
|---|---|
| enabled | `✓` |
| duration | `1 hours` |
| fields | `s1_threat_id` |

#### Alert Fields

Issue-field assignments emitted by the correlation rule. The Description column captures intent — when present, this is what downstream playbooks rely on the field meaning.

| Issue Field | Source | Bucket | Description |
|---|---|---|---|
| `vendor` | `vendor` | | |
| `product` | `product` | | |
| `severity` | `severity` | | |
| `alert_description` | `alert_description` | | |
| `alert_name` | `alert_name` | | |
| `originalalertid` | `originalalertid` | | |
| `originalalertname` | `originalalertname` | | |
| `sentinelonethreatid` | `s1_threat_id` | | |
| `mitretacticid` | `mitre_tactic_id` | | |
| `mitretacticname` | `mitre_tactic` | | |
| `mitretechniqueid` | `mitre_ids_str` | | |
| `mitretechniquename` | `mitre_ids_str` | | |
| `agent_hostname` | `agent_hostname` | | |
| `hostname` | `agent_hostname` | | |
| `agent_id` | `agent_id` | | |
| `agentid` | `agent_id` | | |
| `agent_device_domain` | `agent_device_domain` | | |
| `domain` | `agent_device_domain` | | |
| `deviceosname` | `deviceosname` | | |
| `actor_effective_username` | `actor_effective_username` | | |
| `username` | `actor_effective_username` | | |
| `user_principal` | `user_principal` | | |
| `actor_process_image_name` | `actor_process_image_name` | | |
| `initiatedby` | `actor_process_image_name` | | |
| `actor_process_image_path` | `actor_process_image_path` | | |
| `initiatorpath` | `actor_process_image_path` | | |
| `actor_process_image_sha256` | `actor_process_image_sha256` | | |
| `initiatorsha256` | `actor_process_image_sha256` | | |
| `actor_process_command_line` | `actor_process_command_line` | | |
| `initiatorcmd` | `actor_process_command_line` | | |
| `actor_process_os_pid` | `actor_process_os_pid` | | |
| `initiatorpid` | `actor_process_os_pid` | | |
| `actor_process_signature_vendor` | `actor_process_signature_vendor` | | |
| `initiatorsigner` | `actor_process_signature_vendor` | | |
| `causality_actor_process_image_name` | `causality_actor_process_image_name` | | |
| `causality_actor_process_image_path` | `causality_actor_process_image_path` | | |
| `causality_actor_process_image_sha256` | `causality_actor_process_image_sha256` | | |
| `cgosha256` | `causality_actor_process_image_sha256` | | |
| `causality_actor_process_command_line` | `causality_actor_process_command_line` | | |
| `causality_actor_causality_id` | `causality_actor_causality_id` | | |
| `xdmsourceprocesscausalityid` | `causality_actor_causality_id` | | |
| `action_file_name` | `action_file_name` | | |
| `filename` | `action_file_name` | | |
| `action_file_sha256` | `action_file_sha256` | | |
| `filesha256` | `action_file_sha256` | | |
| `filehash` | `action_file_sha256` | | |
| `file_sha1` | `file_sha1` | | |
| `filesha1` | `file_sha1` | | |
| `filemd5` | `file_md5` | | |

#### Pre-Alter XQL

```xql
| filter _alert_data != null
| filter json_extract_scalar(_alert_data, "$.alert_name") ~= "Sentinel One Threat"

| alter
vendor = "SentinelOne",
product = "SentinelOne Singularity",
severity = lowercase(coalesce(json_extract_scalar(_alert_data, "$.severity"), "medium")),
s1_threat_id = id,
classification = threatInfo -> classification,
confidence = threatInfo -> confidenceLevel,
detection_type = threatInfo -> detectionType,
threat_name = threatInfo -> threatName

| alter
agent_hostname = agentRealtimeInfo -> agentComputerName,
agent_id = _alert_data -> agent_id,
agent_device_domain = agentRealtimeInfo -> agentDomain,
deviceosname = agentRealtimeInfo -> agentOsName

| alter
user_raw = coalesce(threatInfo -> processUser, sourceProcessInfo -> effectiveUser, sourceProcessInfo -> user),
actor_effective_username = lowercase(coalesce(threatInfo -> processUser, sourceProcessInfo -> effectiveUser, sourceProcessInfo -> user)),
user_principal = if(coalesce(threatInfo -> processUser, sourceProcessInfo -> user, "") contains "@",
coalesce(threatInfo -> processUser, sourceProcessInfo -> user), null)

| alter
actor_process_image_name = coalesce(threatInfo -> originatorProcess, sourceProcessInfo -> name),
actor_process_image_path = coalesce(threatInfo -> filePath, sourceProcessInfo -> filePath),
actor_process_image_sha256 = coalesce(threatInfo -> sha256, sourceProcessInfo -> fileHashSha256),
actor_process_command_line = coalesce(sourceProcessInfo -> commandline, threatInfo -> maliciousProcessArguments),
actor_process_os_pid = sourceProcessInfo -> pid,
actor_process_signature_vendor = coalesce(threatInfo -> publisherName, sourceProcessInfo -> fileSignerIdentity)

| alter
causality_actor_process_image_name = sourceParentProcessInfo -> name,
causality_actor_process_image_path = sourceParentProcessInfo -> filePath,
causality_actor_process_image_sha256 = sourceParentProcessInfo -> fileHashSha256,
causality_actor_process_command_line = sourceParentProcessInfo -> commandline,
causality_actor_causality_id = coalesce(sourceProcessInfo -> storyline, sourceParentProcessInfo -> storyline)

| alter
action_file_name = threat_name,
action_file_sha256 = coalesce(threatInfo -> sha256, sourceProcessInfo -> fileHashSha256),
file_sha1 = coalesce(threatInfo -> sha1, sourceProcessInfo -> fileHashSha1),
file_md5 = coalesce(threatInfo -> md5, sourceProcessInfo -> fileHashMd5)

| alter
indicator_descriptions = arraystring(arraydistinct(arraymap(json_extract_array(to_json_string(indicators), "$."), concat("@element" -> description, " (", "@element" -> category, ")"))), ", "),
mitre_tactic = arraystring(arraydistinct(arraymap(json_extract_array(to_json_string(indicators), "$."), "@element" -> category)), ", "),
mitre_tactic_id = null,
mitre_ids_str = null

| alter
alert_cat = coalesce(classification, "Threat"),
alert_description = coalesce(json_extract_scalar(_alert_data, "$.alert_description"),
concat("SentinelOne threat: ", coalesce(threat_name, "Detection"))),
originalalertid = s1_threat_id,
originalalertname = threat_name,
alert_name = concat(
"[Endpoint] ",
coalesce(agent_hostname, "Unknown Host"), " | ",
coalesce(classification, "Threat"), " | ",
coalesce(threat_name, "Detection"))
```
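Review bot: in the Pre-Alter XQL, `mitre_tactic_id = null` and `mitre_ids_str = null` are assigned unconditionally, yet the Alert Fields table maps `mitretacticid`, `mitretechniqueid` and `mitretechniquename` to exactly those fields, so the three MITRE issue fields will be null on every alert this rule emits; either derive them from the `indicators` array (the `mitre_tactic` line already walks it with `arraymap`) or drop the mappings so downstream playbooks do not treat an always-null field as populated. Two smaller points in the same hunk: the Field Mappings description for `xdm.source.user.username` says SYSTEM / NT AUTHORITY / service accounts are filtered to null, but the correlation rule computes `actor_effective_username = lowercase(coalesce(threatInfo -> processUser, sourceProcessInfo -> effectiveUser, sourceProcessInfo -> user))` with no such filter, so the `username` issue field here can carry service accounts the modeling rule would have dropped; and `user_raw` is computed but never referenced in the Alert Fields table, so it is either dead or missing its mapping.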
1 change: 1 addition & 0 deletions mkdocs.yml
Expand Up @@ -100,6 +100,7 @@ nav:
- "soc-sentinel-one":
- Overview: soc-sentinel-one/overview.md
- SentinelOne Singularity (sentinelone): soc-sentinel-one/sentinelone-threat.md
- SentinelOne Singularity (sentinelone): soc-sentinel-one/soc-sentinelone-threat.md
- "soc-wiz-cloud":
- Overview: soc-wiz-cloud/overview.md
- Wiz Cloud (wiz): soc-wiz-cloud/wiz-finding.md
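Review bot: the new nav entry duplicates the title `SentinelOne Singularity (sentinelone)` already used on the line above for `sentinelone-threat.md`, so the rendered mkdocs sidebar will show two identical entries under `soc-sentinel-one`; give the `soc-sentinelone-threat.md` entry a distinct title (matching whatever label is used in `overview.md`) or remove the older entry if it is being replaced.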
5 changes: 4 additions & 1 deletion scenarios/h8_full_chain.yml
@@ -1,4 +1,4 @@
# H8: Full kill chain — Proofpoint + CrowdStrike
# H8: Full kill chain — Proofpoint + CrowdStrike EPP + CrowdStrike IDP
# Tests: Cross-source grouping, full NIST IR lifecycle E2E
scenario: Turla Carbon — Full Kill Chain (H8)
compress_window: 30m
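Review bot: the header comment now lists CrowdStrike IDP as a third source, but the `# Tests:` line directly below it still describes only cross-source grouping and the NIST IR lifecycle; if identity-based grouping is part of what H8 now exercises, state it there so the scenario's intent matches its inputs.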
Expand All @@ -10,3 +10,6 @@ sources:
- name: CrowdStrike
file: input_tsv/CrowdStrike-MITRE-Turla-Carbon-in-XSIAM.tsv
env: .env-brumxdr-crowdstrike
- name: CrowdStrike IDP
file: input_tsv/CrowdStrike-IDP-Turla-Carbon-Synthetic.tsv
env: .env-brumxdr-crowdstrike
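Review bot: the new `CrowdStrike IDP` source reads `input_tsv/CrowdStrike-IDP-Turla-Carbon-Synthetic.tsv`, but that file is not among the five files changed in this PR, so the scenario will fail to load unless the TSV already exists in the repo; add it here or reference the committed path. Also, the IDP source reuses `env: .env-brumxdr-crowdstrike`, the same env file as the CrowdStrike source above it; if IDP events need their own credentials or target dataset, point it at a dedicated env file, and if sharing is intentional a short comment saying so would save the next reader the question.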