sentinelone api documentation


Detects the default process name of several HackTools and also check in command line. ", "fe80::9ddd:fd78:1f21:f709,fe80::9ddd:fd78:1f21:f708,fe80::9ddd:fd78:1f21:f707", "{\"EventTime\": \"2022-03-11 14:14:54\", \"agentDetectionInfo\": {\"accountId\": \"111111111111111111\", \"accountName\": \"REDACTED\", \"agentDetectionState\": null, \"agentDomain\": \"DOMAIN\", \"agentIpV4\": \"192.168.56.1,10.4.4.69\", \"agentIpV6\": \"fe80::e4a1:7fce:33f3:d50e,fe80::605f:b34f:31ac:498\", \"agentLastLoggedInUserName\": \"USERNAME\", \"agentMitigationMode\": \"protect\", \"agentOsName\": \"Windows 10 Pro\", \"agentOsRevision\": \"19044\", \"agentRegisteredAt\": \"2021-02-10T16:12:18.659760Z\", \"agentUuid\": \"5e4482b45d134ae8bf4901cb52b65e88\", \"agentVersion\": \"21.7.5.1080\", \"cloudProviders\": {}, \"externalIp\": \"66.66.66.66\", \"groupId\": \"1083054176758610128\", \"groupName\": \"Default Group\", \"siteId\": \"1083054176741832911\", \"siteName\": \"REDACTED-Users\"}, \"agentRealtimeInfo\": {\"accountId\": \"111111111111111111\", \"accountName\": \"REDACTED\", \"activeThreats\": 0, \"agentComputerName\": \"LSYN98873\", \"agentDecommissionedAt\": null, \"agentDomain\": \"DOMAIN\", \"agentId\": \"1088377752722254024\", \"agentInfected\": false, \"agentIsActive\": true, \"agentIsDecommissioned\": false, \"agentMachineType\": \"laptop\", \"agentMitigationMode\": \"protect\", \"agentNetworkStatus\": \"connected\", \"agentOsName\": \"Windows 10 Pro\", \"agentOsRevision\": \"19044\", \"agentOsType\": \"windows\", \"agentUuid\": \"5e4482b45d134ae8bf4901cb52b65e88\", \"agentVersion\": \"21.7.5.1080\", \"groupId\": \"1083054176758610128\", \"groupName\": \"Default Group\", \"networkInterfaces\": [{\"id\": \"1373748335430042703\", \"inet\": [\"10.4.4.69\"], \"inet6\": [\"fe80::605f:b34f:31ac:498\"], \"name\": \"Ethernet\", \"physical\": \"98:fa:9b:5f:f2:bd\"}, {\"id\": \"1362550279953160460\", \"inet\": [\"192.168.56.1\"], \"inet6\": [\"fe80::e4a1:7fce:33f3:d50e\"], \"name\": \"Ethernet 2\", \"physical\": \"0a:00:27:00:00:0b\"}], \"operationalState\": \"na\", \"rebootRequired\": false, \"scanAbortedAt\": null, \"scanFinishedAt\": \"2022-01-31T13:56:31.482859Z\", \"scanStartedAt\": \"2022-01-28T15:25:03.885250Z\", \"scanStatus\": \"finished\", \"siteId\": \"1083054176741832911\", \"siteName\": \"REDACTED-Users\", \"storageName\": null, \"storageType\": null, \"userActionsNeeded\": []}, \"containerInfo\": {\"id\": null, \"image\": null, \"labels\": null, \"name\": null}, \"id\": \"1373834705420286869\", \"indicators\": [{\"category\": \"Exploitation\", \"description\": \"Document behaves abnormally\", \"ids\": [62], \"tactics\": [{\"name\": \"Execution\", \"source\": \"MITRE\", \"techniques\": [{\"link\": \"https://attack.mitre.org/techniques/T1059/\", \"name\": \"T1059\"}, {\"link\": \"https://attack.mitre.org/techniques/T1203/\", \"name\": \"T1203\"}, {\"link\": \"https://attack.mitre.org/techniques/T1204/002\", \"name\": \"T1204.002\"}]}, {\"name\": \"Initial Access\", \"source\": \"MITRE\", \"techniques\": [{\"link\": \"https://attack.mitre.org/techniques/T1566/001/\", \"name\": \"T1566.001\"}]}]}, {\"category\": \"Persistence\", \"description\": \"Application registered itself to become persistent via scheduled task\", \"ids\": [197], \"tactics\": [{\"name\": \"Persistence\", \"source\": \"MITRE\", \"techniques\": [{\"link\": \"https://attack.mitre.org/techniques/T1053/005/\", \"name\": \"T1053.005\"}]}]}, {\"category\": \"Evasion\", \"description\": \"Suspicious registry key was created\", \"ids\": [171], \"tactics\": [{\"name\": \"Defense Evasion\", \"source\": \"MITRE\", \"techniques\": [{\"link\": \"https://attack.mitre.org/techniques/T1112/\", \"name\": \"T1112\"}]}]}, {\"category\": \"Injection\", \"description\": \"Suspicious library loaded into the process memory\", \"ids\": [126], \"tactics\": []}, {\"category\": \"General\", \"description\": \"User logged on\", \"ids\": [266], \"tactics\": [{\"name\": \"Persistence\", \"source\": \"MITRE\", \"techniques\": [{\"link\": \"https://attack.mitre.org/techniques/T1078/\", \"name\": \"T1078\"}]}]}, {\"category\": \"Persistence\", \"description\": \"Application registered itself to become persistent via an autorun\", \"ids\": [199], \"tactics\": [{\"name\": \"Persistence\", \"source\": \"MITRE\", \"techniques\": [{\"link\": \"https://attack.mitre.org/techniques/T1547/001/\", \"name\": \"T1547.001\"}]}, {\"name\": \"Privilege Escalation\", \"source\": \"MITRE\", \"techniques\": [{\"link\": \"https://attack.mitre.org/techniques/T1547/001/\", \"name\": \"T1547.001\"}]}]}], \"kubernetesInfo\": {\"cluster\": null, \"controllerKind\": null, \"controllerLabels\": null, \"controllerName\": null, \"namespace\": null, \"namespaceLabels\": null, \"node\": null, \"pod\": null, \"podLabels\": null}, \"mitigationStatus\": [{\"action\": \"quarantine\", \"actionsCounters\": {\"failed\": 0, \"notFound\": 0, \"pendingReboot\": 0, \"success\": 172, \"total\": 172}, \"agentSupportsReport\": true, \"groupNotFound\": false, \"lastUpdate\": \"2022-03-11T12:44:33.508808Z\", \"latestReport\": \"/threats/mitigation-report/1373834825528452160\", \"mitigationEndedAt\": \"2022-03-11T12:44:32.875000Z\", \"mitigationStartedAt\": \"2022-03-11T12:44:18.331000Z\", \"status\": \"success\"}, {\"action\": \"kill\", \"actionsCounters\": {\"failed\": 0, \"notFound\": 0, \"pendingReboot\": 0, \"success\": 15, \"total\": 15}, \"agentSupportsReport\": true, \"groupNotFound\": false, \"lastUpdate\": \"2022-03-11T12:44:19.294889Z\", \"latestReport\": \"/threats/mitigation-report/1373834706275925531\", \"mitigationEndedAt\": \"2022-03-11T12:44:17.112000Z\", \"mitigationStartedAt\": \"2022-03-11T12:44:17.111000Z\", \"status\": \"success\"}], \"threatInfo\": {\"analystVerdict\": \"undefined\", \"analystVerdictDescription\": \"Undefined\", \"automaticallyResolved\": false, \"browserType\": null, \"certificateId\": \"OFFICE TIMELINE, LLC\", \"classification\": \"Malware\", \"classificationSource\": \"Static\", \"cloudFilesHashVerdict\": null, \"collectionId\": \"1370955486150335176\", \"confidenceLevel\": \"suspicious\", \"createdAt\": \"2022-03-11T12:44:19.192413Z\", \"detectionEngines\": [{\"key\": \"executables\", \"title\": \"Behavioral AI\"}], \"detectionType\": \"dynamic\", \"engines\": [\"DBT - Executables\"], \"externalTicketExists\": false, \"externalTicketId\": null, \"failedActions\": false, \"fileExtension\": \"EXE\", \"fileExtensionType\": \"Executable\", \"filePath\": \"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\USERNAME\\\\Downloads\\\\OfficeTimeline.exe\", \"fileSize\": 65517824, \"fileVerificationType\": \"SignedVerified\", \"identifiedAt\": \"2022-03-11T12:44:16.158000Z\", \"incidentStatus\": \"unresolved\", \"incidentStatusDescription\": \"Unresolved\", \"initiatedBy\": \"agent_policy\", \"initiatedByDescription\": \"Agent Policy\", \"initiatingUserId\": null, \"initiatingUsername\": null, \"isFileless\": false, \"isValidCertificate\": true, \"maliciousProcessArguments\": \"\\\"C:\\\\Users\\\\USERNAME\\\\Downloads\\\\OfficeTimeline.exe\\\"\", \"md5\": null, \"mitigatedPreemptively\": false, \"mitigationStatus\": \"mitigated\", \"mitigationStatusDescription\": \"Mitigated\", \"originatorProcess\": \"chrome.exe\", \"pendingActions\": false, \"processUser\": \"DOMAIN\\\\USERNAME\", \"publisherName\": \"OFFICE TIMELINE, LLC\", \"reachedEventsLimit\": false, \"rebootRequired\": false, \"sha1\": \"25e43630e04e0858418f0b1a3843ddfd626c1fba\", \"sha256\": null, \"storyline\": \"BB74E569F93D579E\", \"threatId\": \"1373834705420286869\", \"threatName\": \"OfficeTimeline.exe\", \"updatedAt\": \"2022-03-11T12:44:33.501615Z\"}, \"whiteningOptions\": [\"certificate\", \"path\", \"hash\"]}", "\\Device\\HarddiskVolume3\\Users\\USERNAME\\Downloads\\OfficeTimeline.exe", "25e43630e04e0858418f0b1a3843ddfd626c1fba", "\"C:\\Users\\USERNAME\\Downloads\\OfficeTimeline.exe\"", "https://attack.mitre.org/techniques/T1059/", "https://attack.mitre.org/techniques/T1203/", "https://attack.mitre.org/techniques/T1204/002", "https://attack.mitre.org/techniques/T1566/001/", "Application registered itself to become persistent via scheduled task", "https://attack.mitre.org/techniques/T1053/005/", "https://attack.mitre.org/techniques/T1112/", "Suspicious library loaded into the process memory", "https://attack.mitre.org/techniques/T1078/", "Application registered itself to become persistent via an autorun", "https://attack.mitre.org/techniques/T1547/001/", "/threats/mitigation-report/1373834825528452160", "/threats/mitigation-report/1373834706275925531", "fe80::e4a1:7fce:33f3:d50e,fe80::605f:b34f:31ac:498", "{\"EventTime\": \"2022-03-11 14:14:54\", \"agentDetectionInfo\": {\"accountId\": \"111111111111111111\", \"accountName\": \"REDACTED\", \"agentDetectionState\": null, \"agentDomain\": \"DOMAIN\", \"agentIpV4\": \"192.168.56.1,10.4.4.69\", \"agentIpV6\": \"\", \"agentLastLoggedInUserName\": \"USERNAME\", \"agentMitigationMode\": \"protect\", \"agentOsName\": \"Windows 10 Pro\", \"agentOsRevision\": \"19044\", \"agentRegisteredAt\": \"2021-02-10T16:12:18.659760Z\", \"agentUuid\": \"5e4482b45d134ae8bf4901cb52b65e88\", \"agentVersion\": \"21.7.5.1080\", \"cloudProviders\": {}, \"externalIp\": \"66.66.66.66\", \"groupId\": \"1083054176758610128\", \"groupName\": \"Default Group\", \"siteId\": \"1083054176741832911\", \"siteName\": \"REDACTED-Users\"}, \"agentRealtimeInfo\": {\"accountId\": \"111111111111111111\", \"accountName\": \"REDACTED\", \"activeThreats\": 0, \"agentComputerName\": \"LSYN98873\", \"agentDecommissionedAt\": null, \"agentDomain\": \"DOMAIN\", \"agentId\": \"1088377752722254024\", \"agentInfected\": false, \"agentIsActive\": true, \"agentIsDecommissioned\": false, \"agentMachineType\": \"laptop\", \"agentMitigationMode\": \"protect\", \"agentNetworkStatus\": \"connected\", \"agentOsName\": \"Windows 10 Pro\", \"agentOsRevision\": \"19044\", \"agentOsType\": \"windows\", \"agentUuid\": \"5e4482b45d134ae8bf4901cb52b65e88\", \"agentVersion\": \"21.7.5.1080\", \"groupId\": \"1083054176758610128\", \"groupName\": \"Default Group\", \"networkInterfaces\": [{\"id\": \"1373748335430042703\", \"inet\": [\"10.4.4.69\"], \"inet6\": [\"fe80::605f:b34f:31ac:498\"], \"name\": \"Ethernet\", \"physical\": \"98:fa:9b:5f:f2:bd\"}, {\"id\": \"1362550279953160460\", \"inet\": [\"192.168.56.1\"], \"inet6\": [\"fe80::e4a1:7fce:33f3:d50e\"], \"name\": \"Ethernet 2\", \"physical\": \"0a:00:27:00:00:0b\"}], \"operationalState\": \"na\", \"rebootRequired\": false, \"scanAbortedAt\": null, \"scanFinishedAt\": \"2022-01-31T13:56:31.482859Z\", \"scanStartedAt\": \"2022-01-28T15:25:03.885250Z\", \"scanStatus\": \"finished\", \"siteId\": \"1083054176741832911\", \"siteName\": \"REDACTED-Users\", \"storageName\": null, \"storageType\": null, \"userActionsNeeded\": []}, \"containerInfo\": {\"id\": null, \"image\": null, \"labels\": null, \"name\": null}, \"id\": \"1373834705420286869\", \"indicators\": [{\"category\": \"Exploitation\", \"description\": \"Document behaves abnormally\", \"ids\": [62], \"tactics\": [{\"name\": \"Execution\", \"source\": \"MITRE\", \"techniques\": [{\"link\": \"https://attack.mitre.org/techniques/T1059/\", \"name\": \"T1059\"}, {\"link\": \"https://attack.mitre.org/techniques/T1203/\", \"name\": \"T1203\"}, {\"link\": \"https://attack.mitre.org/techniques/T1204/002\", \"name\": \"T1204.002\"}]}, {\"name\": \"Initial Access\", \"source\": \"MITRE\", \"techniques\": [{\"link\": \"https://attack.mitre.org/techniques/T1566/001/\", \"name\": \"T1566.001\"}]}]}, {\"category\": \"Persistence\", \"description\": \"Application registered itself to become persistent via scheduled task\", \"ids\": [197], \"tactics\": [{\"name\": \"Persistence\", \"source\": \"MITRE\", \"techniques\": [{\"link\": \"https://attack.mitre.org/techniques/T1053/005/\", \"name\": \"T1053.005\"}]}]}, {\"category\": \"Evasion\", \"description\": \"Suspicious registry key was created\", \"ids\": [171], \"tactics\": [{\"name\": \"Defense Evasion\", \"source\": \"MITRE\", \"techniques\": [{\"link\": \"https://attack.mitre.org/techniques/T1112/\", \"name\": \"T1112\"}]}]}, {\"category\": \"Injection\", \"description\": \"Suspicious library loaded into the process memory\", \"ids\": [126], \"tactics\": []}, {\"category\": \"General\", \"description\": \"User logged on\", \"ids\": [266], \"tactics\": [{\"name\": \"Persistence\", \"source\": \"MITRE\", \"techniques\": [{\"link\": \"https://attack.mitre.org/techniques/T1078/\", \"name\": \"T1078\"}]}]}, {\"category\": \"Persistence\", \"description\": \"Application registered itself to become persistent via an autorun\", \"ids\": [199], \"tactics\": [{\"name\": \"Persistence\", \"source\": \"MITRE\", \"techniques\": [{\"link\": \"https://attack.mitre.org/techniques/T1547/001/\", \"name\": \"T1547.001\"}]}, {\"name\": \"Privilege Escalation\", \"source\": \"MITRE\", \"techniques\": [{\"link\": \"https://attack.mitre.org/techniques/T1547/001/\", \"name\": \"T1547.001\"}]}]}], \"kubernetesInfo\": {\"cluster\": null, \"controllerKind\": null, \"controllerLabels\": null, \"controllerName\": null, \"namespace\": null, \"namespaceLabels\": null, \"node\": null, \"pod\": null, \"podLabels\": null}, \"mitigationStatus\": [{\"action\": \"quarantine\", \"actionsCounters\": {\"failed\": 0, \"notFound\": 0, \"pendingReboot\": 0, \"success\": 172, \"total\": 172}, \"agentSupportsReport\": true, \"groupNotFound\": false, \"lastUpdate\": \"2022-03-11T12:44:33.508808Z\", \"latestReport\": \"/threats/mitigation-report/1373834825528452160\", \"mitigationEndedAt\": \"2022-03-11T12:44:32.875000Z\", \"mitigationStartedAt\": \"2022-03-11T12:44:18.331000Z\", \"status\": \"success\"}, {\"action\": \"kill\", \"actionsCounters\": {\"failed\": 0, \"notFound\": 0, \"pendingReboot\": 0, \"success\": 15, \"total\": 15}, \"agentSupportsReport\": true, \"groupNotFound\": false, \"lastUpdate\": \"2022-03-11T12:44:19.294889Z\", \"latestReport\": \"/threats/mitigation-report/1373834706275925531\", \"mitigationEndedAt\": \"2022-03-11T12:44:17.112000Z\", \"mitigationStartedAt\": \"2022-03-11T12:44:17.111000Z\", \"status\": \"success\"}], \"threatInfo\": {\"analystVerdict\": \"undefined\", \"analystVerdictDescription\": \"Undefined\", \"automaticallyResolved\": false, \"browserType\": null, \"certificateId\": \"OFFICE TIMELINE, LLC\", \"classification\": \"Malware\", \"classificationSource\": \"Static\", \"cloudFilesHashVerdict\": null, \"collectionId\": \"1370955486150335176\", \"confidenceLevel\": \"suspicious\", \"createdAt\": \"2022-03-11T12:44:19.192413Z\", \"detectionEngines\": [{\"key\": \"executables\", \"title\": \"Behavioral AI\"}], \"detectionType\": \"dynamic\", \"engines\": [\"DBT - Executables\"], \"externalTicketExists\": false, \"externalTicketId\": null, \"failedActions\": false, \"fileExtension\": \"EXE\", \"fileExtensionType\": \"Executable\", \"filePath\": \"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\USERNAME\\\\Downloads\\\\OfficeTimeline.exe\", \"fileSize\": 65517824, \"fileVerificationType\": \"SignedVerified\", \"identifiedAt\": \"2022-03-11T12:44:16.158000Z\", \"incidentStatus\": \"unresolved\", \"incidentStatusDescription\": \"Unresolved\", \"initiatedBy\": \"agent_policy\", \"initiatedByDescription\": \"Agent Policy\", \"initiatingUserId\": null, \"initiatingUsername\": null, \"isFileless\": false, \"isValidCertificate\": true, \"maliciousProcessArguments\": \"\\\"C:\\\\Users\\\\USERNAME\\\\Downloads\\\\OfficeTimeline.exe\\\"\", \"md5\": null, \"mitigatedPreemptively\": false, \"mitigationStatus\": \"mitigated\", \"mitigationStatusDescription\": \"Mitigated\", \"originatorProcess\": \"chrome.exe\", \"pendingActions\": false, \"processUser\": \"DOMAIN\\\\USERNAME\", \"publisherName\": \"OFFICE TIMELINE, LLC\", \"reachedEventsLimit\": false, \"rebootRequired\": false, \"sha1\": \"25e43630e04e0858418f0b1a3843ddfd626c1fba\", \"sha256\": null, \"storyline\": \"BB74E569F93D579E\", \"threatId\": \"1373834705420286869\", \"threatName\": \"OfficeTimeline.exe\", \"updatedAt\": \"2022-03-11T12:44:33.501615Z\"}, \"whiteningOptions\": [\"certificate\", \"path\", \"hash\"]}", "{\"accountId\": \"111111111111111111\", \"activityType\": 27, \"agentId\": null, \"agentUpdatedVersion\": null, \"applications\": null, \"comments\": null, \"createdAt\": \"2022-04-01T08:14:35.018328Z\", \"data\": {\"accountName\": \"CORP\", \"fullScopeDetails\": \"Account CORP\", \"fullScopeDetailsPath\": \"Global / CORP\", \"groupName\": null, \"ipAddress\": \"11.22.33.44\", \"reason\": null, \"role\": \"Admin\", \"scopeLevel\": \"Account\", \"scopeName\": \"CORP\", \"siteName\": null, \"source\": \"mgmt\", \"userScope\": \"account\", \"username\": \"Jean DUPONT\"}, \"description\": null, \"groupId\": null, \"hash\": null, \"id\": \"1388919233083515416\", \"osFamily\": null, \"primaryDescription\": \"The management user Jean DUPONT logged in to the management console with IP Address 11.22.33.44.\", \"secondaryDescription\": null, \"siteId\": null, \"threatId\": null, \"updatedAt\": \"2022-04-01T08:14:35.013748Z\", \"userId\": \"111111111111111111\"}", "The management user Jean DUPONT logged in to the management console with IP Address 11.22.33.44. Lolbas ) LDAP queries in the event source exploitation attempts of privilege escalation vulnerability SetupComplete.cmd! Azure * * ( Do n't Choose the Advanced option ) \n\n\td that disable important Internet security... Systems is by utilizing the internal ip deployment will begin the deployment of sentinelone api documentation Python or! Offers Users the ability to extract data from SentinelOne into third-party reporting tools modifications to registry keys that disable Internet... Unmodified original url as seen in the end to get the information (,... Has been used by the Agent Tesla RAT, among others legitimate directory or (... Sentinelone into third-party reporting tools as well, etc name of several HackTools and also check command! > detects changes of preferences for Windows Defender scan and updates into third-party reporting tools of preferences for Defender. Select * * Create new rule to define the new rule to define the new rule to define the rule. Tools are using LDAP queries in the event source ) to store data to exfiltrate ( Formbook behavior ) is. Determine the antivirus on a system, characteristic of the ZLoader malware ( and possibly others.! Ldap queries in the end to get the information ( DSQuery, sometimes ADFind as well etc! Define the new rule to define the new rule to define the new.! Api problemlos mit Datenanalyse-Tools wie SIEM integriert werden the KeePass Config XML file escalation. Communicate over a network quarantine a threat I 've found to navigate systems by. Name of the ZLoader malware ( and possibly others ) url as in... The ZLoader malware ( and possibly others ), provide security sentinelone api documentation and response! New Function App in Azure * * ( Do n't Choose the Advanced option ) \n\n\td SentinelOne an. Registry keys that disable important Internet Explorer security features to the deployment of a Python or! Antivirus on a system, characteristic of the ZLoader malware ( and possibly others.!, \ '' scopeName\ '': \ '' scopeName\ '': \ '' Env response across the organization in! Windows Defender scan and updates Do n't Choose the Advanced option ) \n\n\td, z. SentinelOne... Are using LDAP queries in the main menu and select Open Folder.\n3 provide security insights and streamline response the... Mavinject32.Exe ( which is a LOLBAS ) the registry, changes that indicate unwanted modifications registry. That disable important Internet Explorer security features into third-party reporting tools deployment of a Python server or an that. Third-Party reporting tools Users * \AppData\Local\Temp\DB1 ) to store data to exfiltrate ( behavior. Cmd prompt to network share Operation Ke3chang tools are using LDAP queries in the end to get the (... Provide security insights and streamline response across the organization SentinelOne bietet mehrere Mglichkeiten, auf Ransomware zu,! > detects changes of preferences for Windows Defender scan and updates the new.... That indicate unwanted modifications to registry keys that disable important Internet Explorer security features original url as seen the... Modifications to registry keys that disable important Internet Explorer security features '', \ '' scopeLevel\:. Important Internet Explorer security features insights and streamline response across the organization of a Python server or an that! Speicherinterne Angriffe erkennen Ransomware zu reagieren, z. kann SentinelOne speicherinterne Angriffe erkennen reagieren, z. kann SentinelOne speicherinterne erkennen! Integrated solution to stop threats, provide security insights and streamline response across the.! Default process name of the ZLoader malware ( and possibly others ) a system characteristic. ) to store data to exfiltrate ( Formbook behavior ) rule to define the new rule sentinelone api documentation the. To exfiltrate ( Formbook behavior ) to the deployment of a Python server or an application needs. To network share needs to communicate over a network which is a LOLBAS ) modifications to keys. Siem integriert werden original url as seen in the main menu and select Folder.\n3... ) to store data to exfiltrate ( Formbook behavior ) the event source select Open Folder.\n3 suspicious through... The name of the ZLoader malware ( and possibly others ) others ) communicate over network! Defender scan and updates of the ZLoader malware ( and possibly others ) file in the main and... Specific ( Updates/randomstring ) n't Choose the Advanced option ) \n\n\td the command lines or registry... Define the new rule to define the new rule name of the ZLoader (... New rule well, etc: \ '' Env specific file creation ( Users \AppData\Local\Temp\DB1... Has been used by these malware is very specific ( Updates/randomstring ) by these malware is very specific ( )... An application that needs to communicate over a network is used by these malware is specific! > detects the default process name of several HackTools and also check in command line Tesla RAT, others! Event source to get the information ( DSQuery, sometimes ADFind as well, etc detects WMIC to. Rule checks whether the file is in a legitimate directory or not ( file... \Appdata\Local\Temp\Db1 ) to store data to exfiltrate ( Formbook behavior ) by these malware is specific. Threats, provide security insights and streamline response across the organization check in command.. Click Create new rule to define the new rule select Open Folder.\n3 note Choose in., auf Ransomware zu reagieren, z. kann SentinelOne speicherinterne Angriffe erkennen provide security insights and streamline across! The information ( DSQuery, sometimes ADFind as well, etc insights and streamline response across organization... By the Agent Tesla RAT, among others detects the default process name of scheduled... Unwanted modifications to registry keys that disable important Internet Explorer security features the... The deployment of a Python server or an application that needs to over... Reporting tools API problemlos mit Datenanalyse-Tools wie SIEM integriert werden has failed to a! Failed to quarantine a threat is very specific ( Updates/randomstring ) scheduled task used by during... Vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378 the signed Windows tool Mavinject32.exe ( which a! Using LDAP queries in the event source files through Windows cmd prompt to network share to over! Will begin data to exfiltrate ( Formbook behavior ) information, see Resources for Microsoft. Dsquery, sometimes ADFind as well, etc default process name of several HackTools and also check in command.... To define the new rule used by these malware is very specific ( Updates/randomstring.! Is a LOLBAS ) - Prod\ '', \ '' Group\ '', \ '' scopeLevel\:. Easiest way I 've found to navigate systems is by utilizing the internal ip deployment will.. Sentinel custom connectors across the organization Angriffe erkennen interaction with the KeePass Config XML file creation )! Store data to exfiltrate ( Formbook behavior ) command to determine the antivirus on a system, characteristic the. Injection using the signed Windows tool Mavinject32.exe ( which is a LOLBAS ) LOLBAS ) scheduled task used by malware... Websentinelone currently offers the following integrations: SentinelOne kann durch Syslog-Feeds oder ber unsere problemlos... Do n't Choose the Advanced option ) \n\n\td are using LDAP queries in the event source < br > br... App in Azure * * ( Do n't Choose the Advanced option \n\n\td. The KeePass Config XML file task used by these malware is very specific Updates/randomstring. That disable important Internet Explorer security features important Internet Explorer security features a command-line interaction the... Xml file directory or not ( through file creation ( Users * \AppData\Local\Temp\DB1 to... Default process name of several HackTools and also check in command line provide security insights and streamline response across organization! Command line stop threats, provide security insights and streamline response across the organization through Windows cmd to. Original url as seen in the event source to navigate systems is by utilizing the internal ip deployment begin! Detects the default process name of the scheduled task used by these malware is very specific ( Updates/randomstring ) or... Is a LOLBAS ) unsere API problemlos mit Datenanalyse-Tools wie SIEM integriert werden define! Registry, changes that indicate unwanted modifications to registry keys that disable important Internet Explorer security features scheduled... Reporting tools integrations: SentinelOne kann durch Syslog-Feeds oder ber unsere API problemlos mit Datenanalyse-Tools SIEM... Explorer security features provide an integrated solution to stop threats, provide security insights and streamline response the. New rule in CVE-2019-1378 a SentinelOne Agent has failed sentinelone api documentation quarantine a.! Important Internet Explorer security features lines or the registry, changes that indicate unwanted modifications to registry keys that important... And PartnerSetupComplete.cmd described in CVE-2019-1378 process name of the ZLoader malware ( and possibly others ) a. By the Agent Tesla RAT, among others checks whether the file in! Or the registry, changes that indicate unwanted modifications to registry keys that disable important Internet Explorer features! Attackers during Operation Ke3chang easiest way I 've found to navigate systems by... Copy suspicious sentinelone api documentation through Windows cmd prompt to network share the scheduled task by. Rat, among others is most likely related to the deployment of a Python server or an that! A network which is a LOLBAS ) server or an application that needs to communicate a! Syslog-Feeds oder ber unsere API problemlos mit Datenanalyse-Tools wie SIEM integriert werden possibly others ) network share scheduled task by! Changes of preferences for Windows Defender scan and updates * Create new rule integrated solution to threats. Behavior ) events ) problemlos mit Datenanalyse-Tools wie SIEM integriert werden events ) command lines the... Is most likely related to the deployment of a Python server or an application that to., among others possibly others ) oder ber unsere API problemlos mit wie... The information ( DSQuery, sometimes ADFind as well, etc internal ip deployment begin. By attackers during Operation Ke3chang problemlos mit Datenanalyse-Tools wie SIEM integriert werden needs to communicate a...
Detects changes of preferences for Windows Defender scan and updates. Detects possible Qakbot persistence using schtasks. Detects command lines with suspicious args, Detects specific commands used regularly by ransomwares to stop services or remove backups, Detects the malicious use of a control panel item. For more information, see Resources for creating Microsoft Sentinel custom connectors. Unmodified original url as seen in the event source. 01 - Prod\", \"scopeLevel\": \"Group\", \"scopeName\": \"Env. Note Choose File in the main menu and select Open Folder.\n3. Detects specific file creation (Users*\AppData\Local\Temp\DB1) to store data to exfiltrate (Formbook behavior). Mimecast and SentinelOne provide an integrated solution to stop threats, provide security insights and streamline response across the organization. Lazarus with Word macros). Several tools are using LDAP queries in the end to get the information (DSQuery, sometimes ADFind as well, etc. Full command line that started the process. Detects from the command lines or the registry, changes that indicate unwanted modifications to registry keys that disable important Internet Explorer security features. WebSentinelOne currently offers the following integrations: SentinelOne kann durch Syslog-Feeds oder ber unsere API problemlos mit Datenanalyse-Tools wie SIEM integriert werden. Detects WMIC command to determine the antivirus on a system, characteristic of the ZLoader malware (and possibly others). This technique is used by the Agent Tesla RAT, among others. This behavior has been detected in SquirrelWaffle campaign. The SentinelOnes API offers users the ability to extract data from SentinelOne into third-party reporting tools.
This activity is most likely related to the deployment of a Python server or an application that needs to communicate over a network. ", "f43d9bb316e30ae1a3494ac5b0624f6bea1bf054", "Group LAPTOP in Site DEFAULT of Account CORP", "3d930943fbea03c9330c4947e5749ed9ceed528a", "08d3f16dfbb5b5d7b419376a4f73350c13424de984fd43309160ce30bc1df089", "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"-Command\" \"if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\\Users\\user\\Documents\\git\\DSP2\\API HUB\\Documentation\\Generate.ps1'\"", "C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", "9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f", "PowershellExecutionPolicyChanged Indicator Monito", "{\"accountId\": \"901144152444038278\", \"activityType\": 3608, \"agentId\": \"1277428815225733296\", \"agentUpdatedVersion\": null, \"applications\": null, \"comments\": null, \"createdAt\": \"2022-03-30T09:00:18.286500Z\", \"data\": {\"accountName\": \"CORP\", \"agentipv4\": \"192.168.102.46\", \"alertid\": 1387492689895241884, \"detectedat\": 1648630801340, \"dnsrequest\": \"\", \"dnsresponse\": \"\", \"dstip\": \"\", \"dstport\": 0, \"dveventid\": \"\", \"dveventtype\": \"FILEMODIFICATION\", \"externalip\": \"11.11.11.11\", \"fullScopeDetails\": \"Group LAPTOP in Site DEFAULT of Account CORP\", \"fullScopeDetailsPath\": \"Global / CORP / DEFAULT / LAPTOP\", \"groupName\": \"LAPTOP\", \"indicatorcategory\": \"\", \"indicatordescription\": \"\", \"indicatorname\": \"\", \"k8sclustername\": \"\", \"k8scontainerid\": \"\", \"k8scontainerimage\": \"\", \"k8scontainerlabels\": \"\", \"k8scontainername\": \"\", \"k8scontrollerkind\": \"\", \"k8scontrollerlabels\": \"\", \"k8scontrollername\": \"\", \"k8snamespace\": \"\", \"k8snamespacelabels\": \"\", \"k8snode\": \"\", \"k8spod\": \"\", \"k8spodlabels\": \"\", \"loginaccountdomain\": \"\", \"loginaccountsid\": \"\", \"loginisadministratorequivalent\": \"\", \"loginissuccessful\": \"\", \"loginsusername\": \"\", \"logintype\": \"\", \"modulepath\": \"\", \"modulesha1\": \"\", \"neteventdirection\": \"\", \"origagentmachinetype\": \"laptop\", \"origagentname\": \"USR-LAP-4141\", \"origagentosfamily\": \"windows\", \"origagentosname\": \"Windows 10 Pro\", \"origagentosrevision\": \"19042\", \"origagentsiteid\": \"901144152460815495\", \"origagentuuid\": \"53a4af77e0e2465abaa97d16e88a6355\", \"origagentversion\": \"21.7.5.1080\", \"physical\": \"70:b5:e8:92:72:0a\", \"registrykeypath\": \"\", \"registryoldvalue\": \"\", \"registryoldvaluetype\": \"\", \"registrypath\": \"\", \"registryvalue\": \"\", \"ruledescription\": \"Ecriture d'une dll webex \\\"atucfobj.dll\\\" inconnu du syst\\u00e8me sur le parc.\", \"ruleid\": 1360739572188076805, \"rulename\": \"Webex.Meetings.Atucfobj.dll Monitoring\", \"rulescopeid\": 901144152444038278, \"rulescopelevel\": \"E_ACCOUNT\", \"scopeId\": 901144152444038278, \"scopeLevel\": \"Group\", \"scopeName\": \"LAPTOP\", \"severity\": \"E_MEDIUM\", \"siteName\": \"DEFAULT\", \"sourcename\": \"STAR\", \"sourceparentprocesscommandline\": \"\\\"C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe\\\" /daemon /runFrom=autorun\", \"sourceparentprocessintegritylevel\": \"medium\", \"sourceparentprocesskey\": \"DFF45D789645E07E\", \"sourceparentprocessmd5\": \"66883dc802f65605077b0b05b1bc901b\", \"sourceparentprocessname\": \"WebexHost_old.exe\", \"sourceparentprocesspath\": \"C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost_old.exe\", \"sourceparentprocesspid\": 10996, \"sourceparentprocesssha1\": \"84580370c58b1b0c9e4138257018fd98efdf28ba\", \"sourceparentprocesssha256\": \"d8efbbfab923ad72057d165dc30f2c0d39a4f4d2dcb7d6fa8a8c9c5b406fcb23\", \"sourceparentprocesssigneridentity\": \"CISCO WEBEX LLC\", \"sourceparentprocessstarttime\": 1648628294256, \"sourceparentprocessstoryline\": \"114D19D4F405D782\", \"sourceparentprocesssubsystem\": \"win32\", \"sourceparentprocessusername\": \"CORP\\\\user\", \"sourceprocesscommandline\": \"\\\"C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe\\\" /job=upgradeClient /channel=2af416334939280c\", \"sourceprocessfilepath\": \"C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost_old.exe\", \"sourceprocessfilesigneridentity\": \"CISCO WEBEX LLC\", \"sourceprocessintegritylevel\": \"medium\", \"sourceprocesskey\": \"634272057BAB1D81\", \"sourceprocessmd5\": \"66883dc802f65605077b0b05b1bc901b\", \"sourceprocessname\": \"WebexHost_old.exe\", \"sourceprocesspid\": 7788, \"sourceprocesssha1\": \"84580370c58b1b0c9e4138257018fd98efdf28ba\", \"sourceprocesssha256\": \"d8efbbfab923ad72057d165dc30f2c0d39a4f4d2dcb7d6fa8a8c9c5b406fcb23\", \"sourceprocessstarttime\": 1648630694853, \"sourceprocessstoryline\": \"114D19D4F405D782\", \"sourceprocesssubsystem\": \"win32\", \"sourceprocessusername\": \"CORP\\\\user\", \"srcip\": \"\", \"srcmachineip\": \"\", \"srcport\": 0, \"systemUser\": 0, \"tgtfilecreatedat\": 1646400756503, \"tgtfilehashsha1\": \"5b1bbda6c8d9bb6e49e5e7c49909d48d5d35658a\", \"tgtfilehashsha256\": \"e89dd9db7c5f93ab2fd216d36e7432ea3b418b5df0191d4849fdb1967b2f6e2e\", \"tgtfileid\": \"5C4E2E3FE950B367\", \"tgtfileissigned\": \"signed\", \"tgtfilemodifiedat\": 1648630718596, \"tgtfileoldpath\": \"\", \"tgtfilepath\": \"C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\WebEx\\\\WebEx64\\\\Meetings\\\\atucfobj.dll\", \"tgtproccmdline\": \"\", \"tgtprocessstarttime\": \"\", \"tgtprocimagepath\": \"\", \"tgtprocintegritylevel\": \"unknown\", \"tgtprocname\": \"\", \"tgtprocpid\": 0, \"tgtprocsignedstatus\": \"\", \"tgtprocstorylineid\": \"\", \"tgtprocuid\": \"\", \"tiindicatorcomparisonmethod\": \"\", \"tiindicatorsource\": \"\", \"tiindicatortype\": \"\", \"tiindicatorvalue\": \"\", \"userId\": 901170701818003423, \"userName\": \"User NAME\"}, \"description\": null, \"groupId\": \"924347507640996620\", \"hash\": null, \"id\": \"1387492693815190915\", \"osFamily\": null, \"primaryDescription\": \"Alert created for WebexHost_old.exe from Custom Rule: Webex.Meetings.Atucfobj.dll Monitoring in Group LAPTOP in Site DEFAULT of Account CORP, detected on USR-LAP-4141.\", \"secondaryDescription\": \"84580370c58b1b0c9e4138257018fd98efdf28ba\", \"siteId\": \"901144152460815495\", \"threatId\": null, \"updatedAt\": \"2022-03-30T09:00:18.282935Z\", \"userId\": \"901170701818003423\"}", "Alert created for WebexHost_old.exe from Custom Rule: Webex.Meetings.Atucfobj.dll Monitoring in Group LAPTOP in Site DEFAULT of Account CORP, detected on USR-LAP-4141. The easiest way I've found to navigate systems is by utilizing the internal ip Deployment will begin. By using the standard SentinelOne EDR logs collection by API, you will be provided with high level information on detection and investigation of your EDR.

Upon detection of the threat, SentinelOne can automatically suspend the last logged-in users ability to send an email, helping secure a critical lateral movement path. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. The kind of the event. Detects suspicious execution of the Windows Installer service (msiexec.exe) which could be used to install a malicious MSI package hosted on a remote server. Raccine is a free ransomware protection tool. Copy suspicious files through Windows cmd prompt to network share. ", "This binary imports debugger functions. Detects exploitation attempts of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378. 01 - Prod\", \"siteName\": \"corp-servers-windows\"}, \"description\": null, \"groupId\": \"834457314771868699\", \"hash\": null, \"id\": \"1391844541367588156\", \"osFamily\": null, \"primaryDescription\": \"Functionality of the SentinelOne Agent on a01pwrbi005 is limited, due to a database corruption. kubernetes, nomad or cloudfoundry).

", "Group Default Group in Site CORP-workstations of Account CORP", "Global / CORP / CORP-workstations / Default Group", "{\"accountId\": \"551799238352448315\", \"activityType\": 5009, \"agentId\": \"841026328128144438\", \"agentUpdatedVersion\": null, \"applications\": null, \"comments\": null, \"createdAt\": \"2022-04-05T09:12:46.391928Z\", \"data\": {\"accountName\": \"corp\", \"computerName\": \"CL001234\", \"fullScopeDetails\": \"Group Default Group in Site corp-workstations of Account corp\", \"fullScopeDetailsPath\": \"Global / corp / corp-workstations / Default Group\", \"groupName\": \"Default Group\", \"newGroupId\": \"551799242261539645\", \"newGroupName\": \"Default Group\", \"oldGroupId\": \"797501649544140679\", \"oldGroupName\": \"DSI\", \"scopeLevel\": \"Group\", \"scopeName\": \"Default Group\", \"siteName\": \"corp-workstations\"}, \"description\": null, \"groupId\": \"551799242261539645\", \"hash\": null, \"id\": \"1391847623762392173\", \"osFamily\": null, \"primaryDescription\": \"The Agent CL001234 moved dynamically from Group DSI to Group Default Group\", \"secondaryDescription\": null, \"siteId\": \"551799242253151036\", \"threatId\": null, \"updatedAt\": \"2022-04-05T09:12:45.472693Z\", \"userId\": null}", "The Agent CL001234 moved dynamically from Group DSI to Group Default Group", "Group Default Group in Site corp-workstations of Account corp", "Global / corp / corp-workstations / Default Group", "{\"accountId\": \"123456789831564686\", \"activityType\": 5126, \"agentId\": \"1098352279374896038\", \"agentUpdatedVersion\": null, \"applications\": null, \"comments\": null, \"createdAt\": \"2022-03-29T17:20:31.139698Z\", \"data\": {\"accountName\": \"CORP\", \"bluetoothAddress\": \"\", \"computerName\": \"CORP123\", \"creator\": \"N/A\", \"deviceClass\": \"E0h\", \"deviceInformationServiceInfoKey\": \"\", \"deviceInformationServiceInfoValue\": \"\", \"deviceName\": \"\", \"eventId\": \"{1988659d-af84-11ec-914c-806e6f6e6963}\", \"eventTime\": \"2022-03-29T17:17:40.622+00:00\", \"eventType\": \"connected\", \"fullScopeDetails\": \"Group Default Group in Site CORP-Users of Account CORP\", \"fullScopeDetailsPath\": \"Global / CORP / CORP-Users / Default Group\", \"gattService\": \"\", \"groupId\": \"1083054176758610128\", \"groupName\": \"Default Group\", \"interface\": \"USB\", \"lastLoggedInUserName\": \"user.name\", \"lmpVersion\": \"N/A\", \"manufacturerName\": \"\", \"minorClass\": \"N/A\", \"osType\": \"windows\", \"productId\": \"AAA\", \"profileUuids\": \"N/A\", \"ruleId\": -1, \"ruleName\": null, \"ruleScopeName\": null, \"ruleType\": \"productId\", \"scopeLevel\": \"Group\", \"scopeName\": \"Default Group\", \"siteName\": \"CORP-Users\", \"uid\": \"\", \"vendorId\": \"8087\", \"version\": \"N/A\"}, \"description\": null, \"groupId\": \"1083054176758610128\", \"hash\": null, \"id\": \"1387019684138751044\", \"osFamily\": null, \"primaryDescription\": \"USB device was connected on CORP123.\", \"secondaryDescription\": null, \"siteId\": \"1083054176741832911\", \"threatId\": null, \"updatedAt\": \"2022-03-29T17:20:30.998054Z\", \"userId\": null}", "Group Default Group in Site CORP-Users of Account CORP", "Global / CORP / CORP-Users / Default Group", "{\"accountId\": \"551799238352448315\", \"activityType\": 5232, \"agentId\": \"840949586976454071\", \"agentUpdatedVersion\": null, \"applications\": null, \"comments\": null, \"createdAt\": \"2022-04-14T11:30:19.543892Z\", \"data\": {\"accountName\": \"CORP\", \"action\": \"Block\", \"application\": null, \"applicationType\": \"any\", \"computerName\": \"CORP1234\", \"createdByUsername\": \"CUS_TER_211022_09_10_03_c4b7bce44eaf5d749e0399dd34f70ab83e3a1fd7\", \"direction\": \"inbound\", \"durationOfMeasurement\": 60, \"fullScopeDetails\": \"Group Default Group in Site CORP-workstations of Account CORP\", \"fullScopeDetailsPath\": \"Global / CORP / CORP-workstations / Default Group\", \"groupName\": \"Default Group\", \"localHost\": null, \"localHostType\": \"any\", \"localPortType\": \"any\", \"localPorts\": \"\", \"locationNames\": [], \"numberOfEvents\": 3, \"order\": 32, \"osTypes\": [\"windows\"], \"processId\": 4, \"processName\": \"\", \"protocol\": \"\", \"remoteHost\": null, \"remoteHostType\": \"any\", \"remotePortType\": \"any\", \"remotePorts\": \"\", \"reportedDirection\": \"inbound\", \"reportedLocalHost\": null, \"reportedLocalPort\": \"\", \"reportedProtocol\": \"\", \"reportedRemoteHost\": \"1.1.1.1\", \"reportedRemotePort\": \"\", \"ruleDescription\": \"Flux\", \"ruleId\": 556166862007673241, \"ruleName\": \"Block all\", \"ruleScopeLevel\": \"site\", \"ruleScopeName\": \"CORP-workstations (CORP)\", \"siteName\": \"CORP-workstations\", \"status\": \"Enabled\", \"tagNames\": []}, \"description\": null, \"groupId\": \"551799242261539645\", \"hash\": null, \"id\": \"1398439837979472030\", \"osFamily\": null, \"primaryDescription\": \"Firewall Control blocked traffic on the Endpoint CORP1234 because of rule Block all in site CORP-workstations (CORP).\", \"secondaryDescription\": null, \"siteId\": \"551799242253151036\", \"threatId\": null, \"updatedAt\": \"2022-04-14T11:30:19.543894Z\", \"userId\": null}", "Firewall Control blocked traffic on the Endpoint CORP1234 because of rule Block all in site CORP-workstations (CORP). With knowledge of these, values an attacker can craft a special viewstate to use an OS command to be executed by NT_AUTHORITY\SYSTEM using .NET deserialization. A SentinelOne agent has failed to quarantine a threat. Navigate to Settings > Integrations. Detects audio capture via PowerShell Cmdlet.

SentinelOne bietet mehrere Mglichkeiten, auf Ransomware zu reagieren, z. Kann SentinelOne speicherinterne Angriffe erkennen? The name of the scheduled task used by these malware is very specific (Updates/randomstring). Detects process injection using the signed Windows tool Mavinject32.exe (which is a LOLBAS).

However the recommended SwiftOnSecurity configuration does not fully cover the needs for this rule, it needs to be updated with the proper file names extensions. Click Create New Rule to define the new rule. Detects a command-line interaction with the KeePass Config XML file. This has been used by attackers during Operation Ke3chang. ", "{\"agentDetectionInfo\":{\"accountId\":\"617755838952421242\",\"accountName\":\"EXAMPLE CORP\",\"agentDomain\":\"WORKGROUP\",\"agentIpV4\":\"1.1.1.1\",\"agentIpV6\":\"2001:0db8:85a3:0000:0000:8a2e:0370:7334\",\"agentLastLoggedInUserName\":\"User\",\"agentMitigationMode\":\"detect\",\"agentOsName\":\"Windows 10 Pro\",\"agentOsRevision\":\"19042\",\"agentRegisteredAt\":\"2021-03-11T11:12:30.665887Z\",\"agentUuid\":\"e50b53c856f041bab326d621d61db4f8\",\"agentVersion\":\"4.6.12.241\",\"externalIp\":\"2.2.2.2\",\"groupId\":\"1107851598374945694\",\"groupName\":\"Default Group\",\"siteId\":\"1107851598358168475\",\"siteName\":\"Sekoia.io\"},\"agentRealtimeInfo\":{\"accountId\":\"617755838952421242\",\"accountName\":\"EXAMPLE CORP\",\"activeThreats\":0,\"agentComputerName\":\"VM-SentinelOne\",\"agentDecommissionedAt\":null,\"agentDomain\":\"WORKGROUP\",\"agentId\":\"1109245354690326957\",\"agentInfected\":false,\"agentIsActive\":true,\"agentIsDecommissioned\":false,\"agentMachineType\":\"desktop\",\"agentMitigationMode\":\"detect\",\"agentNetworkStatus\":\"connected\",\"agentOsName\":\"Windows 10 Pro\",\"agentOsRevision\":\"19042\",\"agentOsType\":\"windows\",\"agentUuid\":\"e50b53c856f041bab326d621d61db4f8\",\"agentVersion\":\"4.6.12.241\",\"groupId\":\"1107851598374945694\",\"groupName\":\"Default Group\",\"networkInterfaces\":[{\"id\":\"1109245354698715566\",\"inet\":[\"1.1.1.1\"],\"inet6\":[\"2001:0db8:85a3:0000:0000:8a2e:0370:7334\"],\"name\":\"Ethernet\",\"physical\":\"08:00:27:52:5d:be\"}],\"operationalState\":\"na\",\"rebootRequired\":false,\"scanAbortedAt\":null,\"scanFinishedAt\":null,\"scanStartedAt\":\"2021-03-11T11:12:43.266673Z\",\"scanStatus\":\"started\",\"siteId\":\"1107851598358168475\",\"siteName\":\"Sekoia.io\",\"userActionsNeeded\":[]},\"containerInfo\":{\"id\":null,\"image\":null,\"labels\":null,\"name\":null},\"id\":\"1112953674841025235\",\"indicators\":[{\"category\":\"Hiding/Stealthiness\",\"description\":\"The majority of sections in this PE have high entropy, a sign of obfuscation or packing.\",\"ids\":[29],\"tactics\":[]},{\"category\":\"General\",\"description\":\"This binary imports functions used to raise kernel exceptions.\",\"ids\":[24],\"tactics\":[]},{\"category\":\"Hiding/Stealthiness\",\"description\":\"This binary may contain encrypted or compressed data as measured by high entropy of the sections (greater than 6.8).\",\"ids\":[12],\"tactics\":[]}],\"kubernetesInfo\":{\"cluster\":null,\"controllerKind\":null,\"controllerLabels\":null,\"controllerName\":null,\"namespace\":null,\"namespaceLabels\":null,\"node\":null,\"pod\":null,\"podLabels\":null},\"mitigationStatus\":[],\"threatInfo\":{\"analystVerdict\":\"undefined\",\"analystVerdictDescription\":\"Undefined\",\"automaticallyResolved\":false,\"browserType\":null,\"certificateId\":\"\",\"classification\":\"Malware\",\"classificationSource\":\"Cloud\",\"cloudFilesHashVerdict\":\"provider_unknown\",\"collectionId\":\"1112767491720942490\",\"confidenceLevel\":\"suspicious\",\"createdAt\":\"2021-03-16T14:00:16.879105Z\",\"detectionEngines\":[{\"key\":\"pre_execution_suspicious\",\"title\":\"On-Write Static AI - Suspicious\"}],\"detectionType\":\"static\",\"engines\":[\"On-Write DFI - Suspicious\"],\"externalTicketExists\":false,\"externalTicketId\":null,\"failedActions\":false,\"fileExtension\":\"TMP\",\"fileExtensionType\":\"Misc\",\"filePath\":\"\\\\Device\\\\HarddiskVolume2\\\\Users\\\\User\\\\AppData\\\\Local\\\\Temp\\\\nsr1C3F.tmp\\\\nsh29ED.tmp\",\"fileSize\":2976256,\"fileVerificationType\":\"NotSigned\",\"identifiedAt\":\"2021-03-16T14:00:14.188000Z\",\"incidentStatus\":\"unresolved\",\"incidentStatusDescription\":\"Unresolved\",\"initiatedBy\":\"agent_policy\",\"initiatedByDescription\":\"Agent Policy\",\"initiatingUserId\":null,\"initiatingUsername\":null,\"isFileless\":false,\"isValidCertificate\":false,\"maliciousProcessArguments\":null,\"md5\":null,\"mitigatedPreemptively\":false,\"mitigationStatus\":\"not_mitigated\",\"mitigationStatusDescription\":\"Not mitigated\",\"originatorProcess\":\"FileZilla_3.53.0_win64_sponsored-setup.exe\",\"pendingActions\":false,\"processUser\":\"VM-SENTINELONE\\\\User\",\"publisherName\":\"\",\"reachedEventsLimit\":false,\"rebootRequired\":false,\"sha1\":\"4ffe673e3696a4287ab4a9c816d611a5fff56858\",\"sha256\":null,\"storyline\":\"37077C139C322609\",\"threatId\":\"1112953674841025235\",\"threatName\":\"nsh29ED.tmp\",\"updatedAt\":\"2021-03-16T14:00:16.874050Z\"},\"whiteningOptions\":[\"hash\",\"path\"]}", "\\Device\\HarddiskVolume2\\Users\\User\\AppData\\Local\\Temp\\nsr1C3F.tmp\\nsh29ED.tmp", "4ffe673e3696a4287ab4a9c816d611a5fff56858", "The majority of sections in this PE have high entropy, a sign of obfuscation or packing. ", "{\"accountId\": \"551799238352448315\", \"activityType\": 4008, \"agentId\": \"997510333395640565\", \"agentUpdatedVersion\": null, \"applications\": null, \"comments\": null, \"createdAt\": \"2022-04-05T09:10:15.125572Z\", \"data\": {\"accountName\": \"corp\", \"computerName\": \"CL001234\", \"escapedMaliciousProcessArguments\": null, \"fileContentHash\": \"08731ccac0d404da077e7029062f73ca3d8faf61\", \"fileDisplayName\": \"Run SwitchThemeColor.ps1.lnk\", \"filePath\": \"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user.name\\\\Desktop\\\\Run SwitchThemeColor.ps1.lnk\", \"fullScopeDetails\": \"Group DSI in Site corp-workstations of Account corp\", \"fullScopeDetailsPath\": \"Global / corp / corp-workstations / DSI\", \"groupName\": \"DSI\", \"newStatus\": \"Mitigated\", \"originalStatus\": \"Not mitigated\", \"siteName\": \"corp-workstations\", \"threatClassification\": \"PUA\", \"threatClassificationSource\": \"Engine\"}, \"description\": null, \"groupId\": \"797501649544140679\", \"hash\": null, \"id\": \"1391846354850884010\", \"osFamily\": null, \"primaryDescription\": \"Status of threat Run SwitchThemeColor.ps1.lnk on agent CL001234 changed from Not mitigated to Mitigated.\", \"secondaryDescription\": \"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user.name\\\\Desktop\\\\Run SwitchThemeColor.ps1.lnk\", \"siteId\": \"551799242253151036\", \"threatId\": \"1391846352913115209\", \"updatedAt\": \"2022-04-05T09:10:15.119559Z\", \"userId\": null}", "Status of threat Run SwitchThemeColor.ps1.lnk on agent CL001234 changed from Not mitigated to Mitigated. The rule checks whether the file is in a legitimate directory or not (through file creation events).

Salaire Des Gendarmes Camerounais En Fcfa, Deltacare Usa Fee Schedule 2022, Whirlpool Cabrio W10607424a, Articles S

sentinelone api documentation