
[Request] Update SentinelOne bi-directional response actions instructions with new requirements for setting up the SIEM rule #5637

Closed
paul-tavares opened this issue Jul 31, 2024 · 0 comments
Labels:
- Effort: Medium (issues that take moderate but not substantial time to complete)
- Feature: Response actions (also includes response console)
- Team: EDR Workflows (formerly Defend Workflows, Onboarding and Lifecycle Management)
- v8.16.0

Comments


paul-tavares commented Jul 31, 2024

Description

Update the SentinelOne bi-directional response actions setup with new SIEM rule setup instructions.

The current instructions for setting up SentinelOne restrict the user, when setting up the SIEM rule, to only use logs-sentinel_one.alert* as the index. With the new changes, any SentinelOne data that contains a sentinel_one.[type].agent.id field is now supported.

For example: A user can now use data from the threats, activity and agent (in addition to the current alerts) to promote S1 events to SIEM alerts.

Background & resources

Which documentation set does this change impact?

ESS and serverless

ESS release

8.16

Serverless release

Week of August 20 — tracked in PR #5659 (Serverless-pub field emptied on this issue to avoid duplicating)

Feature differences

The setup of the SIEM rule is different now.
Also, the observer.serial_number field is no longer supported.

API docs impact

The SIEM rule for SentinelOne can now be set up using any of the following index patterns and agent id fields:

| Index Pattern                  | Agent Id Field                   |
|--------------------------------|----------------------------------|
| logs-sentinel_one.alert*       | sentinel_one.alert.agent.id      |
| logs-sentinel_one.threat*      | sentinel_one.threat.agent.id     |
| logs-sentinel_one.activity*    | sentinel_one.activity.agent.id   |
| logs-sentinel_one.agent*       | sentinel_one.agent.agent.id      |

Here is an example rule setup that we are using in development:

[screenshot: example rule setup used in development]

Prerequisites, privileges, feature flags

No response
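The table above pairs each supported SentinelOne index pattern with the agent id field a promoted alert must carry so that a response action can be routed to the right agent. The following added example (not code from the issue author or from the Kibana project) encodes that table, builds a rule body for Kibana's detection rule create endpoint (POST /api/detection_engine/rules) for a chosen data type, and checks an existing rule body against the two requirements stated in the issue: index patterns must come from the table, and observer.serial_number must not be used. Assumptions: the payload field names (name, description, type, language, index, query, risk_score, severity, interval, from, enabled) are the ones the endpoint accepts in 8.x and should be verified against your version's API docs; requiring the agent id field to exist in the KQL query is a defensive choice of this example, not something the issue mandates.

```python
"""Build and validate SentinelOne SIEM rule bodies for bi-directional response actions.

Added example, not project code. The index pattern / agent id field table is
copied from the issue; everything else (payload shape, existence filter) is an
assumption documented inline.
"""
import json
from typing import Dict, List, Tuple

# Table from the issue: data type -> (index pattern, agent id field).
SENTINEL_ONE_SOURCES: Dict[str, Tuple[str, str]] = {
    "alert": ("logs-sentinel_one.alert*", "sentinel_one.alert.agent.id"),
    "threat": ("logs-sentinel_one.threat*", "sentinel_one.threat.agent.id"),
    "activity": ("logs-sentinel_one.activity*", "sentinel_one.activity.agent.id"),
    "agent": ("logs-sentinel_one.agent*", "sentinel_one.agent.agent.id"),
}

# Per the issue, this field is no longer supported for matching alerts to agents.
UNSUPPORTED_FIELDS = ("observer.serial_number",)


def agent_id_field(index_pattern: str) -> str:
    """Return the agent id field paired with an index pattern, or raise."""
    for pattern, field in SENTINEL_ONE_SOURCES.values():
        if pattern == index_pattern:
            return field
    raise ValueError(f"unsupported SentinelOne index pattern: {index_pattern!r}")


def build_rule(data_type: str, name: str, extra_kql: str = "",
               severity: str = "medium", risk_score: int = 47) -> dict:
    """Return a query-rule body for the detection engine create endpoint.

    Payload keys are the create-rule API fields as I know them (assumption:
    check them against the Kibana API reference for your release).
    """
    if data_type not in SENTINEL_ONE_SOURCES:
        raise ValueError(f"unknown SentinelOne data type: {data_type!r}")
    index_pattern, field = SENTINEL_ONE_SOURCES[data_type]
    # Assumption: filter on the agent id field existing, so every alert the
    # rule promotes can be mapped back to a SentinelOne agent. Optional extra
    # KQL narrows the events further.
    query = f"{field} : *"
    if extra_kql:
        query = f"{query} and ({extra_kql})"
    return {
        "name": name,
        "description": f"Promote SentinelOne {data_type} events to SIEM alerts "
                       f"for bi-directional response actions",
        "type": "query",
        "language": "kuery",
        "index": [index_pattern],
        "query": query,
        "risk_score": risk_score,
        "severity": severity,
        "interval": "5m",
        "from": "now-6m",
        "enabled": True,
    }


def validate_rule(rule: dict) -> List[str]:
    """List problems with a rule body against the requirements in the issue.

    Checks that every index pattern is one of the supported SentinelOne
    patterns and that the query does not rely on observer.serial_number.
    """
    problems: List[str] = []
    indices = rule.get("index", [])
    if not indices:
        problems.append("rule has no index patterns")
    for idx in indices:
        try:
            agent_id_field(idx)
        except ValueError as exc:
            problems.append(str(exc))
    query = rule.get("query", "")
    for field in UNSUPPORTED_FIELDS:
        if field in query:
            problems.append(f"query references unsupported field {field}")
    return problems


if __name__ == "__main__":
    rule = build_rule("threat", "SentinelOne threats -> SIEM alerts")
    print(json.dumps(rule, indent=2))
    print("problems:", validate_rule(rule))
```

Run it to print a ready-to-POST body for the threats data type; pass a saved rule body to validate_rule before upgrading to catch rules that still key on observer.serial_number or use an index pattern outside the table.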
