Note
The purpose of this repo is to replicate SentinelOne detections for our own setup. The sample event below is a single PROCESSCREATION record; tenant-specific identifiers in it (site, account, management console, agent UUID) have been replaced with placeholder values, so do not expect them to resolve in a real console.
- Event Types: https://usea1-015.sentinelone.net/docs/en/example-json-files-with-edr-event-types-and-fields.html
- OCSF Schema: https://usea1-015.sentinelone.net/docs/en/ocsf-schema.html
Table of Contents
Important
- https://xdr.us1.sentinelone.net/
- The best place to start looking for detections is the set of commands that are used a lot; the image that showed where to find them in the console is referenced here but not reproduced on this page.
{
"timestamp": "18:32:29.470",
"tgt.process.displayName": "nr-winpkg.exe",
"src.process.parent.isStorylineRoot": false,
"event.category": "process",
"src.process.parent.image.sha1": "9ef7039dadb490762d4446892b1c0323f06bd1c2",
"site.id": "123456789123456789",
"src.process.parent.displayName": "Test123",
"src.process.image.binaryIsExecutable": true,
"tgt.process.storyline.id": "F8C44B7A0C80D2E7",
"tgt.process.isNative64Bit": false,
"src.process.parent.subsystem": "SYS_WIN32",
"src.process.user": "NT AUTHORITY\\SYSTEM",
"src.process.indicatorRansomwareCount": 0,
"src.process.crossProcessDupRemoteProcessHandleCount": 0,
"src.process.tgtFileCreationCount": 5621,
"src.process.indicatorInjectionCount": 0,
"src.process.moduleCount": 216402,
"src.process.parent.name": "acme-infra-service.exe",
"i.version": "preprocess-lib-1.0",
"sca:atlantisIngestTime": 1664811195133,
"src.process.image.md5": "7c99f420f8985a4ccf428f9fe2b090f0",
"src.process.indicatorReconnaissanceCount": 4179,
"src.process.storyline.id": "F8C44B7A0C80D2E7",
"src.process.childProcCount": 67359,
"mgmt.url": "asdf-123.sentinelone.org",
"tgt.process.subsystem": "SYS_WIN32",
"src.process.crossProcessOpenProcessCount": 0,
"tgt.process.image.binaryIsExecutable": true,
"tgt.process.image.sha256": "b00b5e5d4e268b8dbd0af0749edb6626e686403c71f1c81ae08d18242046f29e",
"src.process.subsystem": "SYS_WIN32",
"meta.event.name": "PROCESSCREATION",
"src.process.parent.integrityLevel": "SYSTEM",
"tgt.process.publisher": "ACME, INC.",
"src.process.indicatorExploitationCount": 0,
"src.process.parent.storyline.id": "F8C44B7A0C80D2E7",
"tgt.process.verifiedStatus": "verified",
"tgt.process.image.path": "C:\\Program Files\\Acme\\acme-infra\\acme-integrations\\nr-winpkg.exe",
"src.process.integrityLevel": "SYSTEM",
"i.scheme": "edr",
"tgt.process.integrityLevel": "SYSTEM",
"site.name": "ASDF",
"src.process.netConnInCount": 1,
"tgt.process.image.md5": "65f9131df4b7c909ae41add0fcd172fa",
"event.time": 1664811149470,
"account.id": "123456789123456789",
"dataSource.name": "SentinelOne",
"endpoint.name": "asdf1",
"src.process.image.sha1": "7f3981d9bf5d134065541387a77b9f651471fa0f",
"src.process.isStorylineRoot": false,
"src.process.parent.image.path": "C:\\Program Files\\Acme\\acme-infra\\acme-infra-service.exe",
"src.process.pid": 3596,
"tgt.file.isSigned": "signed",
"src.process.cmdline": "C:\\Program Files (x86)\\Microsoft\\important_stuff\\stuff.EXE\\",
"src.process.publisher": "ACME, INC.",
"sca:ingestTime": 1664811195,
"dataSource.category": "security",
"src.process.crossProcessThreadCreateCount": 0,
"src.process.parent.isNative64Bit": false,
"src.process.parent.isRedirectCmdProcessor": false,
"tgt.process.image.sha1": "a1d7ac9e15c26535a7dec40bba21cda4de078504",
"src.process.crossProcessCount": 0,
"src.process.signedStatus": "signed",
"event.id": "01GEF7NPDYKJDP1X0XSQ9K7J2N_41",
"src.process.parent.cmdline": "\"C:\\Program Files\\Acme\\acme-infra\\acme-infra-service.exe\"",
"src.process.image.path": "C:\\Program Files\\Acme\\acme-infra\\acme-infra.exe",
"src.process.tgtFileModificationCount": 516119,
"src.process.indicatorEvasionCount": 2100,
"src.process.netConnOutCount": 7330,
"tgt.process.pid": 4720,
"src.process.crossProcessDupThreadHandleCount": 0,
"tgt.process.name": "nr-winpkg.exe",
"endpoint.os": "windows",
"src.process.tgtFileDeletionCount": 5621,
"tgt.process.signedStatus": "signed",
"src.process.startTime": 1662784606181,
"mgmt.id": "1337",
"os.name": "Windows Server 2019 Datacenter",
"tgt.process.cmdline": "./nr-winpkg",
"src.process.displayName": "acme-infra.exe",
"src.process.parent.sessionId": 0,
"src.process.isNative64Bit": false,
"src.process.uid": "F59445BAF5BC03DA",
"src.process.parent.image.md5": "8c3eb2770d8eed24ce33d77f7668fea5",
"src.process.indicatorBootConfigurationUpdateCount": 0,
"src.process.indicatorInfostealerCount": 0,
"process.unique.key": "D0046CBAF5BC03DA",
"tgt.process.uid": "D0046CBAF5BC03DA",
"tgt.process.isStorylineRoot": false,
"src.process.parent.uid": "C19445BAF5BC03DA",
"agent.version": "22.1.2.217",
"src.process.parent.image.sha256": "f62c2d5c9e7605c75a0c8fcb9c2b506267ca0e6706766e033495d81dac4e302c",
"src.process.sessionId": 0,
"src.process.netConnCount": 7331,
"mgmt.osRevision": "17763",
"group.id": "asdf",
"tgt.process.startTime": 1664811149464,
"src.process.parent.publisher": "Acme, INC.",
"src.process.isRedirectCmdProcessor": false,
"src.process.verifiedStatus": "verified",
"src.process.parent.startTime": 1662784605701,
"src.process.dnsCount": 565,
"endpoint.type": "server",
"trace.id": "01GEF7NPDYKJDP1X0XSQ9K7J2N",
"src.process.name": "acme-infra.exe",
"agent.uuid": "asdf356783457dfds4456d65",
"src.process.image.sha256": "058043b4d2b74a31dda6966a7a0c292a04e898bd4dabaefdc6b0eabf518c40d1",
"tgt.process.user": "NT AUTHORITY\\SYSTEM",
"src.process.indicatorGeneralCount": 4180,
"src.process.crossProcessOutOfStorylineCount": 0,
"src.process.registryChangeCount": 146,
"packet.id": "62D7376456284C24A2067FE50BA5B7D7",
"tgt.process.sessionId": 0,
"src.process.indicatorPersistenceCount": 0,
"src.process.parent.signedStatus": "signed",
"src.process.parent.user": "asdf\\SYSTEM",
"tgt.process.isRedirectCmdProcessor": false,
"event.type": "Process Creation",
"src.process.indicatorPostExploitationCount": 0,
"src.process.parent.pid": 3132
}