ciscosecurity/tr-05-sentinelone

By ciscosecurity

Updated 22 days ago

SentinelOne Relay (Cisco Hosted)

v1.1.3

Implementation Details

  • Add sha256 support
  • Severity set to default Unknown
  • Updated relations based on detection type and replaced related_to
  • Changed query params to match DAP ingestion
  • Fixed timestamp format
  • Changed product name
  • Reworked /refer/observables

v1.1.2

Implementation Details

  • Introduced a workaround for the health check endpoint.

v1.1.1

Implementation Details

  • Added a corresponding error message for a missing KID.
  • Fixed vulnerabilities and optimised code.
  • Updated the Readme to match the use-case set of observables.
  • Raise an authorization error when an expired api_key is used on /refer/observables.
  • Updated the outdated "Cisco SecureX Threat Response" identifier.

v1.1.0

Implementation Details

  • Excluded sha256 and md5 observable types
  • Added sightings relations to hostname and s1_agent_id
  • Updated outdated dependencies with known vulnerabilities
  • Updated time ranges
  • Fixed: querying for an incorrect observable value returned an authorization error
  • Fixed: querying for a value containing a comma returned an authorization error
  • Fixed missing "file_name" and "process_name" relations when searching for "process_args"
  • Rewrote the set of observables to meet the latest requirements
  • Removed fileless validation
  • Made exact match case-insensitive for sha1, hostname and s1_agent_id
  • Adjusted targets to match the requested observable
  • Changed health endpoint expiration check

v1.0.7

Implementation Details

  • Added new observable type: file_name
  • Relations for Sighting reworked
  • Added support for the s1_agent_id observable type

v1.0.6

Implementation Details

  • Omit current observed type in sighting relations
  • Fixed internal error (500) when the threat response from SentinelOne contained no indicators

v1.0.5

Implementation Details

  • Add time range to the /observe/observables endpoint
  • Add new observables to observe: md5, sha256, s1_agent_id, hostname, process_args, process_name, file_path
  • Add process_args, process_name to a target mapping
  • Add Parent_Of relation to 'relations'
  • Fixed empty file_path values being returned in File_Path_Of relations; they are now omitted
  • Fixed duplicate copies of the same indicator being returned; indicators are now unique

v1.0.2

Implementation Details

  • Updated hashes in Pipfile.lock

v1.0.1

Implementation Details

  • Updated external_ids field type
  • Updated tips

v1.0.0

Implementation Details

Implemented Relay Endpoints

  • POST /health

    • Authenticates to the underlying external service to check that the provided credentials are valid and that the service is currently available.
  • POST /observe/observables

    • Accepts a list of observables and filters out unsupported ones.
    • Makes a series of requests to the underlying external service to query cyber threat intelligence data for each supported observable.
    • Maps the fetched data into the appropriate CTIM entities.
    • Returns a list for each of the following CTIM entities (if any were extracted):
      • Indicator
      • Sighting
      • Relationship
  • POST /refer/observables

    • Accepts a list of observables and filters out unsupported ones.
    • Makes a series of requests to the underlying external service to query cyber threat intelligence data for each supported observable.
    • Maps the fetched data into the appropriate CTIM entities.

Supported Types of Observables

  • md5
  • sha1
  • sha256
  • ip
  • ipv6
  • url
  • hostname

CTIM Mapping Specifics

Each response from the SentinelOne API for a supported observable generates the following CTIM entities:

  • Sighting
  • Indicator
  • Relationship
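The following is an added illustration of the two steps the endpoints above describe, filtering a submitted observable list down to supported, well-formed values and mapping threat records into CTIM Sighting, Indicator and Relationship entities. It is not the relay's own code: the SentinelOne threat-record field names (classification, created_at, agent_hostname, agent_id), the "Related_To" relation label, the "sighting-of" relationship type and the schema_version are assumptions chosen for the example, and the sample input is constructed. It also folds in behaviour the changelog mentions: unique indicators (v1.0.5), omitting the relation to the observed type itself (v1.0.6), relations to hostname and s1_agent_id (v1.0.7/v1.1.0), case-insensitive matching (v1.1.0) and the default severity of Unknown (v1.1.3).

```python
"""Filter an observables payload and map SentinelOne-style threat records to CTIM.
Illustrative only: record field names, relation labels and schema_version are
assumed, not taken from the relay."""
import re
from uuid import uuid4

# Syntactic checks per supported type; a malformed value never reaches the
# upstream query (cf. the v1.1.0 fix where a bad value surfaced as an auth error).
VALUE_PATTERNS = {
    "md5": re.compile(r"^[0-9a-f]{32}$", re.I),
    "sha1": re.compile(r"^[0-9a-f]{40}$", re.I),
    "sha256": re.compile(r"^[0-9a-f]{64}$", re.I),
    "ip": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "ipv6": re.compile(r"^[0-9a-f:]{2,39}$", re.I),  # deliberately loose
    "url": re.compile(r"^https?://\S+$", re.I),
    "hostname": re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$", re.I),
}


def filter_observables(observables):
    """Drop unsupported types and malformed values; lower-case everything but
    URLs so hash/hostname matching is case-insensitive (as in v1.1.0)."""
    kept = []
    for obs in observables:
        otype, value = obs.get("type"), str(obs.get("value", ""))
        pattern = VALUE_PATTERNS.get(otype)
        if pattern is None or not pattern.match(value):
            continue
        kept.append({"type": otype, "value": value if otype == "url" else value.lower()})
    return kept


def _transient_id(kind):
    return f"transient:{kind}-{uuid4()}"


def map_threats(observable, threats):
    """Build CTIM entities for one observable. Indicators are de-duplicated by
    classification; the relation to the observed type itself is omitted."""
    sightings, relationships, indicators = [], [], {}
    for threat in threats:
        indicator = indicators.setdefault(threat["classification"], {
            "type": "indicator", "schema_version": "1.1.12",
            "id": _transient_id("indicator"), "producer": "SentinelOne",
            "title": threat["classification"],
            "valid_time": {"start_time": threat["created_at"]},
        })
        endpoint = [{"type": "hostname", "value": threat["agent_hostname"]},
                    {"type": "s1_agent_id", "value": threat["agent_id"]}]
        # "Related_To" is a placeholder label; skip the observed type itself.
        relations = [{"origin": "SentinelOne", "relation": "Related_To",
                      "source": observable, "related": r}
                     for r in endpoint if r["type"] != observable["type"]]
        sighting = {
            "type": "sighting", "schema_version": "1.1.12",
            "id": _transient_id("sighting"), "source": "SentinelOne",
            "observed_time": {"start_time": threat["created_at"]},
            "observables": [observable], "count": 1, "confidence": "High",
            "severity": "Unknown",  # default severity, per v1.1.3
            "targets": [{"type": "endpoint", "observables": endpoint,
                         "observed_time": {"start_time": threat["created_at"]}}],
            "relations": relations,
        }
        sightings.append(sighting)
        relationships.append({
            "type": "relationship", "schema_version": "1.1.12",
            "id": _transient_id("relationship"), "relationship_type": "sighting-of",
            "source_ref": sighting["id"], "target_ref": indicator["id"],
        })
    return {"indicators": list(indicators.values()),
            "sightings": sightings, "relationships": relationships}


# Constructed sample input (not real telemetry).
SAMPLE_OBSERVABLES = [
    {"type": "sha1", "value": "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709"},
    {"type": "hostname", "value": "WS-042.corp.example"},
    {"type": "domain", "value": "evil.example"},  # unsupported type: dropped
    {"type": "md5", "value": "not-a-hash"},       # malformed value: dropped
]
SAMPLE_THREATS = [
    {"classification": "Malware", "created_at": "2024-01-10T08:00:00Z",
     "agent_hostname": "ws-042.corp.example", "agent_id": "1234567890"},
    {"classification": "Malware", "created_at": "2024-01-11T09:30:00Z",
     "agent_hostname": "ws-043.corp.example", "agent_id": "1234567891"},
]

if __name__ == "__main__":
    kept = filter_observables(SAMPLE_OBSERVABLES)
    result = map_threats(kept[0], SAMPLE_THREATS)
    print(f"{len(kept)} observables kept, {len(result['indicators'])} indicator, "
          f"{len(result['sightings'])} sightings")
```

Rejecting unsupported or malformed observables before any upstream call is the part worth copying: it keeps attacker-controlled input out of the query string and means a bad value yields an empty result rather than an upstream error that the relay then has to interpret (the failure mode the v1.1.0 notes describe). Entity IDs use transient: prefixes with a fresh UUID, so only structure, not IDs, is stable across runs.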

Docker Pull Command

docker pull ciscosecurity/tr-05-sentinelone