v1.1.3

Implementation Details

• Add sha256 support
• Severity set to default Unknown
• Updated relations based on detection type and replaced related_to
• Changed query params to match DAP ingestion
• Fixed timestamp format
• Changed product name
• Reworked /refer/observables

v1.1.2

Implementation Details

• A workaround has been introduced for health check endpoint.

v1.1.1

Implementation Details

• Added corresponding message in case of missing KID.
• Fixed vulnerabilities and optimised code.
• Updated Readme to match use-case set of observables
• Raise authorization error when expired api_key is used on /refer/observables.
• Outdated "Cisco SecureX Threat Response" identifier.

v1.1.0

Implementation Details

• Excluded sha256 and md5 observable types
• Added sightings relations to hostname and s1_agent_id
• Updated old dependencies with vulnerabilities
• Updated time ranges
• Fixed querying for incorrect value of observable gives authorization error
• Fixed authorization error returned when querying for a value including comma
• Fixed missing "file_name" and "process_name" relations while searching for "process_args"
• Rewrote set of observables to meet the latest requirements
• Removed fileless validatio
• Made exact match case insensitive for sha1, hostname and s1_agent_id
• Adjust targets to match requested observable
• Changed health endpoint expiration check

v1.0.7

Implementation Details

• Added new observable type: file_name
• Relations for Sighting reworked
• Added for s1_agent_id observable type

v1.0.6

Implementation Details

• Omit current observed type in sighting relations
• Fix internal error (500) in cases when there weren't any indicators in threat response from SentinelOne

v1.0.5

Implementation Details

• Add time range to the /observe/observables endpoint
• Add new observables to observe: md5, sha256, s1_agent_id, hostname, process_args, process_name, file_path
• Add process_args, process_name to a target mapping
• Add Parent_Of relation to 'relations'
• Fix return of empty file_path in File_Path_Of; now they will be omitted
• Fix multiples of the same returned indicators; now they will be unique

v1.0.2

Implementation Details

• Updated hashes in Pipfile.lock

v1.0.1

Implementation Details

• Updated external_ids field type
• Updated tips

v1.0.0

Implementation Details

Implemented Relay Endpoints

• POST /health

  • Authenticates to the underlying external service to check that provided credentials are valid and the service is available at the moment.

• POST /observe/observables

  • Accepts a list of observables and filters out unsupported ones.
  • Makes a series of requests to the underlying external service to query for some cyber threat intelligence data on each supported observable.
  • Maps the fetched data into appropriate CTIM entities.
  • Returns a list per each of the following CTIM entities (if any extracted):
    • Indicator
    • Sighting
    • Relationship

• POST /refer/observables

  • Accepts a list of observables and filters out unsupported ones.
  • Makes a series of requests to the underlying external service to query for some cyber threat intelligence data on each supported observable.
  • Maps the fetched data into appropriate CTIM entities.

Supported Types of Observables

• md5
• sha1
• sha256
• ip
• ipv6
• url
• hostname

CTIM Mapping Specifics

Each response from the SentinelOne API for the supported observables generates the following CTIM entities:

• Sighting
• Indicator
• Relationship