SentinelOne

Description

Connector to connect to SentinelOne EDR (https://www.sentinelone.com/). This plugin currently features:

  • Query: run a PowerQuery against SentinelOne and get the statistics in DeepHunter.

  • Sync STAR rules: create, update and delete STAR rules in SentinelOne when threat hunting analytics are created, updated or deleted in DeepHunter.

  • Get threats from SentinelOne and display them in the timeline view.

  • Get machine details from SentinelOne and display them in the machine details view.

  • Get the user owner from a machine name.

  • Get applications.

  • Get network connections.

  • Get the token expiration date.

STAR rules synchronization

DeepHunter synchronizes the query of each threat hunting analytic with a STAR rule in SentinelOne when the analytic's STAR rule flag is set.

STAR rules are created with the following default properties:

Property            Creation                        Update
------------------  ------------------------------  ------------------------------
Scope               Global                          Global
PowerQuery version  2.0                             2.0
Severity            Defined in the settings         (existing value preserved)
Description         “Rule sync from DeepHunter”     (existing value preserved)
Rule Type           Single Event                    Single Event
Status              Active                          Active
expirationMode      Defined in the settings         (existing value preserved)
coolOffSettings     Defined in the settings         (existing value preserved)
treatAsThreat       Defined in the settings         (existing value preserved)
networkQuarantine   Defined in the settings         (existing value preserved)

The following logic is applied:

  • if a new threat hunting analytic is created with the STAR rule flag set in DeepHunter, a STAR rule will be created in SentinelOne

  • if a threat hunting analytic with the STAR rule flag set is deleted in DeepHunter, the associated STAR rule will be deleted in SentinelOne

  • if a threat hunting analytic is updated in DeepHunter, with the STAR rule flag newly set, a corresponding STAR rule will be created in SentinelOne

  • if a threat hunting analytic is updated in DeepHunter, with the STAR rule flag removed (previously set), the associated STAR rule will be deleted in SentinelOne

  • if a threat hunting analytic is updated in DeepHunter, with the STAR rule flag set (previously set), the associated STAR rule will be updated in SentinelOne (see above table for updated fields)
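The sync logic and the default-property table above, as an added Python example that is not the plugin's own code. The Settings object, the payload key names (expirationDays in particular) and the "Undefined" fallback for treatAsThreat are assumptions; the SentinelOne API call itself is left out.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Settings:
    """The documented settings as a plain object (constructed; shape assumed)."""
    STAR_RULES_PREFIX: str = "TH_"
    STAR_RULES_DEFAULT_SEVERITY: str = "High"
    STAR_RULES_DEFAULT_STATUS: str = "Active"
    STAR_RULES_DEFAULT_EXPIRATION: str = ""      # days, or "" to ignore
    STAR_RULES_DEFAULT_COOLOFPERIOD: str = ""    # integer, or "" to ignore
    STAR_RULES_DEFAULT_TREATASTHREAT: str = ""   # "" means Undefined
    STAR_RULES_DEFAULT_NETWORK_QUARANTINE: str = "false"

def star_action(event: str, was_flagged: bool, is_flagged: bool) -> Optional[str]:
    """Map an analytic change (created/updated/deleted) to the STAR rule operation."""
    if event == "created":
        return "create" if is_flagged else None
    if event == "deleted":
        return "delete" if was_flagged else None
    if event == "updated":
        if is_flagged and not was_flagged:
            return "create"        # flag newly set
        if was_flagged and not is_flagged:
            return "delete"        # flag removed
        return "update" if is_flagged else None
    raise ValueError(f"unknown event: {event!r}")

def build_rule_payload(name: str, query: str, s: Settings, action: str) -> dict:
    """Fields sent on create vs. update; the JSON key names are assumptions."""
    payload = {
        "name": s.STAR_RULES_PREFIX + name,
        "query": query,
        "scope": "Global",
        "powerQueryVersion": "2.0",
        "ruleType": "Single Event",
        "status": s.STAR_RULES_DEFAULT_STATUS,
    }
    if action == "update":
        return payload   # severity, description and responses keep their existing values
    payload["severity"] = s.STAR_RULES_DEFAULT_SEVERITY
    payload["description"] = "Rule sync from DeepHunter"
    if s.STAR_RULES_DEFAULT_EXPIRATION:
        payload["expirationMode"] = "Temporary"
        payload["expirationDays"] = int(s.STAR_RULES_DEFAULT_EXPIRATION)   # assumed key
    if s.STAR_RULES_DEFAULT_COOLOFPERIOD != "":
        payload["coolOffSettings"] = int(s.STAR_RULES_DEFAULT_COOLOFPERIOD)
    payload["treatAsThreat"] = s.STAR_RULES_DEFAULT_TREATASTHREAT or "Undefined"
    # the documented example stores the boolean as the string 'false'; normalise it
    payload["networkQuarantine"] = str(s.STAR_RULES_DEFAULT_NETWORK_QUARANTINE).lower() == "true"
    return payload
```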

Settings

S1_URL

  • Type: string

  • Description: S1_URL is the SentinelOne URL for your tenant and is used for any API call to SentinelOne.

  • Example:

S1_URL = 'https://yourtenant.sentinelone.net'

S1_TOKEN

  • Type: string

  • Description: Token used to authenticate against SentinelOne API. You can generate a token in the SentinelOne console. The token is valid for 30 days.

  • Example:

S1_TOKEN = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30'

XDR_URL and XDR_PARAMS

  • Type: string

  • Description: Address and parameters used to point to the SentinelOne frontend from the timeline view. Depending on the interface you have enabled (legacy frontend or new frontend), the URL and parameters are different.

  • Example:

# Legacy frontend
XDR_URL = 'https://xdr.eu1.sentinelone.net'
XDR_PARAMS = 'view=edr'
# New frontend
#XDR_URL = 'https://tenant.sentinelone.net'
#XDR_PARAMS = '_categoryId=eventSearch'

S1_THREATS_URL

  • Type: string

  • Description: Note that S1_THREATS_URL is rendered dynamically by the Django view, which calls format on it to insert the correct hostname. This is why the {} placeholder appears in the URL.

  • Example:

### Legacy URL for threats
#S1_THREATS_URL = 'https://tenant.sentinelone.net/incidents/threats?filter={"computerName__contains":"{}","timeTitle":"Last%203%20Months"}'
### New URL for threats
S1_THREATS_URL = 'https://tenant.sentinelone.net/incidents/unified-alerts?_categoryId=threatsAndAlerts&_scopeLevel=global&alertsTable.filters=assetName__FULLTEXT%3D{}&alertsTable.timeRange=LAST_3_MONTHS'

SYNC_STAR_RULES

  • Type: Boolean

  • Possible values: True or False

  • Description: if SYNC_STAR_RULES is set to True, STAR rules will be synchronized in SentinelOne when the STAR rule flag is set in DeepHunter queries and threat hunting analytics are created, updated or deleted. It can be set to False if you only want to use this flag in DeepHunter as information.

  • Example:

SYNC_STAR_RULES = True

STAR_RULES_PREFIX

  • Type: string

  • Description: Prefix used to name STAR rules in SentinelOne. For example, if the prefix is TH_ and you create a threat hunting analytic in DeepHunter named test_threat_hunting, the STAR rule in SentinelOne will be named TH_test_threat_hunting.

  • Example:

STAR_RULES_PREFIX = '' # example: "TH_"

STAR_RULES_DEFAULT_SEVERITY

  • Type: string

  • Description: The rule severity in your environment.

  • Possible values: Low|Medium|High|Critical

  • Example:

STAR_RULES_DEFAULT_SEVERITY = 'High'

STAR_RULES_DEFAULT_STATUS

  • Type: string

  • Description: Defines whether the rule is enabled (Active: activated and sends alerts when triggered) or disabled (Draft).

  • Possible values: Active|Draft

  • Example:

STAR_RULES_DEFAULT_STATUS = 'Active'

STAR_RULES_DEFAULT_EXPIRATION

  • Type: string

  • Description: If the rule is temporary, enter the expiration delay (in days) for the rule. If set, expirationMode is automatically considered to be “Temporary”. Leave the string empty to ignore.

  • Example:

STAR_RULES_DEFAULT_EXPIRATION = ''

STAR_RULES_DEFAULT_COOLOFPERIOD

  • Type: integer (or empty string to ignore)

  • Description: Receive only one alert and suppress additional alerts when a rule is triggered multiple times during the cool-off period. Mitigation actions set in the rule will not be applied to suppressed alerts. Leave empty to ignore.

  • Example:

STAR_RULES_DEFAULT_COOLOFPERIOD = ''

STAR_RULES_DEFAULT_TREATASTHREAT

  • Type: string

  • Description: Defines the Treat as a threat auto response.

  • Possible values: Undefined (or empty)|Suspicious|Malicious

  • Example:

STAR_RULES_DEFAULT_TREATASTHREAT = ''

STAR_RULES_DEFAULT_NETWORK_QUARANTINE

  • Type: boolean

  • Description: Set to True to automatically quarantine the alerted endpoints.

  • Possible values: true|false

  • Example:

STAR_RULES_DEFAULT_NETWORK_QUARANTINE = 'false'

QUERY_ERROR_INFO

  • Type: string

  • Description: Regular expression to identify if the query error message is an informational message (INFO) instead of an ERROR. This can be used to filter out non-critical errors in the logs. If empty, all messages will be considered errors.

  • Example:

QUERY_ERROR_INFO = r'''status['"]:\s?['"]FINISHED['"]'''  # raw triple-quoted so both quote characters and the backslash survive
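Added example (not the plugin's own code) showing how a QUERY_ERROR_INFO regex sorts query messages into INFO and ERROR, including the documented empty-pattern case where everything is an ERROR. The sample messages are constructed, not real SentinelOne responses.

```python
import re
from typing import Iterable, List, Optional, Tuple

# The regex from the setting above; a raw triple-quoted string keeps both
# quote characters and the backslash intact.
QUERY_ERROR_INFO = r'''status['"]:\s?['"]FINISHED['"]'''

def classify_query_message(message: str, pattern: Optional[str] = QUERY_ERROR_INFO) -> str:
    """Return "INFO" when the message matches the pattern, otherwise "ERROR".

    An empty (or None) pattern means every message is treated as an ERROR,
    which is the documented behaviour of an empty QUERY_ERROR_INFO.
    """
    if not pattern:
        return "ERROR"
    return "INFO" if re.search(pattern, message) else "ERROR"

# Constructed sample messages; the first two look like a completed query
# reported back as an error, the last two are genuine failures.
SAMPLES = [
    '{"status":"FINISHED","progress":100}',
    "{'status': 'FINISHED'}",
    '{"status":"FAILED","error":"query timed out"}',
    "HTTP 401 Unauthorized",
]

def classify_all(messages: Iterable[str], pattern: Optional[str] = QUERY_ERROR_INFO) -> List[Tuple[str, str]]:
    """Pair each message with its INFO/ERROR level, e.g. for log filtering."""
    return [(m, classify_query_message(m, pattern)) for m in messages]

if __name__ == "__main__":
    for message, level in classify_all(SAMPLES):
        print(f"{level:5} {message}")
```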