SentinelOne Singularity is an Endpoint Detection and Response (EDR) platform; a SentinelOne PowerShell module (package SentinelOne 2.0.0) is also published for scripting against its API.

The Exchange vulnerability referred to in the rules below is due to Microsoft Exchange Server not randomizing its ASP.NET machine keys on a per-installation basis, so every installation ends up using the same validationKey and decryptionKey values, which an attacker who can authenticate to the server is able to abuse.

Detection rules applied to the endpoint events include the following:

- Detects the default process names of several hacking tools, and also checks for those names in the command line.
- Detects command lines with suspicious arguments.
- Detects specific commands used regularly by ransomware to stop services or remove backups.
- Detects the malicious use of a Control Panel item.
- Detects suspicious cmd.exe command lines seen being used by some attackers (e.g. Lazarus with Word macros).
- Detects potential process injection and hollowing on processes that usually require a DLL to be launched, but are launched without any argument.
- Detects SysInternals tools masquerading under decoy names, which some attackers use to evade detection.

The following table (not reproduced in this extract) lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Besides the full samples further down, some activity samples survive here only as extracted values, for instance the agent status "Agent Disabled Because of Database Corruption" and the scope "Group Env. 01 - Prod in Site corp-servers-windows of Account corp" (fullScopeDetailsPath "Global / corp / corp-servers-windows / Env. 01 - Prod"). The extracted values of the Webex custom-rule alert (the WebexHost.exe command lines "/daemon /runFrom=autorun" and "/job=upgradeClient /channel=2af416334939280c", the WebexHost_old.exe path and hashes 84580370c58b1b0c9e4138257018fd98efdf28ba and d8efbbfab923ad72057d165dc30f2c0d39a4f4d2dcb7d6fa8a8c9c5b406fcb23, the atucfobj.dll path and hashes 5b1bbda6c8d9bb6e49e5e7c49909d48d5d35658a and e89dd9db7c5f93ab2fd216d36e7432ea3b418b5df0191d4849fdb1967b2f6e2e, and the French rule description, which translates as "A Webex DLL "atucfobj.dll" unknown to the system was written on the fleet") belong to the full sample event shown further down.

From the App: go to the AlienApp for SentinelOne page and click the Rules tab. To define a new SentinelOne response action rule, enter a name for the rule.

Manual deployment of the Azure Function connector starts in the editor: Start VS Code.


"trustedDomain" which is detected here is a Microsoft Active Directory ObjectClass Type that represents a domain that is trusted by, or trusting, the local AD DOMAIN. Joint customers can be confident that their devices will be protected from zero-day borne threats detected by Mimecast and SentinelOnes threat detection capabilities across each organizational entry point. Detects cscript running suspicious command to load a DLL. This gives me confidence that everything I see on the screen can be done programmatically. Detects accepteula in command line with non-legitimate executable name. Detects from the command lines or the registry, changes that indicate unwanted modifications to registry keys that disable important Internet Explorer security features. The easiest way I've found to navigate systems is by utilizing the internal ip Detection on suspicious network arguments in processes command lines using HTTP schema with port 443. 99 - Admin\", \"osFamily\": \"Windows\", \"scopeLevel\": \"Group\", \"scopeName\": \"Env. **Select a runtime:** Choose Python 3.8.\n\n\tf. Detects RTLO (Right-To-Left character) in file and process names.

It was observed being used by Ransomware operators. The name you type is validated to make sure that it's unique in Azure Functions. Detects the usage of a SOCKS tunneling tool, often used by threat actors. Netsurion collects the events from SentinelOne API and filters it out to get some critical event types for creating reports, dashboards, and alerts. It looks for a pattern of a system process executable name that is not legitimate and running from a folder that is created via a random algorithm 13-15 numbers long. (e.g. WebSentinelOne | One API for All Your Server Logs. Reason why this event happened, according to the source. kubernetes, nomad or cloudfoundry). 99 - Admin in Site CORP-servers-windows of Account CORP", "Global / CORP / CORP-servers-windows / Env. Select the top level folder from extracted files.\n4.

Detects suspicious calls to Exchange resources, in locations related to webshells observed in campaigns using this vulnerability. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Package manager (eg: apt, yum) can be altered to install malicious software. Deactivation of some debugging softwares using taskkill command. It is highly recommended to apply the Pulse Secure mitigations and seach for indicators of compromise on affected servers if you are in doubt over the integrity of your Pulse Connect Secure product. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. This may also detect tools like LDAPFragger. This setup guide will show you how to pull events produced by SentinelOne EDR on SEKOIA.IO. Detects creation or uses of OneNote embedded files with unusual extensions. 99 - Admin\", \"siteName\": \"CORP-servers-windows\", \"username\": \"Jean DUPONT\", \"value\": \"C:\\\\Windows\\\\system32\\\\diskshadow.exe\"}, \"description\": null, \"groupId\": \"860506107823075486\", \"hash\": null, \"id\": \"1396138796888471533\", \"osFamily\": \"windows\", \"primaryDescription\": \"The Management user Jean DUPONT deleted the Path Exclusion C:\\\\Windows\\\\system32\\\\diskshadow.exe for Windows from the Group Env. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. 
", "\\Device\\HarddiskVolume3\\Users\\user.name\\Desktop\\Run SwitchThemeColor.ps1.lnk", "Group DSI in Site corp-workstations of Account corp", "Global / corp / corp-workstations / DSI", "08731ccac0d404da077e7029062f73ca3d8faf61", "{\"accountId\": \"551799238352448315\", \"activityType\": 2004, \"agentId\": \"997510333395640565\", \"agentUpdatedVersion\": null, \"applications\": null, \"comments\": null, \"createdAt\": \"2022-04-05T09:10:15.137471Z\", \"data\": {\"accountName\": \"corp\", \"computerName\": \"CL001234\", \"downloadUrl\": \"/threats/mitigation-report/1391846354842495401\", \"escapedMaliciousProcessArguments\": null, \"fileContentHash\": \"08731ccac0d404da077e7029062f73ca3d8faf61\", \"fileDisplayName\": \"Run SwitchThemeColor.ps1.lnk\", \"filePath\": \"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user.name\\\\Desktop\\\\Run SwitchThemeColor.ps1.lnk\", \"fullScopeDetails\": \"Group DSI in Site corp-workstations of Account corp\", \"fullScopeDetailsPath\": \"Global / corp / corp-workstations / DSI\", \"globalStatus\": null, \"groupName\": \"DSI\", \"scopeLevel\": \"Group\", \"scopeName\": \"DSI\", \"siteName\": \"corp-workstations\", \"threatClassification\": \"PUA\", \"threatClassificationSource\": \"Engine\"}, \"description\": null, \"groupId\": \"797501649544140679\", \"hash\": null, \"id\": \"1391846354951547317\", \"osFamily\": null, \"primaryDescription\": \"The agent CL001234 successfully quarantined the threat: Run SwitchThemeColor.ps1.lnk.\", \"secondaryDescription\": \"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user.name\\\\Desktop\\\\Run SwitchThemeColor.ps1.lnk\", \"siteId\": \"551799242253151036\", \"threatId\": \"1391846352913115209\", \"updatedAt\": \"2022-04-05T09:10:15.132383Z\", \"userId\": null}", "The agent CL001234 successfully quarantined the threat: Run SwitchThemeColor.ps1.lnk. To exploit this vulnerability, an attacker needs to leverage the credentials of an account it had already compromised to authenticate to OWA. 
Detects interaction with the file NTDS.dit through command line. Wszystko, co powiniene o nich wiedzie. Netsh interacts with other operating system components using dynamic-link library (DLL) files. Detects process injection using the signed Windows tool Mavinject32.exe (which is a LOLBAS). After installation (by either methods), load the module into your workspace: After importing this module, you will need to configure both the base URI & API access token that are used to talk with the SentinelOne API. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. A URI or Endpoint This will be an HTTP or WebSentinelOne Endpoint Detection and Response (EDR) is agent-based threat detection software that can address malware, exploits, and insider attacks on your network. An adversary may compress data in order to make it portable and minimize the amount of data sent over the network, this could be done the popular rar command line program. Detects PowerShell commands aiming to exclude path, process, IP address, or extension from scheduled and real-time scanning. Detects the exploitation of the Apache Struts vulnerability (CVE-2020-17530). SentinelOne is an Endpoint Detection and Response (EDR) solution. This can be used by attackers to tunnel RDP or SMB shares for example. Find below few samples of events and how they are normalized by SEKOIA.IO. Komenda na BH CS GO. See how to generate an API Token from SentinelOne Detects suspicious requests to a specific URI, usually on an .asp page. ", "This binary imports functions used to raise kernel exceptions. 99 - Admin in Site CORP-servers-windows of Account CORP\", \"fullScopeDetailsPath\": \"Global / CORP / CORP-servers-windows / Env. Provide the following information at the prompts:\n\n\ta. Name of the image the container was built on. With All APIs are well documented directly within the Lazarus with Word macros). 
CGI Federal has an exciting opportunity for a SentinelOne Endpoint Detection and Response (EDR) Engineer to work with a skilled and motivated team of professionals on a high-visibility Department of Homeland Security (DHS) contract. Detects attempts to gather information on domain trust relationships that may be used to identify lateral movement opportunities. Configure Windows Defender using base64-encoded commands is suspicious and could be related to malicious activities. This is a collection of API requests for SentinelOne that can be built upon further. Step 2: Add the SentinelOne credential to runZero Are you sure you want to create this branch? Unmodified original url as seen in the event source. Detects persitence via netsh helper. PTrace syscall provides a means by which one process ("tracer") may observe and control the execution of another process ("tracee") and examine and change the tracee's memory and registers. Show me how you used APIs to allow your UI to access your core engine. By using the standard SentinelOne EDR logs collection by API, you will be provided with high level information on detection and investigation of your EDR. ; Next to API Token, click Generate. 01 - Prod\", \"groupName\": \"Env. SOneXXXXX).\n\n\te. Navigate to Settings > Integrations. Prerequisites This enrichment requires the PSFalcon PowerShell module, which is available at https://github.com/bk-cs/PSFalcon .
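Pulling the activities by API, as the connectors above do, is a polling loop with a checkpoint. The Python below is an added example, not the SEKOIA.IO, Microsoft Sentinel or Netsurion connector code, and it makes assumptions you should verify against your console's API reference: activities are listed at GET {console}/web/api/v2.1/activities, the token is sent as "Authorization: ApiToken <token>", createdAt__gte filters on creation time, and pages are chained with the cursor parameter and pagination.nextCursor. The console is replaced by a constructed in-memory stand-in so the block runs offline. The point it demonstrates beyond the prose is the checkpoint boundary: filtering with a strict "greater than" loses events that share the last timestamp and arrive late, so the poller filters with "greater or equal" and remembers the ids seen at that timestamp to avoid duplicates.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Assumed endpoint shape (verify against the API reference of your console): activities are
# listed at GET {console}/web/api/v2.1/activities, the token goes in "Authorization: ApiToken <token>",
# createdAt__gte filters by creation time and pages are chained with "cursor" / pagination.nextCursor.
ACTIVITIES_PATH = "/web/api/v2.1/activities"
PAGE_SIZE = 100

HttpGet = Callable[[str, Dict[str, str], Dict[str, str]], dict]


@dataclass
class Checkpoint:
    """Where the last poll stopped: the newest createdAt seen and the ids that carry exactly
    that timestamp, so the next poll can start at createdAt__gte without re-emitting them."""
    last_created_at: str = "1970-01-01T00:00:00.000000Z"
    ids_at_boundary: Set[str] = field(default_factory=set)


class ActivityPoller:
    def __init__(self, console_url: str, api_token: str, http_get: HttpGet,
                 activities_path: str = ACTIVITIES_PATH):
        self.console_url = console_url.rstrip("/")
        # The token only ever lives in the header; never log self.headers.
        self.headers = {"Authorization": f"ApiToken {api_token}", "Accept": "application/json"}
        self.http_get = http_get
        # Adjustable, like the PowerShell module's baseApi_uri, if the API version moves on.
        self.activities_path = activities_path
        self.checkpoint = Checkpoint()

    def poll(self) -> List[dict]:
        """Fetch every activity created since the checkpoint, following nextCursor until exhausted."""
        fresh: List[dict] = []
        cursor: Optional[str] = None
        while True:
            params = {"createdAt__gte": self.checkpoint.last_created_at,
                      "limit": str(PAGE_SIZE), "sortBy": "createdAt", "sortOrder": "asc"}
            if cursor:
                params["cursor"] = cursor
            body = self.http_get(self.console_url + self.activities_path, self.headers, params)
            for activity in body.get("data", []):
                # Boundary events were already delivered by the previous poll: drop them.
                if activity["id"] not in self.checkpoint.ids_at_boundary:
                    fresh.append(activity)
            cursor = (body.get("pagination") or {}).get("nextCursor")
            if not cursor:
                break
        if fresh:
            # Same-format ISO-8601 strings compare correctly as plain strings.
            newest = max(a["createdAt"] for a in fresh)
            boundary_ids = {a["id"] for a in fresh if a["createdAt"] == newest}
            if newest == self.checkpoint.last_created_at:
                self.checkpoint.ids_at_boundary |= boundary_ids
            else:
                self.checkpoint.last_created_at = newest
                self.checkpoint.ids_at_boundary = boundary_ids
        return fresh


def make_fake_console(store: List[dict], per_page: int = 2) -> HttpGet:
    """Constructed stand-in for the console: serves `store` in createdAt order, `per_page`
    items at a time (it ignores `limit` on purpose so the cursor loop is exercised)."""
    def http_get(url: str, headers: Dict[str, str], params: Dict[str, str]) -> dict:
        assert url.endswith(ACTIVITIES_PATH) and headers["Authorization"].startswith("ApiToken ")
        matching = sorted((a for a in store if a["createdAt"] >= params["createdAt__gte"]),
                          key=lambda a: a["createdAt"])
        page = int(params.get("cursor", "0"))
        chunk = matching[page * per_page:(page + 1) * per_page]
        more = len(matching) > (page + 1) * per_page
        return {"data": chunk, "pagination": {"nextCursor": str(page + 1) if more else None,
                                              "totalItems": len(matching)}}
    return http_get


# Constructed activities modelled on the samples on this page (ids are invented).
CONSTRUCTED_STORE = [
    {"id": "a1", "activityType": 3608, "createdAt": "2022-03-30T09:00:18.286500Z",
     "primaryDescription": "Alert created from Custom Rule: Webex.Meetings.Atucfobj.dll Monitoring"},
    {"id": "a2", "activityType": 2004, "createdAt": "2022-04-05T09:10:15.137471Z",
     "primaryDescription": "The agent CL001234 successfully quarantined the threat"},
    {"id": "a3", "activityType": 2004, "createdAt": "2022-04-05T09:10:15.137471Z",
     "primaryDescription": "Second quarantine with the same timestamp as a2"},
]


def demo() -> List[List[str]]:
    """Three consecutive polls: initial backfill, an idle poll, then a late arrival that shares
    the boundary timestamp. Returns the ids delivered by each poll."""
    store = list(CONSTRUCTED_STORE)
    poller = ActivityPoller("https://usea1-example.sentinelone.net", "REDACTED", make_fake_console(store))
    first = [a["id"] for a in poller.poll()]
    second = [a["id"] for a in poller.poll()]
    store.append({"id": "a4", "activityType": 2004, "createdAt": "2022-04-05T09:10:15.137471Z",
                  "primaryDescription": "Late arrival at the boundary timestamp"})
    third = [a["id"] for a in poller.poll()]
    return [first, second, third]


if __name__ == "__main__":
    print(demo())
```

In a real connector the Checkpoint is what you persist between runs (for an Azure Function, in storage rather than in memory), and the token comes from an application setting or key vault rather than a constant.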

You do not need to create a new account.

Sample: custom-rule alert (activityType 3608), raised by the STAR custom rule "Webex.Meetings.Atucfobj.dll Monitoring", whose French description translates as "A Webex DLL "atucfobj.dll" unknown to the system was written on the fleet". Note that the writer of the unknown DLL is a binary signed by CISCO WEBEX LLC (WebexHost_old.exe), so the process and file hashes are the fields to pivot on. The raw event, which the feed delivers as a JSON string:

```json
{
  "accountId": "901144152444038278",
  "activityType": 3608,
  "agentId": "1277428815225733296",
  "agentUpdatedVersion": null,
  "applications": null,
  "comments": null,
  "createdAt": "2022-03-30T09:00:18.286500Z",
  "data": {
    "accountName": "CORP",
    "agentipv4": "192.168.102.46",
    "alertid": 1387492689895241884,
    "detectedat": 1648630801340,
    "dnsrequest": "", "dnsresponse": "", "dstip": "", "dstport": 0,
    "dveventid": "", "dveventtype": "FILEMODIFICATION",
    "externalip": "11.11.11.11",
    "fullScopeDetails": "Group LAPTOP in Site DEFAULT of Account CORP",
    "fullScopeDetailsPath": "Global / CORP / DEFAULT / LAPTOP",
    "groupName": "LAPTOP",
    "indicatorcategory": "", "indicatordescription": "", "indicatorname": "",
    "k8sclustername": "", "k8scontainerid": "", "k8scontainerimage": "", "k8scontainerlabels": "",
    "k8scontainername": "", "k8scontrollerkind": "", "k8scontrollerlabels": "", "k8scontrollername": "",
    "k8snamespace": "", "k8snamespacelabels": "", "k8snode": "", "k8spod": "", "k8spodlabels": "",
    "loginaccountdomain": "", "loginaccountsid":  "", "loginisadministratorequivalent": "",
    "loginissuccessful": "", "loginsusername": "", "logintype": "",
    "modulepath": "", "modulesha1": "", "neteventdirection": "",
    "origagentmachinetype": "laptop",
    "origagentname": "USR-LAP-4141",
    "origagentosfamily": "windows",
    "origagentosname": "Windows 10 Pro",
    "origagentosrevision": "19042",
    "origagentsiteid": "901144152460815495",
    "origagentuuid": "53a4af77e0e2465abaa97d16e88a6355",
    "origagentversion": "21.7.5.1080",
    "physical": "70:b5:e8:92:72:0a",
    "registrykeypath": "", "registryoldvalue": "", "registryoldvaluetype": "", "registrypath": "", "registryvalue": "",
    "ruledescription": "Ecriture d'une dll webex \"atucfobj.dll\" inconnu du système sur le parc.",
    "ruleid": 1360739572188076805,
    "rulename": "Webex.Meetings.Atucfobj.dll Monitoring",
    "rulescopeid": 901144152444038278,
    "rulescopelevel": "E_ACCOUNT",
    "scopeId": 901144152444038278,
    "scopeLevel": "Group",
    "scopeName": "LAPTOP",
    "severity": "E_MEDIUM",
    "siteName": "DEFAULT",
    "sourcename": "STAR",
    "sourceparentprocesscommandline": "\"C:\\Users\\user\\AppData\\Local\\WebEx\\WebexHost.exe\" /daemon /runFrom=autorun",
    "sourceparentprocessintegritylevel": "medium",
    "sourceparentprocesskey": "DFF45D789645E07E",
    "sourceparentprocessmd5": "66883dc802f65605077b0b05b1bc901b",
    "sourceparentprocessname": "WebexHost_old.exe",
    "sourceparentprocesspath": "C:\\Users\\user\\AppData\\Local\\WebEx\\WebexHost_old.exe",
    "sourceparentprocesspid": 10996,
    "sourceparentprocesssha1": "84580370c58b1b0c9e4138257018fd98efdf28ba",
    "sourceparentprocesssha256": "d8efbbfab923ad72057d165dc30f2c0d39a4f4d2dcb7d6fa8a8c9c5b406fcb23",
    "sourceparentprocesssigneridentity": "CISCO WEBEX LLC",
    "sourceparentprocessstarttime": 1648628294256,
    "sourceparentprocessstoryline": "114D19D4F405D782",
    "sourceparentprocesssubsystem": "win32",
    "sourceparentprocessusername": "CORP\\user",
    "sourceprocesscommandline": "\"C:\\Users\\user\\AppData\\Local\\WebEx\\WebexHost.exe\" /job=upgradeClient /channel=2af416334939280c",
    "sourceprocessfilepath": "C:\\Users\\user\\AppData\\Local\\WebEx\\WebexHost_old.exe",
    "sourceprocessfilesigneridentity": "CISCO WEBEX LLC",
    "sourceprocessintegritylevel": "medium",
    "sourceprocesskey": "634272057BAB1D81",
    "sourceprocessmd5": "66883dc802f65605077b0b05b1bc901b",
    "sourceprocessname": "WebexHost_old.exe",
    "sourceprocesspid": 7788,
    "sourceprocesssha1": "84580370c58b1b0c9e4138257018fd98efdf28ba",
    "sourceprocesssha256": "d8efbbfab923ad72057d165dc30f2c0d39a4f4d2dcb7d6fa8a8c9c5b406fcb23",
    "sourceprocessstarttime": 1648630694853,
    "sourceprocessstoryline": "114D19D4F405D782",
    "sourceprocesssubsystem": "win32",
    "sourceprocessusername": "CORP\\user",
    "srcip": "", "srcmachineip": "", "srcport": 0, "systemUser": 0,
    "tgtfilecreatedat": 1646400756503,
    "tgtfilehashsha1": "5b1bbda6c8d9bb6e49e5e7c49909d48d5d35658a",
    "tgtfilehashsha256": "e89dd9db7c5f93ab2fd216d36e7432ea3b418b5df0191d4849fdb1967b2f6e2e",
    "tgtfileid": "5C4E2E3FE950B367",
    "tgtfileissigned": "signed",
    "tgtfilemodifiedat": 1648630718596,
    "tgtfileoldpath": "",
    "tgtfilepath": "C:\\Users\\user\\AppData\\Local\\WebEx\\WebEx64\\Meetings\\atucfobj.dll",
    "tgtproccmdline": "", "tgtprocessstarttime": "", "tgtprocimagepath": "", "tgtprocintegritylevel": "unknown",
    "tgtprocname": "", "tgtprocpid": 0, "tgtprocsignedstatus": "", "tgtprocstorylineid": "", "tgtprocuid": "",
    "tiindicatorcomparisonmethod": "", "tiindicatorsource": "", "tiindicatortype": "", "tiindicatorvalue": "",
    "userId": 901170701818003423,
    "userName": "User NAME"
  },
  "description": null,
  "groupId": "924347507640996620",
  "hash": null,
  "id": "1387492693815190915",
  "osFamily": null,
  "primaryDescription": "Alert created for WebexHost_old.exe from Custom Rule: Webex.Meetings.Atucfobj.dll Monitoring in Group LAPTOP in Site DEFAULT of Account CORP, detected on USR-LAP-4141.",
  "secondaryDescription": "84580370c58b1b0c9e4138257018fd98efdf28ba",
  "siteId": "901144152460815495",
  "threatId": null,
  "updatedAt": "2022-03-30T09:00:18.282935Z",
  "userId": "901170701818003423"
}
```

A further sample, an alert from the custom rule "PowershellExecutionPolicyChanged Indicator Monito" (name truncated as in the source) in Group LAPTOP in Site DEFAULT of Account CORP, survives only as extracted values: the command line `"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\user\Documents\git\DSP2\API HUB\Documentation\Generate.ps1'"`, the executable C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe, and the hashes f43d9bb316e30ae1a3494ac5b0624f6bea1bf054, 3d930943fbea03c9330c4947e5749ed9ceed528a, 08d3f16dfbb5b5d7b419376a4f73350c13424de984fd43309160ce30bc1df089 and 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f.

Several tools use LDAP queries in the end to get the domain trust information (DSQuery, sometimes ADFind as well, etc.).

SentinelOne currently offers the following integrations: SentinelOne can be integrated easily with data analysis tools such as a SIEM through syslog feeds or via its API.

The baseApi_uri parameter of the PowerShell module allows you to adjust the base URI in the event the API version is updated.

To generate an API key in SentinelOne:

1. Log in to the Management Console as an Admin.
2. Navigate to Settings > Users.
3. Click on the Admin user you want to get a token for. A new user should be created but is not required.
4. Click on the Generate link next to API Token.
5. A new window will open with the API Token.

Socat is a Linux tool used to relay a local socket or an internal network connection, or to open a reverse shell; this technique is often used by attackers to bypass security equipment such as firewalls.

Select the App Action for the rule and specify the information for the SentinelOne incident.
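The sample events above are what the parser normalizes under ECS. As an added example (not the SEKOIA.IO parser and not SentinelOne code), the following Python maps one SentinelOne activity, given either as a dict or as the JSON string form in which the feed delivers it, to a flat set of ECS field names. The field mapping, the activityType-to-event.action table (which only knows the two types shown on this page) and the numeric severity scale are this example's own choices; ECS itself leaves severity numbering to the source. The two sample inputs are condensed from the page's events with most of the empty padding removed. The detail it adds to the prose is that SentinelOne pads unused fields with "", 0 or null, and those must be dropped rather than copied into the document.

```python
import json
from typing import Any, Dict, Union

# Mapping choices are this example's own (assumption): ECS has no official SentinelOne activity mapping.
ACTION_BY_ACTIVITY_TYPE = {2004: "threat-quarantined", 3608: "custom-rule-alert"}  # only the two types seen on this page
SEVERITY_SCALE = {"E_LOW": 1, "E_MEDIUM": 2, "E_HIGH": 3, "E_CRITICAL": 4}      # numeric scale is our choice

# Raw activity fields -> ECS fields; the SentinelOne names are those seen in the page's samples.
PROCESS_FIELDS = {
    "sourceprocesscommandline": "process.command_line", "sourceprocessfilepath": "process.executable",
    "sourceprocessname": "process.name", "sourceprocesspid": "process.pid",
    "sourceprocessmd5": "process.hash.md5", "sourceprocesssha1": "process.hash.sha1",
    "sourceprocesssha256": "process.hash.sha256", "sourceprocessusername": "user.name",
    "sourceparentprocesscommandline": "process.parent.command_line",
    "sourceparentprocesspath": "process.parent.executable", "sourceparentprocessname": "process.parent.name",
    "sourceparentprocesspid": "process.parent.pid", "sourceparentprocesssha1": "process.parent.hash.sha1",
    "sourceparentprocesssha256": "process.parent.hash.sha256",
}
FILE_FIELDS = {
    "tgtfilepath": "file.path", "tgtfilehashsha1": "file.hash.sha1", "tgtfilehashsha256": "file.hash.sha256",
    "filePath": "file.path", "fileDisplayName": "file.name", "fileContentHash": "file.hash.sha1",
}
HOST_FIELDS = {
    "origagentname": "host.name", "computerName": "host.name", "agentipv4": "host.ip",
    "origagentosname": "host.os.name", "origagentosfamily": "host.os.family",
    "origagentuuid": "host.id", "physical": "host.mac",
}
RULE_FIELDS = {"ruleid": "rule.id", "rulename": "rule.name", "ruledescription": "rule.description"}


def _present(value: Any) -> bool:
    # SentinelOne pads unused fields with "", 0 or null; none of those belong in an ECS document.
    return value not in ("", 0, None)


def normalize(raw: Union[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Turn one SentinelOne activity (a dict, or the JSON string form the feed delivers)
    into a flat dict keyed by ECS field names."""
    activity = json.loads(raw) if isinstance(raw, str) else raw
    data = activity.get("data") or {}
    ecs: Dict[str, Any] = {
        "@timestamp": activity["createdAt"],
        "event.code": str(activity["activityType"]),
        "event.kind": "alert" if activity["activityType"] == 3608 else "event",
        "event.reason": activity.get("primaryDescription"),   # "Reason why this event happened, according to the source"
        "event.module": "sentinelone",
        "sentinelone.activity.id": activity["id"],
        "sentinelone.scope.path": data.get("fullScopeDetailsPath"),
    }
    action = ACTION_BY_ACTIVITY_TYPE.get(activity["activityType"])
    if action:
        ecs["event.action"] = action
    if _present(data.get("severity")):
        ecs["event.severity"] = SEVERITY_SCALE.get(data["severity"])
    if _present(data.get("threatClassification")):
        ecs["sentinelone.threat.classification"] = data["threatClassification"]
    for table in (PROCESS_FIELDS, FILE_FIELDS, HOST_FIELDS, RULE_FIELDS):
        for src, dst in table.items():
            if _present(data.get(src)):
                ecs[dst] = data[src]
    if "rule.id" in ecs:
        ecs["rule.id"] = str(ecs["rule.id"])  # ECS rule.id is a keyword, SentinelOne sends an integer
    return {k: v for k, v in ecs.items() if _present(v)}


# Condensed from the page's samples (most padding fields dropped); constructed for this example.
SAMPLE_CUSTOM_RULE_ALERT = json.dumps({
    "accountId": "901144152444038278", "activityType": 3608, "id": "1387492693815190915",
    "createdAt": "2022-03-30T09:00:18.286500Z",
    "primaryDescription": "Alert created for WebexHost_old.exe from Custom Rule: Webex.Meetings.Atucfobj.dll Monitoring in Group LAPTOP in Site DEFAULT of Account CORP, detected on USR-LAP-4141.",
    "data": {
        "agentipv4": "192.168.102.46", "dveventtype": "FILEMODIFICATION", "severity": "E_MEDIUM",
        "fullScopeDetailsPath": "Global / CORP / DEFAULT / LAPTOP",
        "origagentname": "USR-LAP-4141", "origagentosname": "Windows 10 Pro", "origagentosfamily": "windows",
        "ruleid": 1360739572188076805, "rulename": "Webex.Meetings.Atucfobj.dll Monitoring",
        "sourceprocesscommandline": "\"C:\\Users\\user\\AppData\\Local\\WebEx\\WebexHost.exe\" /job=upgradeClient /channel=2af416334939280c",
        "sourceprocessfilepath": "C:\\Users\\user\\AppData\\Local\\WebEx\\WebexHost_old.exe",
        "sourceprocessname": "WebexHost_old.exe", "sourceprocesspid": 7788,
        "sourceprocesssha1": "84580370c58b1b0c9e4138257018fd98efdf28ba", "sourceprocessusername": "CORP\\user",
        "sourceparentprocessname": "WebexHost_old.exe", "sourceparentprocesspid": 10996,
        "tgtfilepath": "C:\\Users\\user\\AppData\\Local\\WebEx\\WebEx64\\Meetings\\atucfobj.dll",
        "tgtfilehashsha1": "5b1bbda6c8d9bb6e49e5e7c49909d48d5d35658a",
        "srcip": "", "dstport": 0, "registrypath": "",   # padding as SentinelOne sends it
    },
})
SAMPLE_QUARANTINE = {
    "accountId": "551799238352448315", "activityType": 2004, "id": "1391846354951547317",
    "createdAt": "2022-04-05T09:10:15.137471Z",
    "primaryDescription": "The agent CL001234 successfully quarantined the threat: Run SwitchThemeColor.ps1.lnk.",
    "data": {"computerName": "CL001234", "fileDisplayName": "Run SwitchThemeColor.ps1.lnk",
             "filePath": "\\Device\\HarddiskVolume3\\Users\\user.name\\Desktop\\Run SwitchThemeColor.ps1.lnk",
             "fileContentHash": "08731ccac0d404da077e7029062f73ca3d8faf61",
             "fullScopeDetailsPath": "Global / corp / corp-workstations / DSI", "threatClassification": "PUA"},
}

if __name__ == "__main__":
    print(json.dumps(normalize(SAMPLE_CUSTOM_RULE_ALERT), indent=2))
    print(json.dumps(normalize(SAMPLE_QUARANTINE), indent=2))
```

Fields the table does not know (Kubernetes, login and threat-intelligence indicator fields, all empty in the samples) are simply not emitted; extend the mapping tables when an event type you ingest populates them.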

