sentinel_one: Add support for threat event data stream.

Added support for ingesting data through the SentinelOne Threat Event data stream, enabling the collection and parsing of threat-related events for accurate ingestion and processing of security insights. Tested on the live samples collected through the SentinelOne API.

Author: mohitjha-elastic

packages/sentinel_one/_dev/benchmark/rally/threat_event-benchmark.yml

@@ -0,0 +1,14 @@
+---
+description: Benchmark 100000 sentinel_one.threat_event events ingested
+data_stream:
+ name: threat_event
+corpora:
+ generator:
+ total_events: 100000
+ template:
+ type: gotext
+ path: ./threatevent-benchmark/template.ndjson
+ config:
+ path: ./threatevent-benchmark/config.yml
+ fields:
+ path: ./threatevent-benchmark/fields.yml

packages/sentinel_one/_dev/benchmark/rally/threatevent-benchmark/config.yml

@@ -0,0 +1,192 @@
+fields:
+ - name: activeContentFileId
+ cardinality: 1000
+ - name: activeContentHash
+ cardinality: 1000
+ - name: activeContentPath
+ cardinality: 1000
+ - name: agentDomain
+ cardinality: 1000
+ - name: agentGroupId
+ cardinality: 1000
+ - name: agentId
+ cardinality: 1000
+ - name: agentIp
+ cardinality: 1000
+ - name: agentMachineType
+ cardinality: 1000
+ - name: agentName
+ cardinality: 1000
+ - name: agentNetworkStatus
+ cardinality: 1000
+ - name: agentOs
+ enum:
+ - linux
+ - windows
+ - macos
+ - unix
+ - android
+ - ios
+ - name: agentUuid
+ cardinality: 1000
+ - name: agentVersion
+ cardinality: 1000
+ - name: connectionStatus
+ cardinality: 1000
+ - name: direction
+ cardinality: 1000
+ - name: dnsRequest
+ cardinality: 1000
+ - name: dnsResponse
+ cardinality: 1000
+ - name: dstIp
+ cardinality: 1000
+ - name: dstPort
+ range:
+ min: 0
+ max: 65535
+ - name: eventType
+ cardinality: 1000
+ - name: fileFullName
+ cardinality: 1000
+ - name: fileId
+ cardinality: 1000
+ - name: fileMd5
+ cardinality: 1000
+ - name: fileSha1
+ cardinality: 1000
+ - name: fileSha256
+ cardinality: 1000
+ - name: fileSize
+ range:
+ min: 1
+ max: 1000
+ cardinality: 100
+ - name: fileType
+ cardinality: 1000
+ - name: hasActiveContent
+ - name: id
+ range:
+ min: 100000000000000000
+ max: 999999999999999999
+ cardinality: 100000
+ - name: indicatorCategory
+ cardinality: 1000
+ - name: indicatorDescription
+ cardinality: 1000
+ - name: indicatorMetadata
+ cardinality: 1000
+ - name: indicatorName
+ cardinality: 1000
+ - name: loginsBaseType
+ cardinality: 1000
+ - name: loginsUserName
+ cardinality: 1000
+ - name: md5
+ cardinality: 1000
+ - name: networkMethod
+ cardinality: 1000
+ - name: networkSource
+ cardinality: 1000
+ - name: networkUrl
+ cardinality: 1000
+ - name: objectType
+ cardinality: 1000
+ - name: oldFileMd5
+ cardinality: 1000
+ - name: oldFileName
+ cardinality: 1000
+ - name: oldFileSha1
+ cardinality: 1000
+ - name: oldFileSha256
+ cardinality: 1000
+ - name: parentPid
+ range:
+ min: 0
+ max: 10000
+ - name: parentProcessGroupId
+ cardinality: 1000
+ - name: parentProcessName
+ cardinality: 1000
+ - name: parentProcessUniqueKey
+ cardinality: 1000
+ - name: pid
+ range:
+ min: 0
+ max: 10000
+ - name: processCmd
+ cardinality: 1000
+ - name: processDisplayName
+ cardinality: 1000
+ - name: processGroupId
+ cardinality: 1000
+ - name: processImagePath
+ cardinality: 1000
+ - name: processImageSha1Hash
+ cardinality: 1000
+ - name: processIntegrityLevel
+ cardinality: 1000
+ - name: processIsMalicious
+ - name: processIsRedirectedCommandProcessor
+ cardinality: 1000
+ - name: processIsWow64
+ cardinality: 1000
+ - name: processName
+ cardinality: 1000
+ - name: processRoot
+ cardinality: 1000
+ - name: processSessionId
+ cardinality: 1000
+ - name: processSubSystem
+ cardinality: 1000
+ - name: processUniqueKey
+ cardinality: 1000
+ - name: processUserName
+ cardinality: 1000
+ - name: protocol
+ cardinality: 1000
+ - name: publisher
+ cardinality: 1000
+ - name: registryClassification
+ cardinality: 1000
+ - name: registryId
+ cardinality: 1000
+ - name: registryPath
+ cardinality: 1000
+ - name: relatedToThreat
+ - name: rpid
+ cardinality: 1000
+ - name: sha1
+ cardinality: 1000
+ - name: sha256
+ cardinality: 1000
+ - name: signatureSignedInvalidReason
+ cardinality: 1000
+ - name: signedStatus
+ cardinality: 1000
+ - name: siteId
+ cardinality: 1000
+ - name: siteName
+ cardinality: 1000
+ - name: srcIp
+ cardinality: 1000
+ - name: srcPort
+ range:
+ min: 0
+ max: 65535
+ - name: storyline
+ cardinality: 1000
+ - name: taskName
+ cardinality: 1000
+ - name: taskPath
+ cardinality: 1000
+ - name: threatStatus
+ cardinality: 1000
+ - name: tid
+ cardinality: 1000
+ - name: trueContext
+ cardinality: 1000
+ - name: user
+ cardinality: 1000
+ - name: verifiedStatus
+ cardinality: 1000

packages/sentinel_one/_dev/benchmark/rally/threatevent-benchmark/fields.yml

@@ -0,0 +1,186 @@
+- name: activeContentFileId
+ type: keyword
+- name: activeContentHash
+ type: keyword
+- name: activeContentPath
+ type: keyword
+- name: agentDomain
+ type: keyword
+- name: agentGroupId
+ type: keyword
+- name: agentId
+ type: keyword
+- name: agentInfected
+ type: boolean
+- name: agentIp
+ type: ip
+- name: agentIsActive
+ type: boolean
+- name: agentIsDecommissioned
+ type: boolean
+- name: agentMachineType
+ type: keyword
+- name: agentName
+ type: keyword
+- name: agentNetworkStatus
+ type: keyword
+- name: agentOs
+ type: keyword
+- name: agentUuid
+ type: keyword
+- name: agentVersion
+ type: keyword
+- name: connectionStatus
+ type: keyword
+- name: createdAt
+ type: date
+- name: direction
+ type: keyword
+- name: dnsRequest
+ type: keyword
+- name: dnsResponse
+ type: keyword
+- name: dstIp
+ type: ip
+- name: dstPort
+ type: long
+- name: eventType
+ type: keyword
+- name: fileFullName
+ type: keyword
+- name: fileId
+ type: keyword
+- name: fileMd5
+ type: keyword
+- name: fileSha1
+ type: keyword
+- name: fileSha256
+ type: keyword
+- name: fileSize
+ type: long
+- name: fileType
+ type: keyword
+- name: hasActiveContent
+ type: boolean
+- name: id
+ type: keyword
+- name: indicatorCategory
+ type: keyword
+- name: indicatorDescription
+ type: keyword
+- name: indicatorMetadata
+ type: keyword
+- name: indicatorName
+ type: keyword
+- name: loginsBaseType
+ type: keyword
+- name: loginsUserName
+ type: keyword
+- name: md5
+ type: keyword
+- name: networkMethod
+ type: keyword
+- name: networkSource
+ type: keyword
+- name: networkUrl
+ type: keyword
+- name: objectType
+ type: keyword
+- name: oldFileMd5
+ type: keyword
+- name: oldFileName
+ type: keyword
+- name: oldFileSha1
+ type: keyword
+- name: oldFileSha256
+ type: keyword
+- name: parentPid
+ type: long
+- name: parentProcessGroupId
+ type: keyword
+- name: parentProcessIsMalicious
+ type: boolean
+- name: parentProcessName
+ type: keyword
+- name: parentProcessUniqueKey
+ type: keyword
+- name: pid
+ type: long
+- name: processCmd
+ type: keyword
+- name: processDisplayName
+ type: keyword
+- name: processGroupId
+ type: keyword
+- name: processImagePath
+ type: keyword
+- name: processImageSha1Hash
+ type: keyword
+- name: processIntegrityLevel
+ type: keyword
+- name: processIsMalicious
+ type: boolean
+- name: processIsRedirectedCommandProcessor
+ type: keyword
+- name: processIsWow64
+ type: keyword
+- name: processName
+ type: keyword
+- name: processRoot
+ type: keyword
+- name: processSessionId
+ type: keyword
+- name: processStartTime
+ type: date
+- name: processSubSystem
+ type: keyword
+- name: processUniqueKey
+ type: keyword
+- name: processUserName
+ type: keyword
+- name: protocol
+ type: keyword
+- name: publisher
+ type: keyword
+- name: registryClassification
+ type: keyword
+- name: registryId
+ type: keyword
+- name: registryPath
+ type: keyword
+- name: relatedToThreat
+ type: boolean
+- name: rpid
+ type: keyword
+- name: sha1
+ type: keyword
+- name: sha256
+ type: keyword
+- name: signatureSignedInvalidReason
+ type: keyword
+- name: signedStatus
+ type: keyword
+- name: siteId
+ type: keyword
+- name: siteName
+ type: keyword
+- name: srcIp
+ type: ip
+- name: srcPort
+ type: long
+- name: storyline
+ type: keyword
+- name: taskName
+ type: keyword
+- name: taskPath
+ type: keyword
+- name: threatStatus
+ type: keyword
+- name: tid
+ type: keyword
+- name: trueContext
+ type: keyword
+- name: user
+ type: keyword
+- name: verifiedStatus
+ type: keyword