SentinelOne Singularity Identity

Overview

SentinelOne Singularity Identity is a cybersecurity solution that provides identity protection and zero-trust security by continuously monitoring and analyzing user behaviors to detect and prevent potential threats.

Vendor: SentinelOne
Supported environment: Cloud
Detection based on: Telemetry
Detection based on: Alert

Warning

Important note - This format is currently in beta. We highly value your feedback to improve its performance.

Configure

This setup guide will show you how to pull events produced by SentinelOne Singularity Identity on Sekoia.io.

Generate API token

Log in the SentinelOne Singularity console
On the left panel, click Settings
Click Users
On the left, click Service Users
Click Actions, then click Create New Service User
Type a name, a description and Select the expiration duration for the Service User
Click Next
Select the scope of the access with the viewer role. We recommend using the site scope.
Click Create User
Copy and save the APIToken then click Close

Create the intake in Sekoia.io

Go to the intake page and create a new intake from the format SentinelOne Identity. Copy the intake key.

Event Categories

The following table lists the data source offered by this integration.

Data Source	Description
`Application logs`	activites performed on SentinelOne infrastructure are logged

In details, the following table denotes the type of events produced by this integration.

Name	Values
Kind	`alert`
Category	`intrusion_detection`
Type	`info`

Transformed Events Samples after Ingestion

This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.

test_alert_1.jsontest_alert_10.jsontest_alert_11.jsontest_alert_12.jsontest_alert_13.jsontest_alert_14.jsontest_alert_15.jsontest_alert_2.jsontest_alert_3.jsontest_alert_4.jsontest_alert_5.jsontest_alert_6.jsontest_alert_7.jsontest_alert_8.jsontest_alert_9.json

{
    "message": "{\n  \"id\": \"ba485919-e4c1-4496-9e2f-feb320f6841a\",\n  \"name\": \"Domain Controller Discovery Detected\",\n  \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\",\n  \"detectedAt\": \"2024-11-22T05:35:09.000Z\",\n  \"attackSurfaces\": [\n    \"IDENTITY\"\n  ],\n  \"detectionSource\": {\n    \"product\": \"Identity\"\n  },\n  \"status\": \"NEW\",\n  \"assignee\": null,\n  \"classification\": \"ENUMERATION\",\n  \"confidenceLevel\": \"MALICIOUS\",\n  \"firstSeenAt\": \"2024-11-22T05:35:09.000Z\",\n  \"lastSeenAt\": \"2024-11-22T05:35:09.000Z\",\n  \"process\": {\n    \"cmdLine\": \"C:\\\\Windows\\\\system32\\\\net1 group \\\"Domain Controllers\\\" /domain\",\n    \"file\": {\n      \"path\": \"c:\\\\windows\\\\system32\\\\net1.exe\",\n      \"sha1\": null,\n      \"sha256\": \"18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398\",\n      \"md5\": null\n    },\n    \"parentName\": null\n  },\n  \"result\": null,\n  \"storylineId\": null\n}",
    "event": {
        "category": "intrusion_detection",
        "end": "2024-11-22T05:35:09Z",
        "kind": "alert",
        "provider": "Identity",
        "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.",
        "start": "2024-11-22T05:35:09Z",
        "type": "info"
    },
    "@timestamp": "2024-11-22T05:35:09Z",
    "observer": {
        "product": "Singularity Identity",
        "vendor": "SentinelOne"
    },
    "process": {
        "command_line": "C:\\Windows\\system32\\net1 group \"Domain Controllers\" /domain",
        "executable": "c:\\windows\\system32\\net1.exe",
        "hash": {
            "sha256": "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398"
        },
        "name": "net1.exe"
    },
    "related": {
        "hash": [
            "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398"
        ]
    },
    "sentinelone": {
        "identity": {
            "attackSurfaces": [
                "IDENTITY"
            ],
            "classification": "ENUMERATION",
            "confidenceLevel": "MALICIOUS",
            "id": "ba485919-e4c1-4496-9e2f-feb320f6841a",
            "name": "Domain Controller Discovery Detected",
            "status": "NEW"
        }
    }
}

{
    "message": "{\"id\": \"01935322-7b49-71f0-89e0-f52562c26e53\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:09:48.731Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:09:48.731Z\", \"lastSeenAt\": \"2024-11-22T09:09:48.731Z\", \"process\": null, \"result\": null, \"storylineId\": null}",
    "event": {
        "category": "intrusion_detection",
        "end": "2024-11-22T09:09:48.731000Z",
        "kind": "alert",
        "provider": "Identity",
        "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.",
        "start": "2024-11-22T09:09:48.731000Z",
        "type": "info"
    },
    "@timestamp": "2024-11-22T09:09:48.731000Z",
    "observer": {
        "product": "Singularity Identity",
        "vendor": "SentinelOne"
    },
    "sentinelone": {
        "identity": {
            "attackSurfaces": [
                "IDENTITY"
            ],
            "classification": "UNKNOWN",
            "confidenceLevel": "MALICIOUS",
            "id": "01935322-7b49-71f0-89e0-f52562c26e53",
            "name": "Brute force attack - Mass Account Lockout",
            "status": "NEW"
        }
    }
}

{
    "message": "{\"id\": \"01935310-d00e-7616-81b9-fcb227ebb13d\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}",
    "event": {
        "category": "intrusion_detection",
        "end": "2024-11-22T08:45:51Z",
        "kind": "alert",
        "provider": "Identity",
        "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.",
        "start": "2024-11-22T08:45:51Z",
        "type": "info"
    },
    "@timestamp": "2024-11-22T08:45:51Z",
    "observer": {
        "product": "Singularity Identity",
        "vendor": "SentinelOne"
    },
    "process": {
        "command_line": "Sharphound.exe",
        "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe",
        "hash": {
            "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
        },
        "name": "sharphound.exe"
    },
    "related": {
        "hash": [
            "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
        ]
    },
    "sentinelone": {
        "identity": {
            "attackSurfaces": [
                "IDENTITY"
            ],
            "classification": "ENUMERATION",
            "confidenceLevel": "MALICIOUS",
            "id": "01935310-d00e-7616-81b9-fcb227ebb13d",
            "name": "Domain Controller Discovery Detected",
            "status": "NEW"
        }
    }
}

{
    "message": "{\"id\": \"01935310-eb28-7a57-9c27-87843b2cec61\", \"name\": \"AD Service Account Enumeration Detected\", \"description\": \"This event is generated when LDAP queries for enumerating service accounts are detected from an endpoint.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}",
    "event": {
        "category": "intrusion_detection",
        "end": "2024-11-22T08:45:51Z",
        "kind": "alert",
        "provider": "Identity",
        "reason": "This event is generated when LDAP queries for enumerating service accounts are detected from an endpoint.",
        "start": "2024-11-22T08:45:51Z",
        "type": "info"
    },
    "@timestamp": "2024-11-22T08:45:51Z",
    "observer": {
        "product": "Singularity Identity",
        "vendor": "SentinelOne"
    },
    "process": {
        "command_line": "Sharphound.exe",
        "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe",
        "hash": {
            "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
        },
        "name": "sharphound.exe"
    },
    "related": {
        "hash": [
            "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
        ]
    },
    "sentinelone": {
        "identity": {
            "attackSurfaces": [
                "IDENTITY"
            ],
            "classification": "ENUMERATION",
            "confidenceLevel": "MALICIOUS",
            "id": "01935310-eb28-7a57-9c27-87843b2cec61",
            "name": "AD Service Account Enumeration Detected",
            "status": "NEW"
        }
    }
}

{
    "message": "{\"id\": \"01935310-c715-72c9-bbd9-dc1ff6a7ff1e\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}",
    "event": {
        "category": "intrusion_detection",
        "end": "2024-11-22T08:45:50Z",
        "kind": "alert",
        "provider": "Identity",
        "reason": "This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.",
        "start": "2024-11-22T08:45:50Z",
        "type": "info"
    },
    "@timestamp": "2024-11-22T08:45:50Z",
    "observer": {
        "product": "Singularity Identity",
        "vendor": "SentinelOne"
    },
    "process": {
        "command_line": "Sharphound.exe",
        "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe",
        "hash": {
            "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
        },
        "name": "sharphound.exe"
    },
    "related": {
        "hash": [
            "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
        ]
    },
    "sentinelone": {
        "identity": {
            "attackSurfaces": [
                "IDENTITY"
            ],
            "classification": "ENUMERATION",
            "confidenceLevel": "MALICIOUS",
            "id": "01935310-c715-72c9-bbd9-dc1ff6a7ff1e",
            "name": "AD Domain Computer Enumeration Detected",
            "status": "NEW"
        }
    }
}

{
    "message": "{\"id\": \"01935310-cb9b-770e-96ee-632d4d21520b\", \"name\": \"AD ACL Enumeration\", \"description\": \"This event is generated when a command used to query or read the ACL's\\\\ Permission of any object in Active Directory.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}",
    "event": {
        "category": "intrusion_detection",
        "end": "2024-11-22T08:45:50Z",
        "kind": "alert",
        "provider": "Identity",
        "reason": "This event is generated when a command used to query or read the ACL's\\ Permission of any object in Active Directory.",
        "start": "2024-11-22T08:45:50Z",
        "type": "info"
    },
    "@timestamp": "2024-11-22T08:45:50Z",
    "observer": {
        "product": "Singularity Identity",
        "vendor": "SentinelOne"
    },
    "process": {
        "command_line": "Sharphound.exe",
        "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe",
        "hash": {
            "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
        },
        "name": "sharphound.exe"
    },
    "related": {
        "hash": [
            "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
        ]
    },
    "sentinelone": {
        "identity": {
            "attackSurfaces": [
                "IDENTITY"
            ],
            "classification": "ENUMERATION",
            "confidenceLevel": "MALICIOUS",
            "id": "01935310-cb9b-770e-96ee-632d4d21520b",
            "name": "AD ACL Enumeration",
            "status": "NEW"
        }
    }
}

{
    "message": "{\"id\": \"01935310-d4ba-7131-9e08-defa8b3aeb52\", \"name\": \"Domain Users Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the users in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}",
    "event": {
        "category": "intrusion_detection",
        "end": "2024-11-22T08:45:50Z",
        "kind": "alert",
        "provider": "Identity",
        "reason": "This event is raised when there is a query from an endpoint to dump all the users in the Active Directory Domain.",
        "start": "2024-11-22T08:45:50Z",
        "type": "info"
    },
    "@timestamp": "2024-11-22T08:45:50Z",
    "observer": {
        "product": "Singularity Identity",
        "vendor": "SentinelOne"
    },
    "process": {
        "command_line": "Sharphound.exe",
        "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe",
        "hash": {
            "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
        },
        "name": "sharphound.exe"
    },
    "related": {
        "hash": [
            "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
        ]
    },
    "sentinelone": {
        "identity": {
            "attackSurfaces": [
                "IDENTITY"
            ],
            "classification": "ENUMERATION",
            "confidenceLevel": "MALICIOUS",
            "id": "01935310-d4ba-7131-9e08-defa8b3aeb52",
            "name": "Domain Users Enumeration Detected",
            "status": "NEW"
        }
    }
}

{
    "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}",
    "event": {
        "category": "intrusion_detection",
        "end": "2024-11-22T08:45:50Z",
        "kind": "alert",
        "provider": "Identity",
        "reason": "This events is raised when a LDAP search Query is detected from the endpoint.",
        "start": "2024-11-22T08:45:50Z",
        "type": "info"
    },
    "@timestamp": "2024-11-22T08:45:50Z",
    "observer": {
        "product": "Singularity Identity",
        "vendor": "SentinelOne"
    },
    "process": {
        "command_line": "Sharphound.exe",
        "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe",
        "hash": {
            "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
        },
        "name": "sharphound.exe"
    },
    "related": {
        "hash": [
            "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
        ]
    },
    "sentinelone": {
        "identity": {
            "attackSurfaces": [
                "IDENTITY"
            ],
            "classification": "ENUMERATION",
            "confidenceLevel": "MALICIOUS",
            "id": "01935310-dc47-75de-8925-5f026bd5a705",
            "name": "LDAP Search Detected",
            "status": "NEW"
        }
    }
}

{
    "message": "{\"id\": \"01935359-3eda-7903-93fc-af6a0e5d0a8f\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:37.779Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:37.779Z\", \"lastSeenAt\": \"2024-11-22T10:09:37.779Z\", \"process\": null, \"result\": null, \"storylineId\": null}",
    "event": {
        "category": "intrusion_detection",
        "end": "2024-11-22T10:09:37.779000Z",
        "kind": "alert",
        "provider": "Identity",
        "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.",
        "start": "2024-11-22T10:09:37.779000Z",
        "type": "info"
    },
    "@timestamp": "2024-11-22T10:09:37.779000Z",
    "observer": {
        "product": "Singularity Identity",
        "vendor": "SentinelOne"
    },
    "sentinelone": {
        "identity": {
            "attackSurfaces": [
                "IDENTITY"
            ],
            "classification": "UNKNOWN",
            "confidenceLevel": "MALICIOUS",
            "id": "01935359-3eda-7903-93fc-af6a0e5d0a8f",
            "name": "Brute force attack - Mass Account Lockout",
            "status": "NEW"
        }
    }
}

{
    "message": "{\"id\": \"01935358-ee81-7eb7-b57f-022c6f0019a9\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:17.184Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:17.184Z\", \"lastSeenAt\": \"2024-11-22T10:09:17.184Z\", \"process\": null, \"result\": null, \"storylineId\": null}",
    "event": {
        "category": "intrusion_detection",
        "end": "2024-11-22T10:09:17.184000Z",
        "kind": "alert",
        "provider": "Identity",
        "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.",
        "start": "2024-11-22T10:09:17.184000Z",
        "type": "info"
    },
    "@timestamp": "2024-11-22T10:09:17.184000Z",
    "observer": {
        "product": "Singularity Identity",
        "vendor": "SentinelOne"
    },
    "sentinelone": {
        "identity": {
            "attackSurfaces": [
                "IDENTITY"
            ],
            "classification": "UNKNOWN",
            "confidenceLevel": "MALICIOUS",
            "id": "01935358-ee81-7eb7-b57f-022c6f0019a9",
            "name": "Brute force attack - Mass Account Lockout",
            "status": "NEW"
        }
    }
}

{
    "message": "{\"id\": \"0193534d-63c1-7497-b854-b883425af3f5\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:54:58.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:54:58.000Z\", \"lastSeenAt\": \"2024-11-22T09:54:58.000Z\", \"process\": {\"cmdLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\", \"file\": {\"path\": \"c:\\\\windows\\\\system32\\\\cmd.exe\", \"sha1\": null, \"sha256\": \"4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}",
    "event": {
        "category": "intrusion_detection",
        "end": "2024-11-22T09:54:58Z",
        "kind": "alert",
        "provider": "Identity",
        "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.",
        "start": "2024-11-22T09:54:58Z",
        "type": "info"
    },
    "@timestamp": "2024-11-22T09:54:58Z",
    "observer": {
        "product": "Singularity Identity",
        "vendor": "SentinelOne"
    },
    "process": {
        "command_line": "\"C:\\Windows\\system32\\cmd.exe\"",
        "executable": "c:\\windows\\system32\\cmd.exe",
        "hash": {
            "sha256": "4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22"
        },
        "name": "cmd.exe"
    },
    "related": {
        "hash": [
            "4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22"
        ]
    },
    "sentinelone": {
        "identity": {
            "attackSurfaces": [
                "IDENTITY"
            ],
            "classification": "ENUMERATION",
            "confidenceLevel": "MALICIOUS",
            "id": "0193534d-63c1-7497-b854-b883425af3f5",
            "name": "Domain Controller Discovery Detected",
            "status": "NEW"
        }
    }
}

{
    "message": "{\"id\": \"01935347-abf7-7457-8467-e3443470e6f3\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}",
    "event": {
        "category": "intrusion_detection",
        "end": "2024-11-22T09:45:51Z",
        "kind": "alert",
        "provider": "Identity",
        "reason": "This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.",
        "start": "2024-11-22T09:45:51Z",
        "type": "info"
    },
    "@timestamp": "2024-11-22T09:45:51Z",
    "observer": {
        "product": "Singularity Identity",
        "vendor": "SentinelOne"
    },
    "process": {
        "command_line": "Sharphound.exe",
        "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe",
        "hash": {
            "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
        },
        "name": "sharphound.exe"
    },
    "related": {
        "hash": [
            "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
        ]
    },
    "sentinelone": {
        "identity": {
            "attackSurfaces": [
                "IDENTITY"
            ],
            "classification": "ENUMERATION",
            "confidenceLevel": "MALICIOUS",
            "id": "01935347-abf7-7457-8467-e3443470e6f3",
            "name": "AD Domain Computer Enumeration Detected",
            "status": "NEW"
        }
    }
}

{
    "message": "{\"id\": \"01935347-b05a-7d28-a929-5294ee16628a\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}",
    "event": {
        "category": "intrusion_detection",
        "end": "2024-11-22T09:45:51Z",
        "kind": "alert",
        "provider": "Identity",
        "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.",
        "start": "2024-11-22T09:45:51Z",
        "type": "info"
    },
    "@timestamp": "2024-11-22T09:45:51Z",
    "observer": {
        "product": "Singularity Identity",
        "vendor": "SentinelOne"
    },
    "process": {
        "command_line": "Sharphound.exe",
        "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe",
        "hash": {
            "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
        },
        "name": "sharphound.exe"
    },
    "related": {
        "hash": [
            "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
        ]
    },
    "sentinelone": {
        "identity": {
            "attackSurfaces": [
                "IDENTITY"
            ],
            "classification": "ENUMERATION",
            "confidenceLevel": "MALICIOUS",
            "id": "01935347-b05a-7d28-a929-5294ee16628a",
            "name": "Domain Controller Discovery Detected",
            "status": "NEW"
        }
    }
}

{
    "message": "{\"id\": \"01935342-d073-7ed0-8c5e-2373fc013310\", \"name\": \"Default Admin Account Usage\", \"description\": \"This event is raised for default administrator account logon anywhere in the domain.\", \"detectedAt\": \"2024-11-22T09:45:07.655Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:07.655Z\", \"lastSeenAt\": \"2024-11-22T09:45:07.655Z\", \"process\": null, \"result\": null, \"storylineId\": null}",
    "event": {
        "category": "intrusion_detection",
        "end": "2024-11-22T09:45:07.655000Z",
        "kind": "alert",
        "provider": "Identity",
        "reason": "This event is raised for default administrator account logon anywhere in the domain.",
        "start": "2024-11-22T09:45:07.655000Z",
        "type": "info"
    },
    "@timestamp": "2024-11-22T09:45:07.655000Z",
    "observer": {
        "product": "Singularity Identity",
        "vendor": "SentinelOne"
    },
    "sentinelone": {
        "identity": {
            "attackSurfaces": [
                "IDENTITY"
            ],
            "classification": "UNKNOWN",
            "confidenceLevel": "MALICIOUS",
            "id": "01935342-d073-7ed0-8c5e-2373fc013310",
            "name": "Default Admin Account Usage",
            "status": "NEW"
        }
    }
}

{
    "message": "{\"id\": \"01935322-cc3a-76cc-890b-a1c2d1b815d4\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:10:09.467Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:10:09.467Z\", \"lastSeenAt\": \"2024-11-22T09:10:09.467Z\", \"process\": null, \"result\": null, \"storylineId\": null}",
    "event": {
        "category": "intrusion_detection",
        "end": "2024-11-22T09:10:09.467000Z",
        "kind": "alert",
        "provider": "Identity",
        "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.",
        "start": "2024-11-22T09:10:09.467000Z",
        "type": "info"
    },
    "@timestamp": "2024-11-22T09:10:09.467000Z",
    "observer": {
        "product": "Singularity Identity",
        "vendor": "SentinelOne"
    },
    "sentinelone": {
        "identity": {
            "attackSurfaces": [
                "IDENTITY"
            ],
            "classification": "UNKNOWN",
            "confidenceLevel": "MALICIOUS",
            "id": "01935322-cc3a-76cc-890b-a1c2d1b815d4",
            "name": "Brute force attack - Mass Account Lockout",
            "status": "NEW"
        }
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name	Type	Description
`@timestamp`	`date`	Date/time when the event originated.
`event.category`	`keyword`	Event category. The second categorization field in the hierarchy.
`event.end`	`date`	event.end contains the date when the event ended or when the activity was last observed.
`event.kind`	`keyword`	The kind of the event. The highest categorization field in the hierarchy.
`event.provider`	`keyword`	Source of the event.
`event.reason`	`keyword`	Reason why this event happened, according to the source
`event.start`	`date`	event.start contains the date when the event started or when the activity was first observed.
`event.type`	`keyword`	Event type. The third categorization field in the hierarchy.
`observer.product`	`keyword`	The product name of the observer.
`observer.vendor`	`keyword`	Vendor name of the observer.
`process.command_line`	`wildcard`	Full command line that started the process.
`process.executable`	`keyword`	Absolute path to the process executable.
`process.hash.md5`	`keyword`	MD5 hash.
`process.hash.sha1`	`keyword`	SHA1 hash.
`process.hash.sha256`	`keyword`	SHA256 hash.
`process.name`	`keyword`	Process name.
`process.parent.name`	`keyword`	Process name.
`sentinelone.identity.attackSurfaces`	`keyword`
`sentinelone.identity.classification`	`keyword`
`sentinelone.identity.confidenceLevel`	`keyword`
`sentinelone.identity.id`	`keyword`
`sentinelone.identity.name`	`keyword`
`sentinelone.identity.result`	`keyword`
`sentinelone.identity.status`	`keyword`
`sentinelone.identity.storyLineId`	`keyword`

For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.

Detection section

The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.

No related built-in rules was found. This message is automatically generated.