Added/updated dashboards and updated the readme
tmartin-s1 committed Sep 19, 2023
1 parent a15ee62 commit f370c51
Showing 12 changed files with 1,135 additions and 342 deletions.
6 changes: 3 additions & 3 deletions README.md
@@ -1,5 +1,5 @@
# Security Data Lake Add-On for Splunk
The Security Data Lake Add-On for Splunk provides integration with [Singularity DataLake](https://www.sentinelone.com/platform/xdr-ingestion/) and [DataSet](https://www.dataset.com) by [SentinelOne](https://sentinelone.com). The key functions allow two-way integration:
# Singularity Data Lake Add-On for Splunk
The Singularity Data Lake Add-On for Splunk provides integration with [Singularity DataLake](https://www.sentinelone.com/platform/xdr-ingestion/) and [DataSet](https://www.dataset.com) by [SentinelOne](https://sentinelone.com). The key functions allow two-way integration:
- SPL custom command to query directly from the Splunk UI.
- Inputs to index alerts as CIM-compliant, or any user-defined query results.
- Alert action to send events from Splunk.
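Review bot: the rename from "Security Data Lake" to "Singularity Data Lake" in the heading and first paragraph matches the `<label>` change in `Splunk Dashboards/dataset_by_example.xml` in this same commit, so the README and dashboard will agree; the three bullets below are unchanged context. Since the summary says 12 files changed but only four are shown here, double-check that every other occurrence of the old name (the app label users see in Splunk, other dashboard labels) was renamed in the same pass so the product name is consistent everywhere.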
@@ -60,7 +60,7 @@ The add-on uses Splunk encrypted secrets storage, so admins require `admin_all_o

3. Optionally, configure logging level and proxy information on the associated tabs.
4. Click Save.
5. The included Security Data Lake by Example dashboard can be used to confirm connectivity and also shows example searches to get started.
5. The included Singularity Data Lake by Example dashboard can be used to confirm connectivity and also shows example searches to get started.

## SPL Command
The `| dataset` command allows queries against the [DataSet APIs](https://app.scalyr.com/help/api) directly from Splunk's search bar.
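Review bot: step 5 now points at the renamed "Singularity Data Lake by Example" dashboard for confirming connectivity, but this same commit removes the `<initialValue>1</initialValue>` on the "Show Connection Test Results" checkbox in that dashboard, so the test results are no longer visible by default. Add a clause to step 5 telling the user to tick "Show Connection Test Results" to see the connection check, otherwise the step as written sends them to a dashboard that appears to show nothing.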
47 changes: 25 additions & 22 deletions Splunk Dashboards/dataset_by_example.xml
@@ -1,5 +1,5 @@
<form version="1.1">
<label>Security Data Lake by Example</label>
<label>Singularity Data Lake by Example</label>
<init>
<set token="myMaxCount">maxcount=10</set>
<set token="baseQuery"></set>
@@ -12,7 +12,6 @@
<input type="checkbox" token="hideAPItest">
<label></label>
<choice value="1">Show Connection Test Results</choice>
<initialValue>1</initialValue>
<change>
<condition value="1">
<eval token="my_boolean">"1"</eval>
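Review bot: dropping `<initialValue>1</initialValue>` flips the default so the connection test results are hidden until the user ticks the box; only the `<condition value="1">` branch of the `<change>` handler is visible in this hunk, so make sure there is also a branch for the unchecked case that unsets `my_boolean` (e.g. an `<unset token="my_boolean"/>` condition), otherwise toggling the box off after turning it on will leave the dependent panels showing. Document the new default in the README step that sends users to this dashboard to confirm connectivity.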
@@ -24,6 +23,26 @@
<delimiter> </delimiter>
</input>
</fieldset>
<row depends="false">
<panel>
<html>
<style>
#baseQuery .splunk-textinput input{ width: 600px; !important; }
#basePowerQuery .splunk-textinput input{ width: 1000px; !important; }
#baseFacetQuery .splunk-textinput input{ width: 1000px; !important; }
#splunkAggregate .splunk-textinput input{ width: 1000px; !important; }
.dashboard-panel h2{
background:#6B0AEA !important;
color:white !important;
text-align: left !important;
font-weight: bold !important;
border-top-right-radius: 15px;
border-top-left-radius: 15px;
}
</style>
</html>
</panel>
</row>
<row>
<panel>
<title>Searching Your Data in DataSet</title>
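Review bot: the CSS in the new style row has a syntax error on all four `.splunk-textinput input` rules: `width: 600px; !important;` ends the declaration at the first semicolon, so the width is applied without priority and the dangling `!important;` is discarded by the parser; write `width: 600px !important;` (and likewise for the three `1000px` rules). The rules are carried over from the old block removed further down in this file, so the bug is pre-existing, but moving the block is the moment to fix it. Also confirm that `<row depends="false">` actually keeps the row hidden; the usual Simple XML idiom for a CSS-only row is a token reference that is never set, such as `depends="$hideStyleRow$"`, which makes the intent explicit to the next reader. The header colour change from `#0000ff` to `#6B0AEA` is cosmetic and fine.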
@@ -71,7 +90,7 @@
<li>
<b>Timeseries Query</b> - This will calculate numeric values over time. For repeated queries, summaries allow precomputed results (fastest).</li>
</ol>
Depending on your use case, you may have a need for any or all of these.
Depending on your use case, you may have a need for any or all of these.
<h1>Let's get started searching! </h1>
</html>
</panel>
@@ -101,7 +120,7 @@
<fieldForLabel>serverHost</fieldForLabel>
<fieldForValue>serverHost</fieldForValue>
<search>
<query>| dataset method=facet field=serverHost search="serverHost=* "
<query>| dataset method=facet field=serverHost search="serverHost=* "
| spath
| rename value as serverHost
| table serverHost count
@@ -126,30 +145,14 @@
<label>Base DataSet query</label>
<default>$baseQuery$</default>
</input>
<html>
<style>
#baseQuery .splunk-textinput input{ width: 600px; !important; }
#basePowerQuery .splunk-textinput input{ width: 1000px; !important; }
#baseFacetQuery .splunk-textinput input{ width: 1000px; !important; }
#splunkAggregate .splunk-textinput input{ width: 1000px; !important; }
.dashboard-panel h2{
background:#0000ff !important;
color:white !important;
text-align: left !important;
font-weight: bold !important;
border-top-right-radius: 15px;
border-top-left-radius: 15px;
}
</style>
</html>
</panel>
</row>
<row>
<panel>
<table>
<title>SPL: | dataset method=query search="$baseQuery$" $myMaxCount$ | spath</title>
<search>
<query>| dataset method=query search="$baseQuery$" $myMaxCount$
<query>| dataset method=query search="$baseQuery$" $myMaxCount$
| spath</query>
<earliest>$myTime.earliest$</earliest>
<latest>$myTime.latest$</latest>
@@ -260,4 +263,4 @@
</chart>
</panel>
</row>
</form>
</form>
25 changes: 21 additions & 4 deletions Splunk Dashboards/ingestion_summary.xml
@@ -2,10 +2,10 @@
<label>Ingestion Summary</label>
<description>This dashboard is provided to estimate daily ingestion for various sources of data in Splunk.</description>
<search id="base_search">
<query>index="_internal" source="*metrics.log" group="per_sourcetype_thruput"
<query>index="_internal" source="*metrics.log" group="per_sourcetype_thruput"
| bucket _time span=1d
| eval GB=kb/1024/1024
| stats sum(GB) as "GB Ingest" avg(GB) as "Average GB" max(GB) as "Max GB" avg(eps) as "Events per Second" by _time, series
| stats sum(GB) as "GB Ingest" avg(GB) as "Average GB" max(GB) as "Max GB" avg(eps) as "Events per Second" by _time, series
| stats sum("GB Ingest") as "Total Ingest(GB)", avg("GB Ingest") as "Daily Avg Ingest(GB)", max("GB Ingest") as "Daily Max Ingest(GB)" by series
| eval "Total Ingest(GB)"=round('Total Ingest(GB)',4), "Daily Avg Ingest(GB)"=round('Daily Avg Ingest(GB)',4), "Daily Max Ingest(GB)"=round('Daily Max Ingest(GB)',4), "Events per Second"=round('Events per Second',4)
| rename series as sourcetype
@@ -23,7 +23,24 @@
</default>
</input>
</fieldset>
<row>
<row depends="false">
<panel>
<html>
<style>
#$powerQuery$ .splunk-textinput input{ width: 1000px; !important; }
.dashboard-panel h2{
background:#6B0AEA !important;
color:white !important;
text-align: left !important;
font-weight: bold !important;
border-top-right-radius: 15px;
border-top-left-radius: 15px;
}
</style>
</html>
</panel>
</row>
<row>
<panel>
<title>Ingestion by sourcetype</title>
<chart>
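Review bot: the selector `#$powerQuery$ .splunk-textinput input` embeds a token that nothing in this dashboard sets (neither the `base_search` nor the visible inputs reference `powerQuery`), so after token substitution the rule either stays as the literal `#$powerQuery$` or ends up with an empty id and never matches; it looks copied from the use-case dashboard. Drop the rule or point it at the real input id in this file. The `width: 1000px; !important;` line has the same syntax problem as the block in `dataset_by_example.xml`: the declaration ends at the first semicolon, so it should read `width: 1000px !important;`.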
@@ -59,4 +76,4 @@
</table>
</panel>
</row>
</form>
</form>
27 changes: 17 additions & 10 deletions Splunk Dashboards/sentinelone_use_case_query_examples.xml
@@ -23,26 +23,29 @@
<label>Max rows of data to return</label>
<choice value="os.name matches '^Windows' AND event.category = 'file' AND tgt.file.path contains 'temp' AND tgt.file.isExecutable = 'true' AND src.process.verifiedStatus != 'verified' AND src.process.publisher != 'MICROSOFT WINDOWS'">A non-Windows process writes files to the temp directory</choice>
<choice value="(src.process.displayName = 'Windows host process (Rundll32)' OR src.process.displayName = 'Microsoft(C) Register Server') AND src.process.displayName contains ('javascript', 'mshtml', 'runhtmlapplication')">Rundll or Regsvr executes a script</choice>
<choice value="event.category = 'file' AND tgt.file.path contains 'windows\\temp' AND tgt.file.path matches '(bat|cmd)$' AND NOT tgt.file.path contains ('{', '}')">Bat or cmd files are dropped directly to a temp folder </choice>
<choice value="event.category = 'file' AND tgt.file.path contains 'windows\\temp' AND tgt.file.path matches '(bat|cmd)$' AND NOT tgt.file.path contains ('{', '}')">Bat or cmd files are dropped directly to a temp folder</choice>
<choice value="(src.process.verifiedStatus != 'verified' AND src.process.publisher != 'MICROSOFT WINDOWS' AND tgt.process.verifiedStatus = 'verified' AND tgt.process.publisher != 'MICROSOFT WINDOWS' AND event.category='cross_process') OR (indicator.name='RemoteLibraryInjection' AND (indicator.metadata contains ('lsass.exe', 'explorer.exe', 'svchost.exe')))">A non-Windows process injects to a Windows process</choice>
<choice value="(src.process.displayName = 'Windows host process (Rundll32)' AND NOT src.process.image.path matches ('system32\\\\rundll32\\.exe$', 'syswow64\\\\rundll32\\.exe$')) OR (src.process.displayName = 'Microsoft(C) Register Server' AND NOT src.process.image.path matches ('system32\\\\regsvr32\\.exe$', 'syswow64\\\\regsvr32\\.exe$')) OR (src.process.displayName = 'Windows Command Processor' AND NOT src.process.image.path matches ('system32\\\\cmd\\.exe$', 'syswow64\\\\cmd\\.exe$')) OR (src.process.displayName = 'Windows PowerShell' AND NOT src.process.image.path matches 'powershell\\.exe$')">LOLBins command processors masquerade under a different name and path</choice>
<choice value="(src.process.displayName = 'Windows host process (Rundll32)' OR src.process.displayName = 'Microsoft(C) Register Server') AND src.process.cmdline contains ('http', 'https')">Rundll or Regsvr run content from a remote server</choice>
<choice value="src.process.image.path contains 'powershell' AND src.process.cmdline matches '.*([A-Za-z0-9+\/]{4})*([A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=).*'
">Suspicious Powershell with base64 in the commandline</choice>
<choice value="src.process.image.path contains 'powershell' AND src.process.cmdline matches '.*([A-Za-z0-9+\/]{4})*([A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=).*' ">Suspicious Powershell with base64 in the commandline</choice>
<choice value="event.category = 'file' AND tgt.file.type contains 'dll' AND tgt.file.path contains '\\windows' AND ((tgt.file.isSigned = 'signed' AND src.process.verifiedStatus != 'verified') OR tgt.file.isSigned != 'signed') AND tgt.file.path matches 'windows\\\\sys(tem32|wow64)\\\\'">New unsigned DLL is dropped in the Windows directory (possible DLL hijack attempt)</choice>
<choice value="event.type = 'Process Creation' AND ((src.process.cmdline contains 'copy' AND (src.process.cmdline contains '\\Windows\\NTDS\\NTDS\.dit' or src.process.cmdline contains '\\Windows\\System32\\config\\SYSTEM ')) OR (src.process.cmdline contains 'save' and src.process.cmdline contains 'HKLM\\SYSTEM ' ) OR (src.process.name = 'ntdsutil.exe' AND src.process.cmdline contains 'ac i ntds') or (src.process.name = 'mklink.exe' AND src.process.cmdline contains 'HarddiskVolumeShadowCopy')) AND NOT src.process.cmdline contains 'Get-psSDP.ps1'">NTDS Copy</choice>
<choice value="event.type = 'Process Creation' AND src.process.name cnotains 'fsutil' AND src.process.cmdline contains ' usn ' AND src.process.cmdline contains ' deletejournal'">Removal of indicators on Host</choice>
<choice value="event.tpe = 'Process Creation' AND src.process.cmdline matches '\\sa\\s.*\\s-hp\\S+\\s' AND src.process.cmdline matches '\\sa\\s.*\\s-m[0-5]+\\s'">Suspicious data compression</choice>
<choice value="src.process.name = 'netsh.exe' AND src.process.cmdline continas 'enable=Yes' AND (src.process.cmdline contains 'remote desktop' OR src.process.cmdline contains 'file and printer sharing')">Allow SMB and RDP on Defender Firewall </choice>
<choice value="src.process.name = 'netsh.exe' AND src.process.cmdline continas 'enable=Yes' AND (src.process.cmdline contains 'remote desktop' OR src.process.cmdline contains 'file and printer sharing')">Allow SMB and RDP on Defender Firewall</choice>
<choice value="(tgt.file.path contains 'System.Management.Automation' AND NOT src.process.name in ('powershell.exe', 'poershell_ise.exe')) AND NOT (src.process.publisher in ('MICROSOFT DYNAMIC CODE PUBLISHER', 'MICROSOFT CORPORATION', 'MICROSOFT WINDOWS') AND src.process.verifiedStatus = 'verified')">Unmanaged Powershell</choice>
<choice value="event.type = 'Process Creation' AND src.process.name contains 'mshta.exe' AND src.process.cmdline contains ('javascript:', 'about:', '&lt;script&gt;', 'vbscript:Execute')">Signed Binary Proxy Execution: mshta</choice>
<choice value="event.type = 'Process Creation' AND src.process.name contains 'regsvr32.exe' AND src.process.cmdline contains 's /u /n /i:http' AND src.process.cmdline contains 'scrobj'">Signed Binary Proxy Execution: regsvr32 </choice>
<choice value="event.type = 'Process Creation' AND src.process.name contains 'regsvr32.exe' AND src.process.cmdline contains 's /u /n /i:http' AND src.process.cmdline contains 'scrobj'">Signed Binary Proxy Execution: regsvr32</choice>
<choice value="event.type = 'Process Creation' AND src.process.name contains'rundll32.exe' AND (src.process.cmdline contains 'mshtml,RunHTMLApplication' OR src.process.cmdline contains 'javascript:')">Signed Binary Proxy Execution: Rundll32</choice>
<choice value="event.type = 'Process Creation' AND src.process.parent.displayName contains 'powershell' AND tgt.process.cmdline matches '`[cdeghijklmopqsuwxyz]'">Powershell Unnecessary Escaping</choice>
<choice value="event.type = 'Process Creation' AND src.process.name contains 'cmstp.exe' AND src.process.cmdline contains ' /s'">Signed Binary Proxy Execution: CMSTP</choice>
<choice value="registry.keyPath contains 'Services\DHCPServer\Parameters\Callout">DHCP CalloutDLL</choice>
<default>os.name matches '^Windows' AND event.category = 'file' AND tgt.file.path contains 'temp' AND tgt.file.isExecutable = 'true' AND src.process.verifiedStatus != 'verified' AND src.process.publisher != 'MICROSOFT WINDOWS'</default>
<initialValue>os.name matches '^Windows' AND event.category = 'file' AND tgt.file.path contains 'temp' AND tgt.file.isExecutable = 'true' AND src.process.verifiedStatus != 'verified' AND src.process.publisher != 'MICROSOFT WINDOWS'</initialValue>
<change>
<set token="useCase">$label$</set>
</change>

</input>
<html>
<style>
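Review bot: several of the query strings in this hunk contain typos that make the saved query either fail to parse or never match, and three of the affected lines are ones this commit already touches (trailing-space trims on the labels), so fix them in the same pass: `cnotains` in the fsutil query ("Removal of indicators on Host"), `continas` in the netsh query ("Allow SMB and RDP on Defender Firewall"), `event.tpe` in the compression query ("Suspicious data compression"), `poershell_ise.exe` in the "Unmanaged Powershell" query, the missing space in `contains'rundll32.exe'`, and the "DHCP CalloutDLL" value whose literal `'Services\DHCPServer\Parameters\Callout` has no closing quote. In the "Rundll or Regsvr executes a script" query the second clause tests `src.process.displayName contains ('javascript', 'mshtml', 'runhtmlapplication')`, which cannot be true alongside the displayName equality in the first clause; `src.process.cmdline` is probably intended. Joining the base64 regex onto one line is fine, and setting `useCase` from `$label$` in the new `<change>` handler is the right way to surface the choice text; just remove the stray blank line left before `</input>`.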
@@ -60,22 +63,26 @@
</panel>
</row>
<row>
<html><b>SentinelOne Search:</b> $baseQuery$</html>
<panel>
<html>
<b>Use Case:</b> $useCase$ <br/>
<b>SentinelOne Search:</b> $baseQuery$
</html>
</panel>
</row>
<row>
<panel>
<table>
<title>SPL: | dataset method=powerquery search="$baseQuery$ | columns endpoint.name | group count=count() by endpoint.name" | spath | table endpoint.name, count</title>
<search>
<query>| dataset method=powerquery search="$baseQuery$ | columns endpoint.name | group count=count() by endpoint.name" | spath | table endpoint.name, count</query>
<query>| dataset account=xdr method=powerquery search="$baseQuery$ | columns endpoint.name | group count=count() by endpoint.name" | spath | table endpoint.name, count</query>
<earliest>$myTime.earliest$</earliest>
<latest>$myTime.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">5</option>
<option name="count">10</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
</form>
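Review bot: the query now hard-codes `account=xdr`, while the `<title>` directly above it and the `| dataset` calls in the other dashboards in this commit pass no account argument, so this dashboard only works on deployments whose configured account is literally named `xdr`. Either drop the argument, expose it as a dashboard input token, or state the requirement in the README; in any case update the `<title>` so the SPL shown to the user is the SPL that actually runs. The new "Use Case" panel reads `$useCase$`, which is only set by the dropdown's `<change>` handler; confirm it is populated on first load from the `<initialValue>` rather than rendering blank until the user changes the selection. Raising the table row count from 5 to 10 is fine.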