From b37ff5785e6d5882c2c2702f85ec6905a4985126 Mon Sep 17 00:00:00 2001
From: RandyRandleman
Date: Wed, 25 Aug 2021 23:27:49 +0000
Subject: [PATCH 1/5] S1
---
 evtx/Maps/SentinelOne-Operational_26.map | 37 ++++++++++++
 evtx/Maps/SentinelOne-Operational_31.map | 55 ++++++++++++++++++
 evtx/Maps/SentinelOne-Operational_32.map | 47 +++++++++++++++
 evtx/Maps/SentinelOne-Operational_81.map | 73 ++++++++++++++++++++++++
 4 files changed, 212 insertions(+)
 create mode 100644 evtx/Maps/SentinelOne-Operational_26.map
 create mode 100644 evtx/Maps/SentinelOne-Operational_31.map
 create mode 100644 evtx/Maps/SentinelOne-Operational_32.map
 create mode 100644 evtx/Maps/SentinelOne-Operational_81.map
diff --git a/evtx/Maps/SentinelOne-Operational_26.map b/evtx/Maps/SentinelOne-Operational_26.map
new file mode 100644
index 00000000..ed2a8b9d
--- /dev/null
+++ b/evtx/Maps/SentinelOne-Operational_26.map
@@ -0,0 +1,37 @@
+Author: Tony Knutson
+Description: File Quarantine Already Quarantined
+EventId: 26
+Channel: "SentinelOne/Operational"
+Provider: SentinelOne
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "%FilePath%"
+ Values:
+ -
+ Name: FilePath
+ Value: "/Event/EventData/Data[@Name=\"FilePath\"]"
+
+# Documentation:
+#
+#-
+#
+#
+# 26
+# 0
+# 3
+# 1
+# 0
+# 0x8000000000000000
+#
+# 491
+#
+#
+# SentinelOne/Operational
+# COMPUTERNAME
+#
+#
+#
+# PATH TO THE FILE
+#
+#
diff --git a/evtx/Maps/SentinelOne-Operational_31.map b/evtx/Maps/SentinelOne-Operational_31.map
new file mode 100644
index 00000000..869a331f
--- /dev/null
+++ b/evtx/Maps/SentinelOne-Operational_31.map
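Review bot: Field labels in `PropertyValue` are applied inconsistently across the four maps in this patch: here PayloadData1 is the bare `"%FilePath%"`, the 31 map leaves `"%Path%"` and `"%DetectionEngine%"` unlabeled, and the 81 map writes `"%Result%"` while the 32 map writes `"Result: %Result%"` for the same field. In a merged EvtxECmd timeline the label is the only thing that tells an analyst which SentinelOne field a payload value came from, so the same field should render the same way in every event. Suggest `PropertyValue: "FilePath: %FilePath%"` here and `PropertyValue: "Result: %Result%"` in the 81 map, and labeling the two unlabeled 31 fields the same way.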
@@ -0,0 +1,55 @@
+Author: Tony Knutson
+Description: Sentinel Threat Detected
+EventId: 31
+Channel: "SentinelOne/Operational"
+Provider: SentinelOne
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "Program: %Name%"
+ Values:
+ -
+ Name: Name
+ Value: "/Event/EventData/Data[@Name=\"Name\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "%Path%"
+ Values:
+ -
+ Name: Path
+ Value: "/Event/EventData/Data[@Name=\"Path\"]"
+ -
+ Property: PayloadData3
+ PropertyValue: "%DetectionEngine%"
+ Values:
+ -
+ Name: DetectionEngine
+ Value: "/Event/EventData/Data[@Name=\"DetectionEngine\"]"
+
+# Documentation:
+#
+# Example Event Data:
+#
+#
+#
+# 31
+# 0
+# 3
+# 1
+# 0
+# 0x8000000000000000
+#
+# 305
+#
+#
+# SentinelOne/Operational
+# COMPUTERNAME
+#
+#
+#
+# 745B8EA53F832640
+# name
+# PATH
+# windows.reputation
+#
+#
diff --git a/evtx/Maps/SentinelOne-Operational_32.map b/evtx/Maps/SentinelOne-Operational_32.map
new file mode 100644
index 00000000..c24b39e7
--- /dev/null
+++ b/evtx/Maps/SentinelOne-Operational_32.map
@@ -0,0 +1,47 @@
+Author: Tony Knutson
+Description: Sentinel Mitigation Report
+EventId: 32
+Channel: "SentinelOne/Operational"
+Provider: SentinelOne
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "Action: %Action%"
+ Values:
+ -
+ Name: Action
+ Value: "/Event/EventData/Data[@Name=\"Action\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "Result: %Result%"
+ Values:
+ -
+ Name: Result
+ Value: "/Event/EventData/Data[@Name=\"Result\"]"
+
+# Documentation:
+#
+# Example Event Data:
+#-
+#-
+#
+# 32
+# 0
+# 3
+# 1
+# 0
+# 0x8000000000000000
+#
+# 253
+#
+#
+# SentinelOne/Operational
+# COMPUTER NAME
+#
+#
+#-
+# D69E3E5659219301
+# Quarantine
+# Success
+#
+#
diff --git a/evtx/Maps/SentinelOne-Operational_81.map b/evtx/Maps/SentinelOne-Operational_81.map
new file mode 100644
index 00000000..bc83c63d
--- /dev/null
+++ b/evtx/Maps/SentinelOne-Operational_81.map
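Review bot: The example event at the bottom of the hunk shows four data values (`745B8EA53F832640`, `name`, `PATH`, `windows.reputation`) but the Maps section extracts only Name, Path and DetectionEngine, so the first value never reaches the CSV. Its `@Name` is not recoverable from the comment as rendered here, so it should be confirmed from the raw XML before it is mapped; if it is the threat identifier it appears to be, it is what would let an analyst tie this detection to the corresponding event 32 mitigation report, whose example (`D69E3E5659219301`) has the same unmapped leading field. The 81 map's example likewise shows `Management` and two of the three `NN` counters with no Values entry. Once the name is known, a fourth entry of the form `Property: PayloadData4` / `PropertyValue: "FIELD_NAME_TBD: %FIELD_NAME_TBD%"` / `Value: "/Event/EventData/Data[@Name=\"FIELD_NAME_TBD\"]"` carries it through, with `FIELD_NAME_TBD` replaced by the confirmed Data name.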
@@ -0,0 +1,73 @@
+Author: Tony Knutson
+Description: Sentinel Scan Ended
+EventId: 81
+Channel: "SentinelOne/Operational"
+Provider: SentinelOne
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "ScanStartTime: %ScanStartTime%"
+ Values:
+ -
+ Name: ScanStartTime
+ Value: "/Event/EventData/Data[@Name=\"ScanStartTime\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "ScanStopTime: %ScanStopTime%"
+ Values:
+ -
+ Name: ScanStopTime
+ Value: "/Event/EventData/Data[@Name=\"ScanStopTime\"]"
+ -
+ Property: PayloadData3
+ PropertyValue: "ScannedPath: %ScannedPath%"
+ Values:
+ -
+ Name: ScannedPath
+ Value: "/Event/EventData/Data[@Name=\"ScannedPath\"]"
+ -
+ Property: PayloadData4
+ PropertyValue: "%Result%"
+ Values:
+ -
+ Name: Result
+ Value: "/Event/EventData/Data[@Name=\"Result\"]"
+ -
+ Property: PayloadData5
+ PropertyValue: "MaliciousCount: %MaliciousCount%"
+ Values:
+ -
+ Name: MaliciousCount
+ Value: "/Event/EventData/Data[@Name=\"MaliciousCount\"]"
+
+# Documentation:
+#
+# Example Event Data:
+#-
+#-
+#
+# 81
+# 0
+# 4
+# 1
+# 0
+# 0x8000000000000000
+#
+# 333
+#
+#
+# SentinelOne/Operational
+# COMPUTER NAME
+#
+#
+#-
+# YYYY-MM-DD hh:mm:ss
+# YYYY-MM-DD hh:mm:ss
+# All Volumes
+# Management
+# NN
+# NN
+# NN
+# Completed
+#
+#
From 17b02c53c316756e70722d35082e79c6649b7fdb Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+rathbuna@users.noreply.github.com>
Date: Wed, 25 Aug 2021 19:37:28 -0400
Subject: [PATCH 2/5] Update SentinelOne-Operational_26.map
---
 evtx/Maps/SentinelOne-Operational_26.map | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/evtx/Maps/SentinelOne-Operational_26.map b/evtx/Maps/SentinelOne-Operational_26.map
index ed2a8b9d..87c8c3b4 100644
--- a/evtx/Maps/SentinelOne-Operational_26.map
+++ b/evtx/Maps/SentinelOne-Operational_26.map
@@ -13,8 +13,10 @@ Maps:
 Value: "/Event/EventData/Data[@Name=\"FilePath\"]"
 
 # Documentation:
+# N/A
 #
-#-
+# Example Event Data:
+#
 #
 #
 # 26
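Review bot: `ScanStartTime` and `ScanStopTime` are passed through as the agent's raw strings (`YYYY-MM-DD hh:mm:ss` in the example) with no zone marker, and nothing in the map or its Documentation block says which zone SentinelOne writes them in. EvtxECmd's own TimeCreated column is normalized to UTC, so an analyst lining the two up can be off by the host's offset without noticing. Suggest confirming the zone on a known host and recording it in the Documentation comment, e.g. `# ScanStartTime/ScanStopTime are written by the agent in ZONE_TBD (confirm on a test host)`.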
From e755452c3ab804740cbbe16e5713fa1fb57d5b05 Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+rathbuna@users.noreply.github.com>
Date: Wed, 25 Aug 2021 19:38:32 -0400
Subject: [PATCH 3/5] Update SentinelOne-Operational_31.map
---
 evtx/Maps/SentinelOne-Operational_31.map | 1 +
 1 file changed, 1 insertion(+)
diff --git a/evtx/Maps/SentinelOne-Operational_31.map b/evtx/Maps/SentinelOne-Operational_31.map
index 869a331f..693427ce 100644
--- a/evtx/Maps/SentinelOne-Operational_31.map
+++ b/evtx/Maps/SentinelOne-Operational_31.map
@@ -27,6 +27,7 @@ Maps:
 Value: "/Event/EventData/Data[@Name=\"DetectionEngine\"]"
 
 # Documentation:
+# N/A
 #
 # Example Event Data:
 #
From fcaecf86a2f5fce5dc1dde51fcd986e8857afb43 Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+rathbuna@users.noreply.github.com>
Date: Wed, 25 Aug 2021 19:41:48 -0400
Subject: [PATCH 4/5] Update SentinelOne-Operational_32.map
---
 evtx/Maps/SentinelOne-Operational_32.map | 1 +
 1 file changed, 1 insertion(+)
diff --git a/evtx/Maps/SentinelOne-Operational_32.map b/evtx/Maps/SentinelOne-Operational_32.map
index c24b39e7..54a44eb2 100644
--- a/evtx/Maps/SentinelOne-Operational_32.map
+++ b/evtx/Maps/SentinelOne-Operational_32.map
@@ -20,6 +20,7 @@ Maps:
 Value: "/Event/EventData/Data[@Name=\"Result\"]"
 
 # Documentation:
+# N/A
 #
 # Example Event Data:
 #-
From b4f6e7bbf6f0352c232a87276aabc8e75987100c Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+rathbuna@users.noreply.github.com>
Date: Wed, 25 Aug 2021 19:42:30 -0400
Subject: [PATCH 5/5] Update SentinelOne-Operational_81.map
---
 evtx/Maps/SentinelOne-Operational_81.map | 1 +
 1 file changed, 1 insertion(+)
diff --git a/evtx/Maps/SentinelOne-Operational_81.map b/evtx/Maps/SentinelOne-Operational_81.map
index bc83c63d..9f98816b 100644
--- a/evtx/Maps/SentinelOne-Operational_81.map
+++ b/evtx/Maps/SentinelOne-Operational_81.map
@@ -41,6 +41,7 @@ Maps:
 Value: "/Event/EventData/Data[@Name=\"MaliciousCount\"]"
 
 # Documentation:
+# N/A
 #
 # Example Event Data:
 #-