Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
---|---|---|---|---|---|---|---|
SentinelOne Raw Events (Cloud Funnel) | ✅ | ✅ | | | sentinelone_raw_events | NDJSON | S3 |
SentinelOne Threats | ✅ | ✅ | | | sentinelone_threat | NDJSON | API |
SentinelOne Agents | ✅ | | | | sentinelone_agents | NDJSON | API |
SentinelOne Custom Rule Alerts | ✅ | | | | sentinelone_customrule_alerts_logs | NDJSON | API |
Overview
SentinelOne offers solutions that deliver real-time endpoint protection, detection and response, and monitor IoT frameworks for vulnerabilities. These solutions leverage the cloud for scalability.
Hunters collects data from SentinelOne and ingests it into its database. The data is then made available in the Hunters portal and correlated with related threats detected by SentinelOne and by other sources.
Supported data types
Raw Events (Cloud Funnel)
Table name: sentinelone_raw_events
The SentinelOne raw events log, often referred to as the cloud funnel, is a comprehensive repository that captures and stores granular details of all activities monitored by SentinelOne's endpoint security platform. This log is pivotal for organizations looking to deeply analyze and understand the nature of threats, breaches, and system interactions within their network (supporting both v1 and v2).
Threats
Table name: sentinelone_threat
The SentinelOne Threats log is an essential feature of SentinelOne's endpoint security platform, offering a detailed record of detected cybersecurity threats. It provides immediate insights into the nature, severity, and timing of threats such as malware and ransomware, along with information on affected endpoints. This streamlined log facilitates rapid threat identification and response, helping organizations to bolster their defenses and mitigate risks efficiently.
Agents
Table name: sentinelone_agents
The SentinelOne Agents log tracks the performance and security activities of SentinelOne's endpoint agents within a network. It offers insights into agent health, updates, and responses to threats, helping teams ensure endpoint security and operational integrity. This log is key for maintaining optimal functionality and security coverage across all deployed agents.
Custom Rule Alerts
Table name: sentinelone_customrule_alerts_logs
SentinelOne Custom Rule Alerts logs track alerts triggered by custom rules defined by the organization. These custom rules are tailored to meet specific security policies or to detect unique threats relevant to the organization's operational context. When an activity matches the criteria set by a custom rule, an alert is generated and logged, providing detailed information about the event. This includes the nature of the match, the time it occurred, and the entities involved.
Send data to Hunters
📘Note
Hunters currently supports collection through SentinelOne API version 2.1, and Cloud Funnel event collection through S3 storage.
Connect SentinelOne Raw Events
Cloud Funnel events should be collected from your network into a shared storage service (e.g. an S3 bucket) that is shared with Hunters.
To connect SentinelOne Raw Events (Cloud Funnel):
1. Follow this guide to create an AWS S3 bucket.
2. Grant SentinelOne read and write permissions on the bucket using AWS S3 ACLs.
📘Note
Consult the SentinelOne documentation to obtain SentinelOne's AWS Canonical ID.
3. From your SentinelOne Admin Console, enable Cloud Funnel streaming into the S3 bucket you created.
4. Once the export is complete and the logs are collected in S3, follow the steps in this section.
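Before sharing the bucket, it is worth confirming that the ACL grants SentinelOne exactly what the step above asks for and nothing more. The following is an added example, not code from the Hunters page or from SentinelOne; it audits an ACL document in the shape returned by `aws s3api get-bucket-acl` (or boto3 `get_bucket_acl`). `SENTINELONE_CANONICAL_ID` is a placeholder to be replaced with the Canonical ID from SentinelOne's documentation, and the two sample ACLs are constructed.

```python
"""Audit the ACL of the Cloud Funnel S3 bucket before sharing it.

Added example, not part of the Hunters page or of any SentinelOne/Hunters
tooling. The SentinelOne canonical user must hold READ and WRITE, and no
grant may go to the public AllUsers or AuthenticatedUsers groups.
"""
from typing import List

# Placeholder: the real canonical ID comes from SentinelOne's documentation.
SENTINELONE_CANONICAL_ID = "<sentinelone-canonical-id-from-s1-docs>"

PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
REQUIRED_PERMISSIONS = {"READ", "WRITE"}


def audit_bucket_acl(acl: dict, s1_canonical_id: str = SENTINELONE_CANONICAL_ID) -> List[str]:
    """Return a list of findings; an empty list means the ACL is as expected."""
    findings: List[str] = []
    s1_perms = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        perm = grant.get("Permission")
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append(f"public grant: {perm} to {grantee['URI']}")
        elif grantee.get("Type") == "CanonicalUser" and grantee.get("ID") == s1_canonical_id:
            s1_perms.add(perm)
    if "FULL_CONTROL" in s1_perms:
        findings.append("SentinelOne holds FULL_CONTROL; READ and WRITE are sufficient")
    else:
        missing = REQUIRED_PERMISSIONS - s1_perms
        if missing:
            findings.append(f"SentinelOne grant missing: {sorted(missing)}")
    return findings


# Constructed sample ACLs, same shape as a get-bucket-acl response.
OWNER = {"DisplayName": "my-org", "ID": "a" * 64}

GOOD_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": SENTINELONE_CANONICAL_ID}, "Permission": "READ"},
        {"Grantee": {"Type": "CanonicalUser", "ID": SENTINELONE_CANONICAL_ID}, "Permission": "WRITE"},
    ],
}

# WRITE for SentinelOne is missing and the bucket is readable by everyone.
BAD_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": SENTINELONE_CANONICAL_ID}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for name, acl in (("good", GOOD_ACL), ("bad", BAD_ACL)):
        print(name, audit_bucket_acl(acl) or "OK")
```

In a live check, replace the constructed ACLs with `boto3.client("s3").get_bucket_acl(Bucket=...)`; the response has the same `Grants` layout.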
Connect SentinelOne Threats, Agents, and Custom Rule Alert logs
Hunters supports the collection of SentinelOne Threats, Agents and Custom Rule Alert logs using the SentinelOne API.
To connect SentinelOne logs:
1. Contact SentinelOne Support to retrieve your API host name. This should be the hostname portion of your SentinelOne domain. For example, if the domain is u1234-s123.sentinelone.net, the hostname is u1234-s123.
2. To retrieve your API token, follow these steps:
   a. Log in to the SentinelOne Management Console as an administrator.
   b. Navigate to Settings > Users and click your username.
   c. Click Edit.
   d. Navigate to Edit User > API Token.
   e. Click Generate.
   f. Click Copy to record the value of the API token shown in the new window.
   g. Click Download.
Complete the process on the Hunters platform, following this guide.
⚠️ Attention
The SentinelOne Cloud Connector generates a new token every six months. When you generate or regenerate a token, SentinelOne displays the expiration date for the token.
If a token is already generated, the window displays Revoke or Regenerate buttons. Clicking Revoke removes the authorization by the existing token. Clicking Regenerate removes the authorization by the existing token and creates a new API token. If you revoke or regenerate a token, any scripts that use the token will stop working.
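Because regenerating a token silently breaks every script that uses the old one, it helps to keep the token out of scripts and to check its remaining lifetime before it lapses. The block below is an added example, not code from the Hunters page or from SentinelOne. It derives the hostname Hunters asks for from the console domain, builds (without sending) an authenticated request, and classifies a token by the expiry date the console displays. The `/web/api/v2.1/` path and the `ApiToken` authorization scheme are SentinelOne API 2.1 conventions not stated on this page, and the `S1_API_TOKEN` environment variable and 14-day warning threshold are this example's own choices.

```python
"""Build SentinelOne API 2.1 requests and flag an API token that is about to expire.

Added example; it is not part of the Hunters page or of SentinelOne's own tooling.
Assumptions not stated on the page: API 2.1 is served under
https://<hostname>.sentinelone.net/web/api/v2.1/ and authenticates with an
`Authorization: ApiToken <token>` header. The token is read from the
S1_API_TOKEN environment variable so it never lands in a script or repo; the
expiry date is the one the console displays when the token is generated.
"""
import os
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Optional

API_PATH = "/web/api/v2.1"      # assumption: SentinelOne API 2.1 base path
EXPIRY_WARN_DAYS = 14           # regenerate before this many days remain


def hostname_from_domain(domain: str) -> str:
    """u1234-s123.sentinelone.net -> u1234-s123, the value Hunters asks for."""
    host = domain.strip().lower()
    suffix = ".sentinelone.net"
    if not host.endswith(suffix) or host == suffix:
        raise ValueError(f"not a SentinelOne console domain: {domain!r}")
    return host[: -len(suffix)]


def build_request(hostname: str, endpoint: str, token: str) -> urllib.request.Request:
    """Create, but do not send, an authenticated GET for e.g. endpoint='threats'."""
    if not token:
        raise ValueError("empty API token; set S1_API_TOKEN")
    url = f"https://{hostname}.sentinelone.net{API_PATH}/{endpoint.lstrip('/')}"
    return urllib.request.Request(url, headers={"Authorization": f"ApiToken {token}"})


def _parse_ts(ts: str) -> datetime:
    """Parse ISO-8601 timestamps as SentinelOne emits them (trailing 'Z')."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def token_status(expires_at: str, now_iso: Optional[str] = None,
                 warn_days: int = EXPIRY_WARN_DAYS) -> str:
    """'ok', 'expiring' (within warn_days) or 'expired', relative to now_iso or the clock."""
    now = _parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    remaining = _parse_ts(expires_at) - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


if __name__ == "__main__":
    host = hostname_from_domain("u1234-s123.sentinelone.net")
    req = build_request(host, "threats", os.environ.get("S1_API_TOKEN", "<token-placeholder>"))
    print(req.full_url, token_status("2024-07-01T00:00:00Z"))
```

Run `token_status` from a scheduled job with the expiry date recorded at generation time; an `expiring` result is the cue to regenerate the token and update the Hunters connector before collection stops.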
Expected format
Logs are expected in JSON format.
SentinelOne Threats Schema
{
"agentDetectionInfo": {
"accountId": "String",
"accountName": "String",
"agentDetectionState": null,
"agentDomain": "String",
"agentIpV4": "String",
"agentIpV6": "",
"agentLastLoggedInUserName": "String",
"agentMitigationMode": "String",
"agentOsName": "String",
"agentOsRevision": "String",
"agentRegisteredAt": "2021-11-22T20:42:36.012930Z",
"agentUuid": "String",
"agentVersion": "String",
"externalIp": "String",
"groupId": "String",
"groupName": "String",
"siteId": "String",
"siteName": "String"
},
"agentRealtimeInfo": {
"accountId": "String",
"accountName": "String",
"activeThreats": 140,
"agentComputerName": "String",
"agentDecommissionedAt": null,
"agentDomain": "String",
"agentId": "String",
"agentInfected": true,
"agentIsActive": true,
"agentIsDecommissioned": false,
"agentMachineType": "String",
"agentMitigationMode": "String",
"agentNetworkStatus": "String",
"agentOsName": "String",
"agentOsRevision": "String",
"agentOsType": "String",
"agentUuid": "String",
"agentVersion": "String",
"groupId": "String",
"groupName": "String",
"networkInterfaces": [
{
"id": "String",
"inet": [
"String"
],
"inet6": [],
"name": "String",
"physical": "String"
}
],
"operationalState": "na",
"rebootRequired": false,
"scanAbortedAt": null,
"scanFinishedAt": "2021-11-22T23:03:33.321830Z",
"scanStartedAt": "2021-11-22T20:43:45.884845Z",
"scanStatus": "finished",
"siteId": "String",
"siteName": "String",
"storageName": null,
"storageType": null,
"userActionsNeeded": []
},
"containerInfo": {
"id": null,
"image": null,
"labels": null,
"name": null
},
"id": "String",
"indicators": [
{
"category": "String",
"description": "String",
"ids": [
Int
],
"tactics": [
{
"name": "String",
"source": "String",
"techniques": []
}
]
}
],
"kubernetesInfo": {
"cluster": null,
"controllerKind": null,
"controllerLabels": null,
"controllerName": null,
"namespace": null,
"namespaceLabels": null,
"node": null,
"pod": null,
"podLabels": null
},
"mitigationStatus": [],
"threatInfo": {
"analystVerdict": "String",
"analystVerdictDescription": "String",
"automaticallyResolved": false,
"browserType": null,
"certificateId": "",
"classification": "String",
"classificationSource": "String",
"cloudFilesHashVerdict": "String",
"collectionId": "String",
"confidenceLevel": "String",
"createdAt": "2021-12-12T23:00:07.386997Z",
"detectionEngines": [
{
"key": "String",
"title": "String"
}
],
"detectionType": "String",
"engines": [
"String"
],
"externalTicketExists": false,
"externalTicketId": null,
"failedActions": false,
"fileExtension": "String",
"fileExtensionType": "String",
"filePath": "String",
"fileSize": 833536,
"fileVerificationType": "String",
"identifiedAt": "2021-12-12T23:00:07.085000Z",
"incidentStatus": "String",
"incidentStatusDescription": "String",
"initiatedBy": "String",
"initiatedByDescription": "String",
"initiatingUserId": null,
"initiatingUsername": null,
"isFileless": false,
"isValidCertificate": false,
"maliciousProcessArguments": "String",
"md5": null,
"mitigatedPreemptively": false,
"mitigationStatus": "String",
"mitigationStatusDescription": "String",
"originatorProcess": "String",
"pendingActions": false,
"processUser": "String",
"publisherName": "",
"reachedEventsLimit": false,
"rebootRequired": false,
"sha1": "String",
"sha256": null,
"storyline": "String",
"threatId": "String",
"threatName": "String",
"updatedAt": "2021-12-12T23:00:07.383888Z"
},
"whiteningOptions": [
"String",
"String"
]
}
SentinelOne Agents Schema
{
"accountId": "String",
"accountName": "String",
"activeDirectory": {
"computerDistinguishedName": null,
"computerMemberOf": [],
"lastUserDistinguishedName": null,
"lastUserMemberOf": []
},
"activeThreats": 1,
"agentVersion": "String",
"allowRemoteShell": true,
"appsVulnerabilityStatus": "String",
"cloudProviders": {},
"computerName": "String",
"consoleMigrationStatus": "N/A",
"coreCount": 16,
"cpuCount": 16,
"cpuId": "String",
"createdAt": "2021-04-06T14:59:22.791311Z",
"detectionState": null,
"domain": "String",
"encryptedApplications": false,
"externalId": "",
"externalIp": "String",
"firewallEnabled": false,
"firstFullModeTime": null,
"groupId": "String",
"groupIp": "String",
"groupName": "String",
"id": "String",
"inRemoteShellSession": false,
"infected": true,
"installerType": "String",
"isActive": true,
"isDecommissioned": false,
"isPendingUninstall": false,
"isUninstalled": false,
"isUpToDate": true,
"lastActiveDate": "2021-12-13T15:30:53.053654Z",
"lastIpToMgmt": "String",
"lastLoggedInUserName": "String",
"licenseKey": "",
"locationEnabled": true,
"locationType": "String",
"locations": [
{
"id": "String",
"name": "String",
"scope": "String"
}
],
"machineType": "String",
"mitigationMode": "String",
"mitigationModeSuspicious": "String",
"modelName": "String",
"networkInterfaces": [
{
"gatewayIp": "String",
"gatewayMacAddress": "String",
"id": "String",
"inet": [
"String"
],
"inet6": [],
"name": "String",
"physical": "String"
}
],
"networkQuarantineEnabled": false,
"networkStatus": "connected",
"operationalState": "na",
"operationalStateExpiration": null,
"osArch": "String",
"osName": "String",
"osRevision": "String",
"osStartTime": "2021-12-09T12:25:11Z",
"osType": "String",
"osUsername": null,
"rangerStatus": "Enabled",
"rangerVersion": "String",
"registeredAt": "2021-04-06T14:59:22.787465Z",
"remoteProfilingState": "disabled",
"remoteProfilingStateExpiration": null,
"scanAbortedAt": "2021-04-06T15:00:55.635228Z",
"scanFinishedAt": "2021-04-06T15:31:20.877585Z",
"scanStartedAt": "2021-04-06T15:12:03.592336Z",
"scanStatus": "finished",
"siteId": "String",
"siteName": "Default site",
"storageName": null,
"storageType": null,
"threatRebootRequired": false,
"totalMemory": 65469,
"updatedAt": "2021-12-13T15:17:31.832317Z",
"userActionsNeeded": [],
"uuid": "String"
}
SentinelOne Raw Events V1 Schema
{
"@timestamp": 1648857182252,
"meta": {
"traceId": "String",
"accountId": "String",
"osFamily": "String",
"computerName": "String",
"agentVersion": "String",
"siteId": "String",
"osRevision": "String",
"osName": "String",
"uuid": "String",
"seqId": Int,
"machineType": "String",
"mgmtUrl": "String"
},
"event": {
"sha1": "String",
"path": "String",
"osSourceParent": {
"trueContext": {
"key": {
"value": "String"
}
},
"counters": {
"dnsLookups": Int,
"crossProcess": Int,
"fileModification": Int,
"netConnOut": Int,
"moduleLoad": Int,
"fileDeletion": Int,
"crossProcessDupThreadHandle": Int,
"registryModification": Int,
"osChildProcess": Int,
"modelChildProcess": Int,
"crossProcessOpenProcess": Int,
"fileCreation": Int,
"exeModification": Int,
"crossProcessOutOfGroup": Int,
"netConnIn": Int,
"crossProcessDupProcessHandle": Int,
"crossProcessRemoteThread": Int
},
"interactive": "String",
"subsystem": "String",
"sessionId": Int,
"executable": {
"owner": {
"name": "String",
"sid": "String"
},
"node": {
"key": {
"value": "String"
}
},
"path": "String",
"creationTime": {
"millisecondsSinceEpoch": "18446732429235951616"
},
"signature": {
"signed": {
"valid": {},
"identity": "String"
}
},
"hashes": {
"sha1": "String",
"sha256": "String",
"md5": "String"
},
"fileLocation": "String",
"isKernelModule": "String",
"isDir": "String",
"sizeBytes": "String"
},
"excluded": "String",
"node": {
"key": {
"value": "String"
}
},
"isRedirectedCommandProcessor": "String",
"root": "String",
"name": "String",
"fullPid": {
"pid": Int,
"startTime": {
"millisecondsSinceEpoch": "1648815760866"
}
},
"isWow64": "True",
"commandLine": "String",
"integrityLevel": "String",
"user": {
"name": "String",
"sid": "String"
}
},
"source": {
"parent": {
"parent": {
"excluded": "String",
"node": {
"key": {
"value": "String"
}
},
"isRedirectedCommandProcessor": "String",
"root": "String",
"interactive": "String",
"name": "String",
"subsystem": "String",
"fullPid": {
"pid": Int,
"startTime": {
"millisecondsSinceEpoch": "1648815760866"
}
},
"isWow64": "String",
"sessionId": Int,
"commandLine": "String",
"integrityLevel": "String"
},
"trueContext": {
"key": {
"value": "String"
}
},
"counters": {
"dnsLookups": Int,
"crossProcess": Int,
"fileModification": Int,
"netConnOut": Int,
"moduleLoad": Int,
"fileDeletion": Int,
"crossProcessDupThreadHandle": Int,
"registryModification": Int,
"osChildProcess": Int,
"modelChildProcess": Int,
"crossProcessOpenProcess": Int,
"fileCreation": Int,
"exeModification": Int,
"crossProcessOutOfGroup": Int,
"netConnIn": Int,
"crossProcessDupProcessHandle": Int,
"crossProcessRemoteThread": Int
},
"interactive": "String",
"subsystem": "String",
"sessionId": Int,
"executable": {
"owner": {
"name": "String",
"sid": "String"
},
"node": {
"key": {
"value": "String"
}
},
"path": "String",
"creationTime": {
"millisecondsSinceEpoch": "18446732429235951616"
},
"signature": {
"signed": {
"valid": {},
"identity": "String"
}
},
"hashes": {
"sha1": "String",
"sha256": "String",
"md5": "String"
},
"fileLocation": "String",
"isKernelModule": "String",
"isDir": "String",
"sizeBytes": "3000"
},
"excluded": "String",
"node": {
"key": {
"value": "String"
}
},
"isRedirectedCommandProcessor": "String",
"root": "String",
"name": "String",
"fullPid": {
"pid": Int,
"startTime": {
"millisecondsSinceEpoch": "1648857181656"
}
},
"isWow64": "String",
"commandLine": "String",
"integrityLevel": "String",
"user": {
"name": "String",
"sid": "String"
}
},
"trueContext": {
"key": {
"value": "String"
}
},
"counters": {
"dnsLookups": Int,
"crossProcess": Int,
"fileModification": Int,
"netConnOut": Int,
"moduleLoad": Int,
"fileDeletion": Int,
"crossProcessDupThreadHandle": Int,
"registryModification": Int,
"osChildProcess": Int,
"modelChildProcess": Int,
"crossProcessOpenProcess": Int,
"fileCreation": Int,
"exeModification": Int,
"crossProcessOutOfGroup": Int,
"netConnIn": Int,
"crossProcessDupProcessHandle": Int,
"crossProcessRemoteThread": Int
},
"interactive": "String",
"subsystem": "String",
"sessionId": Int,
"executable": {
"owner": {
"name": "String",
"sid": "String"
},
"node": {
"key": {
"value": "String"
}
},
"path": "String",
"creationTime": {
"millisecondsSinceEpoch": "18446732429235951616"
},
"signature": {
"signed": {
"valid": {},
"identity": "String"
}
},
"hashes": {
"sha1": "String",
"sha256": "String",
"md5": "String"
},
"fileLocation": "String",
"isKernelModule": "String",
"isDir": "String",
"sizeBytes": "97112"
},
"excluded": "String",
"node": {
"key": {
"value": "String"
}
},
"isRedirectedCommandProcessor": "String",
"root": "String",
"name": "String",
"fullPid": {
"pid": Int,
"startTime": {
"millisecondsSinceEpoch": "1648857182240"
}
},
"isWow64": "String",
"commandLine": "String",
"integrityLevel": "String",
"user": {
"name": "String",
"sid": "String"
}
},
"type": "String",
"md5": "String"
}
}
SentinelOne Raw Events V2 Schema
{
"tgt.process.displayName": "sh",
"src.process.parent.isStorylineRoot": false,
"event.category": "process",
"src.process.parent.image.sha1": "1231231231231231231231231231231231231234",
"site.id": "1234512345123451234",
"src.process.parent.displayName": "splunkd",
"tgt.process.storyline.id": "12341234-1234-1234-1234-123412341234",
"tgt.process.isNative64Bit": false,
"src.process.parent.subsystem": "SUBSYSTEM_UNKNOWN",
"src.process.user": "splunk",
"src.process.indicatorRansomwareCount": 0,
"src.process.crossProcessDupRemoteProcessHandleCount": 0,
"src.process.tgtFileCreationCount": 123456,
"src.process.indicatorInjectionCount": 0,
"src.process.moduleCount": 0,
"src.process.parent.name": "splunkd",
"i.version": "preprocess-lib-1.0",
"sca:atlantisIngestTime": 1670123451234,
"src.process.indicatorReconnaissanceCount": 0,
"src.process.storyline.id": "12341234-1234-1234-1234-123412341234",
"src.process.childProcCount": 256898,
"mgmt.url": "asdfg-123.asdf.net",
"tgt.process.subsystem": "SUBSYSTEM_UNKNOWN",
"src.process.crossProcessOpenProcessCount": 0,
"src.process.subsystem": "SUBSYSTEM_UNKNOWN",
"meta.event.name": "PROCESSCREATION",
"src.process.parent.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN",
"src.process.indicatorExploitationCount": 0,
"src.process.parent.storyline.id": "12341234-1234-1234-1234-123412341234",
"tgt.process.image.path": "/bin/sh",
"src.process.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN",
"i.scheme": "edr",
"tgt.process.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN",
"site.name": "Linux",
"src.process.netConnInCount": 0,
"event.time": 1670123451234,
"timestamp": "2022-12-13T00:00:00.000Z",
"account.id": "1234123412341231234",
"dataSource.name": "Asdf",
"endpoint.name": "splunk-splunk.splunk.splunk.com",
"src.process.image.sha1": "1231231231231231231231231231231231231234",
"src.process.isStorylineRoot": false,
"src.process.parent.image.path": "/opt/splunk/bin/splunkd",
"src.process.pid": 12345,
"tgt.file.isSigned": "unsigned",
"src.process.cmdline": " [splunkd pid=12345] splunkd --under-systemd --systemd-delegate=yes -p 8080 [process-runner]",
"sca:ingestTime": 1670123456,
"dataSource.category": "security",
"src.process.crossProcessThreadCreateCount": 0,
"src.process.parent.isNative64Bit": false,
"src.process.parent.isRedirectCmdProcessor": false,
"tgt.process.image.sha1": "1231231231231231231231231231231231231234",
"src.process.crossProcessCount": 0,
"src.process.signedStatus": "unsigned",
"event.id": "01234567890012345678900123456",
"src.process.parent.cmdline": " splunkd",
"src.process.image.path": "/opt/splunk/bin/splunkd",
"src.process.tgtFileModificationCount": 123456,
"src.process.indicatorEvasionCount": 0,
"src.process.netConnOutCount": 0,
"tgt.process.pid": 1234,
"src.process.crossProcessDupThreadHandleCount": 0,
"tgt.process.name": "sh",
"endpoint.os": "linux",
"src.process.tgtFileDeletionCount": 0,
"tgt.process.signedStatus": "unsigned",
"src.process.startTime": 1670123456789,
"mgmt.id": "12345",
"os.name": "Linux",
"tgt.process.cmdline": " /bin/sh",
"src.process.displayName": "splunkd",
"src.process.parent.sessionId": 0,
"src.process.isNative64Bit": false,
"src.process.uid": "12341234-1234-1234-1234-123412341234",
"src.process.indicatorBootConfigurationUpdateCount": 0,
"src.process.indicatorInfostealerCount": 0,
"process.unique.key": "12341234-1234-1234-1234-123412341234",
"tgt.process.uid": "12341234-1234-1234-1234-123412341234",
"tgt.process.isStorylineRoot": false,
"src.process.parent.uid": "12341234-1234-1234-1234-123412341234",
"agent.version": "1.2.3.4",
"src.process.sessionId": 0,
"src.process.netConnCount": 0,
"mgmt.osRevision": "CentOS",
"group.id": "12341234-1234-1234-1234-123412341234",
"tgt.process.startTime": 1670123456789,
"src.process.isRedirectCmdProcessor": false,
"src.process.parent.startTime": 1670123456789,
"src.process.dnsCount": 0,
"endpoint.type": "server",
"trace.id": "0123456789123412344324",
"src.process.name": "splunkd",
"agent.uuid": "12341234-1234-1234-1234-123412341234",
"tgt.process.user": "splunk",
"src.process.indicatorGeneralCount": 0,
"src.process.crossProcessOutOfStorylineCount": 0,
"src.process.registryChangeCount": 0,
"tgt.process.sessionId": 0,
"src.process.indicatorPersistenceCount": 0,
"src.process.parent.signedStatus": "unsigned",
"src.process.parent.user": "splunk",
"tgt.process.isRedirectCmdProcessor": false,
"event.type": "Process Creation",
"src.process.indicatorPostExploitationCount": 0,
"src.process.parent.pid": 12345
}
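The V2 schema is flat, with dotted keys, so reconstructing a process tree means joining `src.process.uid` to `tgt.process.uid` across PROCESSCREATION events. The block below is an added example, not code from the Hunters page or from SentinelOne: it rebuilds parent-child lineage from such records, walks the ancestry of one process, and lists shells started by non-shell parents as a simple triage aid. The sample events are constructed to mirror the page's splunkd -> sh record and carry only the keys used here; the `SHELLS` set is an assumption.

```python
"""Rebuild process lineage from SentinelOne Raw Events (Cloud Funnel V2).

Added example; it is not part of the Hunters page or of SentinelOne's tooling.
It consumes the flat, dot-named keys shown in the V2 schema and uses only
PROCESSCREATION events: each links src.process.uid (the parent) to
tgt.process.uid (the child). The sample events are constructed, not real telemetry.
"""
from typing import Dict, List, Tuple

# Constructed records, one dict per NDJSON line; only the keys used below are filled in.
SAMPLE_EVENTS = [
    {"meta.event.name": "PROCESSCREATION", "src.process.storyline.id": "sl-1",
     "src.process.uid": "u-systemd", "src.process.name": "systemd",
     "tgt.process.uid": "u-splunkd", "tgt.process.name": "splunkd",
     "tgt.process.image.path": "/opt/splunk/bin/splunkd", "tgt.process.cmdline": " splunkd"},
    {"meta.event.name": "PROCESSCREATION", "src.process.storyline.id": "sl-1",
     "src.process.uid": "u-splunkd", "src.process.name": "splunkd",
     "tgt.process.uid": "u-sh", "tgt.process.name": "sh",
     "tgt.process.image.path": "/bin/sh", "tgt.process.cmdline": " /bin/sh"},
    {"meta.event.name": "PROCESSCREATION", "src.process.storyline.id": "sl-1",
     "src.process.uid": "u-sh", "src.process.name": "sh",
     "tgt.process.uid": "u-cat", "tgt.process.name": "cat",
     "tgt.process.image.path": "/bin/cat", "tgt.process.cmdline": " cat /etc/hostname"},
    # A non-creation event in the same storyline; lineage code must ignore it.
    {"meta.event.name": "FILEMODIFICATION", "src.process.storyline.id": "sl-1",
     "src.process.uid": "u-splunkd", "src.process.name": "splunkd"},
]

SHELLS = {"sh", "bash", "dash", "zsh"}  # assumption: the shell names of interest


def build_lineage(events: List[dict]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (parent_of, name_of) maps keyed by process uid, from PROCESSCREATION events."""
    parent_of: Dict[str, str] = {}
    name_of: Dict[str, str] = {}
    for ev in events:
        if ev.get("meta.event.name") != "PROCESSCREATION":
            continue
        src, tgt = ev["src.process.uid"], ev["tgt.process.uid"]
        parent_of[tgt] = src
        name_of.setdefault(src, ev["src.process.name"])
        name_of[tgt] = ev["tgt.process.name"]
    return parent_of, name_of


def ancestry(events: List[dict], uid: str) -> List[str]:
    """Process names from the storyline root down to `uid`; [] if uid is unknown."""
    parent_of, name_of = build_lineage(events)
    chain: List[str] = []
    seen = set()
    while uid in name_of and uid not in seen:   # `seen` guards against cyclic data
        seen.add(uid)
        chain.append(name_of[uid])
        uid = parent_of.get(uid, "")
    return list(reversed(chain))


def shell_spawns(events: List[dict]) -> List[Tuple[str, str, str]]:
    """(parent name, child name, child cmdline) for every shell started by a non-shell parent."""
    hits = []
    for ev in events:
        if ev.get("meta.event.name") != "PROCESSCREATION":
            continue
        child, parent = ev["tgt.process.name"], ev["src.process.name"]
        if child in SHELLS and parent not in SHELLS:
            hits.append((parent, child, ev.get("tgt.process.cmdline", "").strip()))
    return hits


if __name__ == "__main__":
    print(ancestry(SAMPLE_EVENTS, "u-cat"))
    print(shell_spawns(SAMPLE_EVENTS))
```

The same join works on a whole day of `sentinelone_raw_events` rows once they are grouped by `src.process.storyline.id`, which keeps each lineage walk inside one storyline.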
SentinelOne Custom Rule Alerts Schema
{
"agentDetectionInfo": {
"accountId": "123",
"machineType": "server",
"name": "12331",
"osFamily": "windows",
"osName": "Windows Server 2008 R2 Standard",
"osRevision": "7601 SP1",
"siteId": "142124",
"uuid": "ddaee07585344c369100a97cf33ba6f5",
"version": "4.6.11.191"
},
"agentRealtimeInfo": {
"id": "1520045665412642457",
"infected": false,
"isActive": true,
"isDecommissioned": false,
"machineType": "server",
"name": "124",
"os": "windows",
"uuid": "ddaee07585344c369100a97cf33ba6f5"
},
"alertInfo": {
"alertId": "1860181617018868498",
"analystVerdict": "Undefined",
"createdAt": "2024-01-11T13:28:28.184000Z",
"dnsRequest": null,
"dnsResponse": null,
"dstIp": null,
"dstPort": null,
"dvEventId": "2CECC1F68C3145829B98B745138DE7BB_6",
"eventType": "PROCESSCREATION",
"hitType": "Events",
"incidentStatus": "Unresolved",
"indicatorCategory": null,
"indicatorDescription": null,
"indicatorName": null,
"isEdr": true,
"loginAccountDomain": null,
"loginAccountSid": null,
"loginIsAdministratorEquivalent": null,
"loginIsSuccessful": null,
"loginsUserName": null,
"loginType": null,
"modulePath": null,
"moduleSha1": null,
"netEventDirection": null,
"registryKeyPath": null,
"registryOldValue": null,
"registryOldValueType": null,
"registryPath": null,
"registryValue": null,
"reportedAt": "2024-01-11T13:28:48.999766Z",
"source": "STAR",
"srcIp": null,
"srcMachineIp": null,
"srcPort": null,
"tiIndicatorComparisonMethod": null,
"tiIndicatorSource": null,
"tiIndicatorType": null,
"tiIndicatorValue": null,
"updatedAt": "2024-01-11T13:28:48.999766Z"
},
"containerInfo": {
"id": null,
"image": null,
"labels": null,
"name": null
},
"kubernetesInfo": {
"cluster": null,
"controllerKind": null,
"controllerLabels": null,
"controllerName": null,
"namespace": null,
"namespaceLabels": null,
"node": null,
"pod": null,
"podLabels": null
},
"ruleInfo": {
"description": "Ruleasdas",
"id": "1670429568698766898",
"name": "Ruleasdas",
"queryLang": "1.0",
"queryType": "events",
"s1ql": "( SQLSQL )",
"scopeLevel": "global",
"severity": "Medium",
"treatAsThreat": "Suspicious"
},
"sourceParentProcessInfo": {
"commandline": "C:\\Windows\\system32\\svchost.exe -k netsvcs",
"effectiveUser": null,
"fileHashMd5": null,
"fileHashSha1": null,
"fileHashSha256": null,
"filePath": "C:\\Windows\\system32\\svchost.exe",
"fileSignerIdentity": "MICROSOFT WINDOWS",
"integrityLevel": "system",
"loginUser": null,
"name": "svchost.exe",
"pid": "924",
"pidStarttime": "2023-10-18T22:11:06.096000Z",
"realUser": null,
"storyline": "123123213123",
"subsystem": "sys_win32",
"uniqueId": "asdasdasd",
"user": "NT AUTHORITY\\SYSTEM"
},
"sourceProcessInfo": {
"commandline": "taskeng.asd:Service:",
"effectiveUser": null,
"fileHashMd5": "asdasd",
"fileHashSha1": "asdasd",
"fileHashSha256": "asdasd",
"filePath": "C:\\Windows\\system32\\taskeng.exe",
"fileSignerIdentity": "MICROSOFT WINDOWS",
"integrityLevel": "system",
"loginUser": null,
"name": "taskeng.exe",
"pid": "5116",
"pidStarttime": "2024-01-11T12:30:00.002000Z",
"realUser": null,
"storyline": "91208D7C233580F3",
"subsystem": "sys_win32",
"uniqueId": "asdsad",
"user": "NT AUTHORITY\\SYSTEM"
},
"targetProcessInfo": {
"tgtFileCreatedAt": "1970-01-01T00:00:00Z",
"tgtFileHashSha1": null,
"tgtFileHashSha256": null,
"tgtFileId": null,
"tgtFileIsSigned": "signed",
"tgtFileModifiedAt": "1970-01-01T00:00:00Z",
"tgtFileOldPath": null,
"tgtFilePath": null,
"tgtProcCmdLine": "sadasdsadas",
"tgtProcessStartTime": "2024-01-11T12:30:00.174000Z",
"tgtProcImagePath": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
"tgtProcIntegrityLevel": "system",
"tgtProcName": "powershell.exe",
"tgtProcPid": "5484",
"tgtProcSignedStatus": "signed",
"tgtProcStorylineId": "26729186740863C9",
"tgtProcUid": "331E3E6937ED7B3F"
}
}
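Threats and Custom Rule Alerts describe similar situations with different field names, so a triage queue that spans both has to normalize them first. The block below is an added example, not code from the Hunters page or from Hunters/SentinelOne: it maps a Threats record and a Custom Rule Alerts record (field names from the two schemas above) onto one triage shape and keeps only the items that still need an analyst. The sample records are constructed with placeholder values and carry only the fields used; the `mitigationStatus`, `incidentStatus` and `analystVerdict` value vocabularies are assumptions and are compared case-insensitively.

```python
"""Normalize SentinelOne Threats and Custom Rule Alerts into one triage record.

Added example; it is not part of the Hunters page or of Hunters/SentinelOne
code. Field names follow the Threats and Custom Rule Alerts schemas; sample
records are constructed. Assumed value vocabularies: mitigationStatus in
{'mitigated', 'not_mitigated', 'marked_as_benign'}, incidentStatus 'unresolved'
and analystVerdict 'undefined' for items nobody has looked at yet.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Triage:
    source: str              # "threat" or "custom_rule"
    record_id: str
    endpoint: str
    created_at: str
    title: str
    severity_hint: str       # confidenceLevel for threats, rule severity for alerts
    verdict: str
    status: str
    mitigated: bool
    sha1: Optional[str]
    path: Optional[str]
    storyline: Optional[str]


CLOSED_MITIGATION = {"mitigated", "marked_as_benign"}   # assumption, see docstring


def from_threat(rec: dict) -> Triage:
    ti, rt = rec["threatInfo"], rec["agentRealtimeInfo"]
    return Triage(
        source="threat", record_id=ti["threatId"], endpoint=rt["agentComputerName"],
        created_at=ti["createdAt"], title=ti["threatName"],
        severity_hint=ti["confidenceLevel"], verdict=ti["analystVerdict"],
        status=ti["incidentStatus"],
        mitigated=ti["mitigationStatus"].lower() in CLOSED_MITIGATION,
        sha1=ti.get("sha1"), path=ti.get("filePath"), storyline=ti.get("storyline"))


def from_custom_rule_alert(rec: dict) -> Triage:
    ai, ri, tp = rec["alertInfo"], rec["ruleInfo"], rec["targetProcessInfo"]
    return Triage(
        source="custom_rule", record_id=ai["alertId"],
        endpoint=rec["agentRealtimeInfo"]["name"], created_at=ai["createdAt"],
        title=ri["name"], severity_hint=ri["severity"], verdict=ai["analystVerdict"],
        status=ai["incidentStatus"],
        mitigated=False,   # alertInfo carries no mitigation status field; treat as open
        sha1=tp.get("tgtFileHashSha1"), path=tp.get("tgtProcImagePath"),
        storyline=tp.get("tgtProcStorylineId"))


def needs_analyst(t: Triage) -> bool:
    """Still needs a human: unresolved and either no verdict yet or not mitigated."""
    unresolved = t.status.lower() == "unresolved"
    no_verdict = t.verdict.lower() in {"undefined", "", "none"}
    return unresolved and (no_verdict or not t.mitigated)


def triage_queue(threats: List[dict], alerts: List[dict]) -> List[Triage]:
    """Open items across both feeds, newest first (ISO timestamps sort lexically)."""
    items = [from_threat(r) for r in threats] + [from_custom_rule_alert(r) for r in alerts]
    return sorted((t for t in items if needs_analyst(t)), key=lambda t: t.created_at, reverse=True)


# Constructed samples shaped like the schemas above (placeholder values).
THREAT_OPEN = {
    "agentRealtimeInfo": {"agentComputerName": "host-a"},
    "threatInfo": {"threatId": "t-1", "createdAt": "2021-12-12T23:00:07.386997Z",
                   "threatName": "sample.bin", "confidenceLevel": "malicious",
                   "analystVerdict": "undefined", "incidentStatus": "unresolved",
                   "mitigationStatus": "not_mitigated", "sha1": "0" * 40,
                   "filePath": "/tmp/sample.bin", "storyline": "s-1"},
}
THREAT_CLOSED = {
    "agentRealtimeInfo": {"agentComputerName": "host-b"},
    "threatInfo": {"threatId": "t-2", "createdAt": "2021-12-13T01:00:00.000000Z",
                   "threatName": "other.bin", "confidenceLevel": "suspicious",
                   "analystVerdict": "false_positive", "incidentStatus": "resolved",
                   "mitigationStatus": "marked_as_benign", "sha1": "1" * 40,
                   "filePath": "/tmp/other.bin", "storyline": "s-2"},
}
ALERT_OPEN = {
    "agentRealtimeInfo": {"name": "host-c"},
    "alertInfo": {"alertId": "a-1", "createdAt": "2024-01-11T13:28:28.184000Z",
                  "analystVerdict": "Undefined", "incidentStatus": "Unresolved"},
    "ruleInfo": {"name": "Ruleasdas", "severity": "Medium"},
    "targetProcessInfo": {"tgtFileHashSha1": None,
                          "tgtProcImagePath": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
                          "tgtProcStorylineId": "26729186740863C9"},
}

if __name__ == "__main__":
    for t in triage_queue([THREAT_OPEN, THREAT_CLOSED], [ALERT_OPEN]):
        print(t.source, t.record_id, t.endpoint, t.title, t.created_at)
```

The `storyline` field is kept on both shapes deliberately: it is the join key back into `sentinelone_raw_events` when an analyst wants the full process context behind a threat or alert.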