[Defend Workflow][Question]How to generate Data to test Analyzer for Sentinelone alert.

[sukhwindersingh-qasource]

Describe the bug: [Question]How to generate Data to test Analyzer for Sentinelone alert.

Build Details:

VERSION: 8.13.0 BC2
BUILD: 71815
COMMIT: c2fc8da128504d437897970d142efd4d06970c0b

Preconditions

• Kibana should be running.
• We have added the SentinelOne Intergration in an policy
• We have also added the SentinelOne Cloud Funnel in the same policy
• Installed the agent.
• We have generated the malware alert for the same by creating a rule with below configuration,

Steps to Reproduce

• Navigate to Alerts tab
• Click on the analyzer of the alert generated by the above rule

Screen-Cast

https://github.com/elastic/kibana/assets/108654988/0d12ad20-de4c-4eca-9fe0-237da3cf7c85

Query

• So could you please let us know that how to create a rule to test Analyzer for Sentinelone alert.
  • what index pattern we have to use ?
  • what query we have to use ?
• Will the malware alert we triggered not have the required analyzer? Since the event category is 'malware,' whereas an event category of 'process' is necessary for the analyzer.

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[elasticmachine]

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

[muskangulati-qasource]

Reviewed and assigned to @dasansol92

[dasansol92]

@tomsonpl could you help on these queries? Thanks!

[tomsonpl]

@sukhwindersingh-qasource hey, I haven't specified any strict query... but some tips that can help you are:

• can you try loosing the index to logs-sentinel* ? and skip the observer.serial_number?
• run nslookup amazon.com on the virtual machine with s1 agent. that will create the malware
• try to look for the PAST data in the timelines instead of the alerts

Hope this helps, feel free to reach out to me, we can try doing it together 👍

[sukhwindersingh-qasource]

Hi @tomsonpl, Thank you for your assistance. As we discussed on Slack, changes were made to the SentinelOne Cloud Funnel. The bucket name was updated to - name: sentinel_one. Following these changes, we are now able to test the analyzer for SentinelOne alerts.

Below are the observations :

https://github.com/elastic/kibana/assets/108654988/ddca536c-f115-46bb-99c4-f4a48d9a5d94

Hence we are closing this ticket. Thanks !