SentinelOne parser function version 1.0.1 fails #11677

Closed
q0njg3m1 opened this issue Jan 17, 2025 · 13 comments
Comments

@q0njg3m1

Describe the bug
The SentinelOne parser function version 1.0.1 fails with the following error: "'extend' operator: Failed to resolve scalar expression named 'Data'".

@v-sudkharat
Contributor

Hi @q0njg3m1, thanks for flagging this issue; we will investigate and get back to you with updates. Thanks!

@v-sudkharat
Contributor

@q0njg3m1, could you please let us know which solution version you're using?

@q0njg3m1
Author

SentinelOne version 3.0.3. I just noticed that update 3.0.4 is available. I'll update it now and let you know if that fixes the issue. Thanks!

@q0njg3m1
Author

It fails to update from the existing 3.0.3 to 3.0.4 with the following error:
Deployment template validation failed: 'The resource 'Microsoft.OperationalInsights/workspaces/law_name_here/providers/Microsoft.SecurityInsights/metadata/DataConnector-SentinelOne' at line '2040' and column '9' is defined multiple times in a template. Please see https://aka.ms/arm-syntax-resources for usage details.'

@v-sudkharat
Contributor

@q0njg3m1, our team has fixed the issue with the 3.0.4 solution deployment; it will become available in the next few days, so just update the solution and then check the parser.
Meanwhile, could you please share the SentinelOne logs with us at the mail ID below so we can check for the missing column? Based on the parser error, it looks like the data is missing, and because of that the parser could not get the required fields to run.
Mail ID - [email protected]
Thanks!

@q0njg3m1
Author

Hi @v-sudkharat,

I'll share some sample logs in a few minutes. As you'll see from the logs there is no column named "Data" in the SentinelOne_CL table. All the columns that start with the letters "D" or "d" are: DataFields_s (string), description_s (string), detectionState_s (string), domain_s (string). Also here is a screenshot:

Image

Thanks!

@v-sudkharat
Contributor

@q0njg3m1, Thanks for sharing it, will check on it and get back to you.

@v-sudkharat
Contributor

Hi @q0njg3m1, have you configured the data connector below too, and are you receiving the logs into the respective tables?

Image

The column named Data is part of the SentinelOneActivities_CL table, which may not be available in your workspace; that is what causes the parser failure.

Image

Once your SentinelOne (Preview) data connector is configured, please re-run the parser and let us know if it still has issues.

Many Thanks!

@q0njg3m1
Author

Hi @v-sudkharat,

No, we are still using the old SentinelOne data connector: SentinelOne (using Azure Functions).

We only have a single SentinelOne Custom Logs (CL) table in the workspace, SentinelOne_CL, and this is where the SentinelOne events are currently stored.
So I'm guessing the new SentinelOne data connector (SentinelOne (Preview)) uses these new tables instead of the old table.

Also it says in the new data connector description: "The data connector is built on Microsoft Sentinel Codeless Connector Platform.".
The old one was using Function Apps (Azure Functions) to pull the logs.
We have two SentinelOne consoles we are ingesting the logs from into a single workspace.
So we are using two function apps, one for each console.
How can we pull the logs from two SentinelOne consoles in a single workspace using the new Codeless Connector Platform data connector?

Image

Thanks!

@v-sudkharat
Contributor

@q0njg3m1, got it; SentinelOneActivities_CL not having a schema defined in the workspace is causing that issue.
Please try the workaround below:

  1. Go to your solution:

Image

  2. Open the SentinelOne (Preview) connector:

Image

  3. Without adding any values or credentials, click the Connect button:

Image

  4. After clicking it, it shows the error below:

Image

  5. Now go to the parser and click on Load the function code:

Image

  6. Check what the output is. For us we get no results, as we don't have the data in our environment:

Image

After step 6, if you are still getting any error with the parser, kindly share that error message with us; we will check it with the concerned team and, if required, set up a meeting.

Thanks!
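The root cause discussed above is that the parser does an `extend` on the `Data` column of `SentinelOneActivities_CL`, and that reference cannot be resolved until the SentinelOne (Preview) connector has created the table schema in the workspace. The same failure mode can be absorbed inside the KQL itself. The following is an added example, not the solution's own parser function: it wraps the table reference in `union isfuzzy=true` with an empty `datatable` leg so the query still resolves when the table is absent, and uses `column_ifexists` so a table that exists without the `Data` column does not fail the `extend`. The assumption that `Data` and `DataFields_s` hold JSON strings, and the output column names (`Source`, `EventData`, `ParsedData`, `Description`), are chosen for illustration; `description_s` and `DataFields_s` are the legacy-table columns named earlier in this thread.

```kql
// Added example (not the solution's own parser): a parser body that resolves in a
// workspace where SentinelOneActivities_CL has no schema yet, or exists without Data.
// Assumption for illustration: Data and DataFields_s carry a JSON string.
//
// Leg 1: the Codeless Connector Platform table. The empty datatable leg guarantees
// that at least one source resolves, so union isfuzzy=true does not fail when the
// real table is missing; column_ifexists covers a table that exists but has no
// Data column yet (this is the "Failed to resolve scalar expression named 'Data'" case).
let S1ActivitiesParsed = union isfuzzy=true
    (datatable(TimeGenerated:datetime, Data:string)[]),
    (SentinelOneActivities_CL
     | extend Data = column_ifexists("Data", ""))
    | where isnotempty(Data)
    | extend ParsedData = parse_json(Data)
    | project TimeGenerated,
              Source = "SentinelOneActivities_CL",
              EventData = Data,
              ParsedData;
// Leg 2: the legacy Azure Functions table, guarded the same way so the function
// still works if that table is later removed or its columns change.
let S1LegacyParsed = SentinelOne_CL
    | extend DataFields = column_ifexists("DataFields_s", ""),
             Description = column_ifexists("description_s", "")
    | project TimeGenerated,
              Source = "SentinelOne_CL",
              EventData = DataFields,
              ParsedData = parse_json(DataFields),
              Description;
// Combine both legs; isfuzzy again so a workspace with only one of the two tables
// (as in this thread, which has only SentinelOne_CL) still returns rows.
union isfuzzy=true S1ActivitiesParsed, S1LegacyParsed
| order by TimeGenerated desc
```

To confirm which case you are in before editing a parser, run `SentinelOneActivities_CL | getschema` in the workspace: a "failed to resolve table" error means the table is absent, while a schema listing without a `Data` row means the table exists but the column does not. Be aware that a fuzzy union hides a missing source behind a query warning rather than an error, so a connector that silently stops creating the table will no longer surface as a parser failure; keep a separate health check on the table's ingestion.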

@q0njg3m1
Author

Hi @v-sudkharat,

That did the trick!

Image

Image

Thank you for your help!

@v-sudkharat
Contributor

@q0njg3m1, Great. So, can we close this issue?

@q0njg3m1
Author

Yes sir! Thanks again for your help!
