marcredhat-siem-toolkit-pat…/tools/stormshield-verify/config.example.json
marc d6d0faf218 Add Stormshield ingest verifier
End-to-end regression test for the SDL Stormshield parser:
- test.py        single upload + 150s polling verifier
- send_burst.py  4 varied events (different users, IPs, actions) with current timestamps
- verify_query.py  query last 15 min of stormshield events
- run_and_verify.sh  burst + 40s wait + verify
- config.example.json  template (config.json is gitignored)
- README.md     setup, run, behaviour-quirks docs

Use against a real SDL tenant after deploying parsers/stormshield. Confirms
parser='stormshield', dataSource.name='Stormshield', and the 5 OCSF rewrites
(src_endpoint.ip/port, dst_endpoint.ip/port, actor.user.name).
2026-05-22 17:06:08 +02:00

13 lines
894 B
JSON

{
"_comment": "Copy to config.json (gitignored) and fill in your SDL keys. Generate them in the SentinelOne console under Singularity Data Lake -> API Keys. log_write_key needs 'Log Write Access'. log_read_key needs 'Log Read Access'. config_read_key needs 'Configuration Read'. config_write_key needs 'Configuration Write'. console_api_token is a regular console user/service-user API token; it works for query and config methods but NOT for uploadLogs (uploadLogs requires a real Log Write key).",
"base_url": "https://xdr.us1.sentinelone.net/",
"log_write_key": "REPLACE_WITH_LOG_WRITE_KEY",
"log_read_key": "REPLACE_WITH_LOG_READ_KEY",
"config_read_key": "REPLACE_WITH_CONFIG_READ_KEY",
"config_write_key": "REPLACE_WITH_CONFIG_WRITE_KEY",
"console_api_token": "REPLACE_WITH_CONSOLE_API_TOKEN_OR_LEAVE_EMPTY",
"s1_scope": "",
"verify_tls": true,
"timeout_seconds": 30
}
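As an added example (not part of this commit or the toolkit's own code), a small Python loader that picks the credential to send for each kind of call and reports unfilled placeholders before anything is uploaded. It enforces the rule stated in the template's _comment (console_api_token works for query and config calls, never for uploadLogs); the operation labels and the sample config dict are my own constructions, not SDL method names.

```python
import json
from pathlib import Path

PLACEHOLDER_PREFIX = "REPLACE_WITH_"

# Operation kinds (my own labels, not SDL method names) -> (config field that
# holds the dedicated key, whether console_api_token may stand in for it).
# The template's _comment says the console token works for query and config
# calls but never for uploadLogs, which needs a real Log Write key.
OPERATIONS = {
    "upload":       ("log_write_key", False),
    "query":        ("log_read_key", True),
    "config_read":  ("config_read_key", True),
    "config_write": ("config_write_key", True),
}

# Constructed sample, not a real tenant config: write key still a placeholder,
# write-config key left empty, a console token present.
SAMPLE_CONFIG = {
    "base_url": "https://xdr.us1.sentinelone.net/",
    "log_write_key": "REPLACE_WITH_LOG_WRITE_KEY",
    "log_read_key": "REPLACE_WITH_LOG_READ_KEY",
    "config_read_key": "crk-constructed",
    "config_write_key": "",
    "console_api_token": "tok-constructed",
    "verify_tls": True,
}

def is_placeholder(value):
    """Unfilled template values are empty or still start with REPLACE_WITH_."""
    return not value or value.startswith(PLACEHOLDER_PREFIX)

def load_config(path):
    return json.loads(Path(path).read_text(encoding="utf-8"))

def credential_for(cfg, operation):
    """Return (secret, field_name) for `operation`: the dedicated key if filled
    in, else console_api_token where the _comment allows it, else raise."""
    field, token_ok = OPERATIONS[operation]
    if not is_placeholder(cfg.get(field, "")):
        return cfg[field], field
    token = cfg.get("console_api_token", "")
    if token_ok and not is_placeholder(token):
        return token, "console_api_token"
    hint = "" if token_ok else " (console_api_token cannot upload)"
    raise ValueError(f"{operation}: fill in {field} in config.json{hint}")

def check_config(cfg):
    """List everything that would make the burst/verify run fail up front."""
    problems = []
    for op in OPERATIONS:
        try:
            credential_for(cfg, op)
        except ValueError as exc:
            problems.append(str(exc))
    if not cfg.get("base_url", "").startswith("https://"):
        problems.append("base_url must be https")
    if cfg.get("verify_tls") is not True:
        problems.append("verify_tls is off: the tenant certificate is not checked")
    return problems

if __name__ == "__main__":
    for p in check_config(SAMPLE_CONFIG):
        print("config:", p)
```

Run it against a real config.json with `check_config(load_config("config.json"))`; with the sample it reports only that uploads need a real log_write_key.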