{"id":37481889,"url":"https://github.com/sentinel-one/ai-siem","last_synced_at":"2026-04-27T04:00:45.742Z","repository":{"id":314821010,"uuid":"1040431714","full_name":"Sentinel-One/ai-siem","owner":"Sentinel-One","description":"A community‑driven, SentinelOne‑assisted library of parsers, dashboards, detections \u0026 response playbooks that supercharge the Singularity Platform.","archived":false,"fork":false,"pushed_at":"2026-04-22T15:23:36.000Z","size":10707,"stargazers_count":47,"open_issues_count":4,"forks_count":26,"subscribers_count":7,"default_branch":"main","last_synced_at":"2026-04-22T17:39:49.088Z","etag":null,"topics":["aisiem","security","sentinelone"],"latest_commit_sha":null,"homepage":"https://sentinelone.com","language":"Lua","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Sentinel-One.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS.md","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-08-19T01:13:04.000Z","updated_at":"2026-04-22T15:23:19.000Z","dependencies_parsed_at":"2025-09-15T02:38:14.855Z","dependency_job_id":"90c39f8b-082d-41b6-b196-ed16560eff81","html_url":"https://github.com/Sentinel-One/ai-siem","commit_stats":null,"previous_names":["sentinel-one/ai-siem"],"tags_count":31,"template":false,"template_full_name":null,"purl":"pkg:github/Sentinel-One/ai-siem","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sentinel-One%2Fai-siem","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/re
positories/Sentinel-One%2Fai-siem/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sentinel-One%2Fai-siem/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sentinel-One%2Fai-siem/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Sentinel-One","download_url":"https://codeload.github.com/Sentinel-One/ai-siem/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sentinel-One%2Fai-siem/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32321940,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-26T23:26:28.701Z","status":"online","status_checked_at":"2026-04-27T02:00:06.769Z","response_time":128,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aisiem","security","sentinelone"],"created_at":"2026-01-16T07:27:51.592Z","updated_at":"2026-04-27T04:00:45.734Z","avatar_url":"https://github.com/Sentinel-One.png","language":"Lua","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AI-SIEM Repository – A SentinelOne GitHub Forge Project\n\n\u003e A community‑driven, SentinelOne‑assisted library of **parsers, dashboards, detections \u0026 response playbooks** that supercharge the Singularity Platform.\n\n---\n\n## Important Note \n\nSentinel-One AI-SIEM repository is a community-driven, open source project designed to streamline the deployment 
and use of SentinelOne's AI SIEM. While not a formal SentinelOne product, the Sentinel-One AI-SIEM repository is maintained by SentinelOne and supported in partnership with the open source developer community.\n\n## Why this repository exists  \n* Unite scattered content and eliminate “hunt‑the‑snippet” time for engineers and customers.  \n* Enforce automated quality gates so every artifact is production‑ready.  \n* Foster an open ecosystem where field teams, partners, and customers co‑create knowledge objects.\n\n---\n\n## Repository layout\n```\nai-siem/                # AI SIEM core structure (260+ components)\n  ├── dashboards/      # Visualizations (79 dashboards with metadata)\n  │   └── community/   # Community-contributed dashboards\n  ├── detections/      # Detection rules (8 detections with metadata)\n  │   └── community/   # Community-contributed detection rules\n  ├── monitors/        # Python monitoring scripts for Dataset Agent (log_gen, maxmind, powerquery)\n  ├── pipelines/       # Observo pipeline templates\n  │   ├── push/        # Vendor pushes to us (syslog/CEF/LEEF/KV or direct HEC)\n  │   │   ├── syslog/\u003cvendor\u003e/\u003cproduct\u003e/\n  │   │   └── hec/\u003cvendor\u003e/\u003cproduct\u003e/\n  │   ├── pull/        # We fetch from the vendor (REST API or object store)\n  │   │   ├── api/\u003cvendor\u003e/\u003cproduct\u003e/\n  │   │   └── object_store/\u003cvendor\u003e/\u003cproduct\u003e/\n  │   └── community/\n  │       └── transform_ocsf/\u003cvendor\u003e/\u003cproduct\u003e/  # OCSF normalization overlays\n  ├── parsers/         # Parsing logic and configurations (165 parsers)\n  │   ├── community/   # 148 community parsers (*.conf + metadata)\n  │   └── sentinelone/ # 17 official marketplace parsers (*.conf + metadata)\n  └── workflows/       # Automated playbooks and responses (3 workflows with metadata)\n```\n\n---\n\n## Quick start\n1. **Clone** the repo and select the folder that matches your use‑case.  \n2. 
**Import** dashboards (`*.conf`) or rules (`*.conf`) into your Singularity console.  \n3. **Choose** between community parsers or official SentinelOne marketplace parsers.  \n4. **Deploy** parsers using the included metadata.yaml for proper configuration.  \n5. *(Optional)* run `make install` or `make validate` to lint and prep local changes.\n\n\n---\n\n## Contribution guide\n1. Fork the repo and create a feature branch.  \n2. Name files `vendor-usecase-vX.Y.\u003cext\u003e` (e.g., `zscaler_http_access-v1.0.s1ql`) and add a matching `metadata.yaml`.  \n3. Include or update sample logs under `tests/fixtures`.  \n4. Open a Pull Request – CI will run secret scanning and CodeQL.  \n5. At least one owner review is required before merge.\n\n\n---\n\n## Automation \u0026 quality gates\n| Stage        | What it does                                                                        |\n|--------------|-------------------------------------------------------------------------------------|\n| Security     | Secret scanning \u0026 CodeQL                                                            |\n| Release      | Semantic‑release tags `vX.Y.Z` and publishes artifacts to GitHub Releases \u0026 S3      |\n\n---\n\n## Community recognition\nQuarterly awards for **Top Contributor**, **Most Interesting Use‑Case**, and **Best Dashboard** keep momentum high. All merged PRs count toward the public leaderboard—watch the PartnerOne newsletter for shout‑outs!\n\n---\n\n## Roadmap \u0026 KPIs\n* **MVP v1.0** public launch at OneCon.  \n* ≥ 200 GitHub ⭐ stars, 30 external PRs, and 40 % tenant adoption within the first 12 months.  \n* Continuous sprint cadence with KPI reviews every quarter.\n\n---\n\n## License\nReleased under the **GNU Affero General Public License v3.0 (AGPL-3.0)** – modified versions must be released under the same license, including when the modified software is only offered to users over a network (the AGPL's network-use clause). 
See the [LICENSE](LICENSE) file for details.\n\n---\n\n## Monitors Installation Guide\n\n### Dataset Agent Integration\nThe monitors directory contains Python scripts for use with the Dataset Agent:\n- **log_gen.py** - Generate test logs for various vendor formats (Cisco, Windows DNS)\n- **maxmind.py** - MaxMind GeoIP enrichment for IP addresses\n- **powerquerymonitor.py** - PowerQuery monitoring capabilities\n\n### Installation Steps\n1. Copy the monitor files into the Dataset Agent's built-in monitors directory:\n   ```bash\n   cp monitors/*.py /usr/share/scalyr-agent-2/py/scalyr_agent/builtin_monitors/\n   ```\n\n2. Configure the agent by adding the monitor entry to the `monitors` array in `/etc/scalyr-agent-2/agent.json` (the agent's configuration file):\n   ```json\n   monitors: [\n     {\n       \"module\": \"scalyr_agent.builtin_monitors.log_gen\",\n       \"logs\": \"/tmp/logs/*\",\n       \"type_array\": \"['cisco', 'windows_dns']\",\n       \"parser\": \"json\",\n       \"time_pattern\": \"(?P\u003cdate\u003e(\\\\d+ \\\\w+ \\\\d+|\\\\d+\\\\/\\\\d+\\\\/\\\\d+)) (?P\u003ctime\u003e(\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}|\\\\d+:\\\\d+:\\\\d+ \\\\w+))\",\n       \"sampling_rate\": \".2\"\n     }\n   ]\n   ```\n\n3. Start the Dataset Agent:\n   ```bash\n   scalyr-agent-2 start\n   ```\n\n---\n\n## Pipelines\n\nThe `pipelines/` directory holds Observo pipeline templates for SentinelOne\nAI SIEM, organized by ingest mode:\n\n- `pipelines/push/{syslog,hec}/\u003cvendor\u003e/\u003cproduct\u003e/` — vendor pushes events to us\n- `pipelines/pull/{api,object_store}/\u003cvendor\u003e/\u003cproduct\u003e/` — we fetch from the vendor\n- `pipelines/community/transform_ocsf/\u003cvendor\u003e/\u003cproduct\u003e/` — OCSF normalization\n  overlays that run on top of upstream-ingested data\n\nThe full directory taxonomy, required `metadata.yaml` fields, and naming\nconventions are documented in [`pipelines/community/README.md`](pipelines/community/README.md).\n\n### Installing a community pipeline\n\n1. 
Navigate to the relevant `pipelines/{push,pull}/\u003cmode\u003e/\u003cvendor\u003e/\u003cproduct\u003e/`\n   or `pipelines/community/transform_ocsf/\u003cvendor\u003e/\u003cproduct\u003e/` directory.\n2. Import the JSON template into your Observo instance, or apply the Lua\n   serializer to the appropriate transform stage.\n3. Update authentication credentials per the `metadata.yaml` `dependencies`\n   block.\n4. Configure the SentinelOne AI SIEM HEC destination:\n   - **HEC token** — replace the placeholder in the imported copy only. The token is a write credential for your tenant, so keep it out of the committed template (CI secret scanning will flag it).\n   - **Endpoint URL** — verify the regional endpoint for your tenant\n     (default `https://ingest.us1.sentinelone.net`).\n5. Deploy and activate.\n\n---\n\n## Workflows / Hyperautomation\n\nCommunity response playbooks and Hyperautomation workflows are located in [`workflows/community/`](workflows/community/).\n\nWe have introduced a standardized documentation approach:\n- Vendor-first folder structure with per-workflow subfolders\n- Consistent `metadata.yaml`\n- **Mermaid.js** diagrams for clear visualization of logic, decisions, and orchestration steps\n\n**Credit to Mermaid.js**: All diagrams are powered by the open-source **[mermaid-js/mermaid](https://github.com/mermaid-js/mermaid)** project. Huge thanks to the mermaid-js community and maintainers for making version-controlled, beautiful workflow documentation possible directly in Markdown.\n\nSee [`workflows/community/README.md`](workflows/community/README.md) for the full documentation standard and examples.\n\n---\n\n## Getting help\nOpen an issue. Office hours TBD based on requests.\n\n\n```yaml\n## Metadata requirements per configuration type:\n\n# Workflows\n# File: metadata.yaml\nmetadata_details:\n  purpose: \"Describe the outcome, integrations, and components that need to be preconfigured\"\n  trigger_type: \"alert | manual\"\n  integration_dependency: \"Describe the 3rd party integrations needed to run this activity. 
Mention if licensing or additional features are required.\"\n  expected_actions_per_run: \"Total number of steps in the workflow\"\n  human_in_the_loop: \"yes | no – Does the workflow require human interaction?\"\n  required_products: \"List SentinelOne products required (e.g., EDR, CWS, CNS, Vulnerability Management)\"\n  tags: \"Optional tagging\"\n  version: \"v1.0\"\n\n# Dashboards\n# File: metadata.yaml\nmetadata_details:\n  data_dependencies: \"Specify datasource.name or OCSF field\"\n  required_fields: \"Any additional fields needed beyond the extracted set\"\n  description: \"What is the visualization helping to inform?\"\n  usecase_type: \"Operational | Security | Compliance\"\n  usecase_action: \"Formfill | Dashboard | Report | Trending and Analysis\"\n  tags: \"Optional tagging\"\n  version: \"v1.0\"\n\n# Detections\n# File: metadata.yaml\nmetadata_details:\n  purpose: \"Detects a specific action from a SentinelOne component or third-party integration\"\n  mitre_tactic_technique: \"Provide the MITRE Tactic and Technique (if known)\"\n  datasource: \"Name of the dataSource.name field\"\n  search_type: \"powerquery | star_rule | watchlist_alert\"\n  usecase_plus: \"Explain how combining this data with others enhances detection\"\n  severity: \"Information | Low | Medium | High\"\n  expected_alert_scenario: \"What alert behavior should users expect?\"\n  performance_impact: \"Describe the impact on system performance or security operations\"\n  tags: \"Optional tagging\"\n  version: \"v1.0\"\n\n# Parsers\n# File: metadata.yaml\nmetadata_details:\n  purpose: \"Describe what the parser does and how it processes data\"\n  datasource_vendor: \"AWS | Microsoft | GCP | Azure | other\"\n  dataSource: \"Specify the value for dataSource.name\"\n  format: \"gron | json | xml | raw | syslog\"\n  ingestion_method: \"streaming | syslog | HEC | Agent Ingest\"\n  sample_record: \"Example log or event that the parser handles\"\n  dependency_summary: \"Dependencies required 
for this parser to function properly\"\n  performance_impact: \"Any performance impact or caveats\"\n  tags: \"Optional tagging\"\n  version: \"v1.0\"\n\n# Monitors\n# File: metadata.yaml\nmetadata_details:\n  data_dependencies: \"Relevant OCSF or custom fields used for triggering\"\n  monitor_type: \"Threshold | Anomaly | Heartbeat | Availability\"\n  trigger_frequency: \"Polling interval or triggering condition\"\n  expected_behavior: \"Describe the action or alert that should result\"\n  tags: \"Optional tagging\"\n  version: \"v1.0\"\n\n# Pipelines\n# File: metadata.yaml\n# Schema applies to new pipelines; existing entries will be backfilled in a follow-up.\n# Top-level `grade:` block is produced by the automated grader — do not hand-author.\nmetadata_details:\n  vendor: \"\u003ccanonical_vendor_key\u003e\"      # lowercase, underscored\n  product: \"\u003ccanonical_product_key\u003e\"    # lowercase, underscored\n  ingest_mode: \"HEC | Syslog | API Call | Other - {Explain, e.g. websocket, object store}\"\n  auth_type: \"N/A | HEC Token | OAuth | API Key \u0026 Secret | Bearer Token | Basic | mTLS | IAM Role | Other - {Explain}\"\n  syslog_format: \"CEF | LEEF | RFC5424 | RFC3164 | Vendor KV\"   # optional, push/syslog/ only\n  purpose: \"What the pipeline ingests/transforms and into which OCSF classes\"\n  source_template: \"Source template name as it appears in the pipeline manager\"\n  source_vendor: \"Vendor display name\"\n  destination_template: \"SentinelOne AI SIEM\"\n  destination_type: \"SPLUNK_HEC_LOGS\"\n  transform_templates: \"Description of OCSF / Lua serializer logic\"\n  input_schema: \"Expected input record fields\"\n  output_schema: \"Resulting OCSF event shape\"\n  scheduling: \"Polling interval / event-driven / N/A\"\n  retry_behavior: \"Backoff and failure handling\"\n  dependencies: \"Auth credentials, IAM, queues, etc.\"\n  performance_impact: \"Throughput and tuning notes\"\n  tags: \"Optional tagging\"\n  version: 
\"v1.0\"\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsentinel-one%2Fai-siem","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsentinel-one%2Fai-siem","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsentinel-one%2Fai-siem/lists"}
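The metadata requirements at the end of the README above (together with the `make validate` gate in the quick start) are the natural place for an automated check. The Python linter below is an added example for this page, not code from the ai-siem repository or from SentinelOne: it parses the flat `metadata_details:` shape the README shows without needing PyYAML, enforces the required keys per configuration type, the closed value sets the README writes as `a | b | c`, the lowercase/underscored rule for pipeline `vendor` and `product`, and rejects a hand-written top-level `grade:` block. The function names (`parse_flat_metadata`, `validate_metadata`) and the sample detection metadata are this example's own constructions.

```python
"""Lint a metadata.yaml against the per-type field lists the README documents.

Added example for this page, not code from the ai-siem repository. It reads only the
flat shape the README shows (a `metadata_details:` block of `key: "value"` lines), so
no PyYAML is needed; nested YAML would need a real parser. Names are this example's own.
"""
import re

# Required keys per configuration type, taken from the README's metadata block
# (optional keys such as `tags` and `syslog_format` are deliberately left out).
REQUIRED = {
    "workflows": ["purpose", "trigger_type", "integration_dependency", "expected_actions_per_run",
                  "human_in_the_loop", "required_products", "version"],
    "dashboards": ["data_dependencies", "required_fields", "description", "usecase_type",
                   "usecase_action", "version"],
    "detections": ["purpose", "mitre_tactic_technique", "datasource", "search_type", "usecase_plus",
                   "severity", "expected_alert_scenario", "performance_impact", "version"],
    "parsers": ["purpose", "datasource_vendor", "dataSource", "format", "ingestion_method",
                "sample_record", "dependency_summary", "performance_impact", "version"],
    "monitors": ["data_dependencies", "monitor_type", "trigger_frequency", "expected_behavior", "version"],
    "pipelines": ["vendor", "product", "ingest_mode", "auth_type", "purpose", "source_template",
                  "source_vendor", "destination_template", "destination_type", "transform_templates",
                  "input_schema", "output_schema", "scheduling", "retry_behavior", "dependencies",
                  "performance_impact", "version"],
}

# Closed value sets the README writes as "a | b | c". Fields with a free-text
# "Other - {Explain}" option (ingest_mode, auth_type) are not enumerated here.
ENUMS = {
    "trigger_type": {"alert", "manual"},
    "human_in_the_loop": {"yes", "no"},
    "usecase_type": {"Operational", "Security", "Compliance"},
    "usecase_action": {"Formfill", "Dashboard", "Report", "Trending and Analysis"},
    "search_type": {"powerquery", "star_rule", "watchlist_alert"},
    "severity": {"Information", "Low", "Medium", "High"},
    "format": {"gron", "json", "xml", "raw", "syslog"},
    "ingestion_method": {"streaming", "syslog", "HEC", "Agent Ingest"},
    "monitor_type": {"Threshold", "Anomaly", "Heartbeat", "Availability"},
    "destination_type": {"SPLUNK_HEC_LOGS"},
}

DETAIL_LINE = re.compile(r'^\s+([A-Za-z_]\w*):\s*"([^"]*)"\s*(?:#.*)?$')
VERSION = re.compile(r"^v\d+\.\d+(\.\d+)?$")  # README shows "v1.0"; release tags are vX.Y.Z


def parse_flat_metadata(text):
    """Return (details, problems) for the flat metadata_details shape."""
    details, problems, in_block = {}, [], False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if line == "metadata_details:":
            in_block = True
            continue
        if in_block and line.startswith(" "):
            m = DETAIL_LINE.match(line)
            if not m:
                problems.append(f"unparsable line: {line.strip()}")
                continue
            key, value = m.group(1), m.group(2)
            if key in details:
                problems.append(f"duplicate key: {key}")
            details[key] = value
            continue
        in_block = False  # any unindented line ends the block
        if line.startswith("grade:"):  # README: grade: is written by the automated grader
            problems.append("top-level grade: block is grader-owned; do not hand-author it")
    if not details:
        problems.append("missing metadata_details block")
    return details, problems


def validate_metadata(text, kind):
    """Check required keys, enumerated values, pipeline key casing and version format."""
    if kind not in REQUIRED:
        raise ValueError(f"unknown configuration type: {kind}")
    details, problems = parse_flat_metadata(text)
    for key in REQUIRED[kind]:
        if key not in details:
            problems.append(f"missing required key: {key}")
    for key, allowed in ENUMS.items():
        if key in details and details[key] not in allowed:
            problems.append(f"{key}={details[key]!r} not in {sorted(allowed)}")
    if kind == "pipelines":
        for key in ("vendor", "product"):  # README: lowercase, underscored
            value = details.get(key, "")
            if value and not re.fullmatch(r"[a-z0-9_]+", value):
                problems.append(f"{key}={value!r} must be lowercase and underscored")
    if "version" in details and not VERSION.match(details["version"]):
        problems.append(f"version={details['version']!r} should look like v1.0")
    return problems


# Constructed sample (not from the repo): a detection with one misspelled enum
# value and one required key missing.
SAMPLE_DETECTION = '''\
metadata_details:
  purpose: "Detects repeated failed console logins from one source IP"
  mitre_tactic_technique: "Credential Access / T1110"
  datasource: "sentinelone.console_audit"
  search_type: "power_query"
  usecase_plus: "Correlate with VPN logs to separate travel from spraying"
  severity: "Medium"
  expected_alert_scenario: "One alert per source IP per hour"
  tags: "auth, brute-force"
  version: "v1.0"
'''

if __name__ == "__main__":
    for problem in validate_metadata(SAMPLE_DETECTION, "detections"):
        print("metadata.yaml:", problem)
```

Run it as a pre-commit hook or from `make validate` with the configuration type taken from the top-level folder (`detections/`, `parsers/`, ...); on the sample it reports the misspelled `search_type` and the missing `performance_impact`, and a clean file returns an empty list, which makes it easy to fail CI on a non-empty result.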