6 changes: 6 additions & 0 deletions Backend/api/.env.example
Expand Up @@ -40,6 +40,12 @@ S1_HEC_TOKEN=your-hec-token
S1_SDL_API_TOKEN=your-sdl-api-token
S1_HEC_URL=https://your-instance.sentinelone.net/api/v1/cloud_connect/events/raw

# UAM Alert Ingest (Service Account - separate from HEC)
S1_UAM_INGEST_URL=https://ingest.us1.sentinelone.net
S1_UAM_SERVICE_TOKEN=your-service-account-token
S1_UAM_ACCOUNT_ID=your-account-id
S1_UAM_SITE_ID=

# CORS Origins (comma-separated)
BACKEND_CORS_ORIGINS=http://localhost:3000,http://localhost:8080

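Review bot: `S1_UAM_INGEST_URL` is set to a concrete regional host (`ingest.us1.sentinelone.net`) while the neighbouring `S1_HEC_URL` uses a `your-instance` placeholder; if the UAM ingest endpoint varies by tenant region, a literal value in the example will be copied as-is and point a tenant in another region at the wrong service. Consider `S1_UAM_INGEST_URL=https://ingest.<region>.sentinelone.net` or a comment stating why `us1` is the default. `S1_UAM_SITE_ID=` is left blank with no note on whether blank is permitted; suggest adding `# Optional: leave blank to scope ingest to the whole account` above it, adjusted to whatever the ingest code actually does with an empty value.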
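--- a/Backend/api/app/alerts/templates/advanced_sample_alert.json
+++ b/Backend/api/app/alerts/templates/advanced_sample_alert.json
@@ -0,0 +1,106 @@
+{
+"finding_info": {
+"uid": "placeholder_uid",
+"title": "HELIOS Advanced Sample Alert",
+"desc": "Advanced sample alert with related events, generated by HELIOS alert engine",
+"related_events": [
+{
+"type": "Process Creation",
+"attacks": [
+{
+"tactic": {
+"uid": "TA0001",
+"name": "Initial Access"
+},
+"technique": {
+"uid": "T1566.001",
+"name": "Spearphishing Attachment"
+},
+"version": "13.1"
+}
+],
+"uid": "placeholder_uid",
+"observables": [
+{
+"name": "file.name",
+"type_id": 7,
+"value": "malicious_payload.exe"
+},
+{
+"name": "process.pid",
+"type_id": 29,
+"value": "4821"
+}
+],
+"severity_id": 4,
+"time": "DYNAMIC",
+"message": "Suspicious process created from spearphishing attachment"
+},
+{
+"type": "Network Connection",
+"attacks": [
+{
+"tactic": {
+"uid": "TA0011",
+"name": "Command and Control"
+},
+"technique": {
+"uid": "T1071.001",
+"name": "Web Protocols"
+},
+"version": "13.1"
+}
+],
+"uid": "placeholder_uid",
+"observables": [
+{
+"name": "dst_endpoint.ip",
+"type_id": 2,
+"value": "198.51.100.23"
+},
+{
+"name": "dst_endpoint.port",
+"type_id": 29,
+"value": "443"
+}
+],
+"severity_id": 3,
+"time": "DYNAMIC",
+"message": "Outbound C2 connection detected over HTTPS"
+}
+]
+},
+"resources": [
+{
+"uid": "helios-asset-001",
+"name": "helios-endpoint-01"
+}
+],
+"severity": "high",
+"category_uid": 2,
+"class_uid": 99602001,
+"class_name": "S1 Security Alert",
+"type_uid": 9960200101,
+"type_name": "S1 Security Alert: Create",
+"category_name": "Findings",
+"activity_id": 1,
+"metadata": {
+"version": "1.1.0",
+"extension": {
+"name": "s1",
+"uid": "998",
+"version": "0.1.0"
+},
+"product": {
+"name": "HELIOS",
+"vendor_name": "RoarinPenguin"
+},
+"logged_time": "DYNAMIC",
+"modified_time": "DYNAMIC"
+},
+"time": "DYNAMIC",
+"attack_surface_ids": [1],
+"severity_id": 4,
+"state_id": 1,
+"s1_classification_id": 1
+}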
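Review bot: `finding_info.uid` and both `related_events[].uid` carry the same literal `placeholder_uid`; unless the engine substitutes every occurrence, including nested ones, the two related events will be emitted with identical ids that also collide with the finding's own id — confirm the substitution walks nested objects rather than only the top-level `finding_info`. The `DYNAMIC` and `placeholder_uid` sentinels are documented nowhere in the templates directory (JSON cannot carry comments); a short README.md beside the templates listing each sentinel, which fields the engine rewrites, and that all other values are emitted verbatim would stop a later template author from treating them as literal data. Minor: `process.pid` and `dst_endpoint.port` are given as strings (`"4821"`, `"443"`), which is consistent with a string-typed observable `value`, but the same choice should hold in every template that adds observables.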
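--- a/Backend/api/app/alerts/templates/default_alert.json
+++ b/Backend/api/app/alerts/templates/default_alert.json
@@ -0,0 +1,85 @@
+{
+"activity_id": 1,
+"attack_surface_ids": [1],
+"category_uid": 2,
+"category_name": "Findings",
+"class_name": "S1 Security Alert",
+"class_uid": 99602001,
+"type_name": "S1 Security Alert: Create",
+"type_uid": 9960200101,
+"finding_info": {
+"title": "Suspicious Activity",
+"uid": "placeholder_uid",
+"desc": "Malware Detection - Suspicious file activity detected"
+},
+"evidences": [
+{
+"process": {
+"file": {
+"name": "malicious_file.exe",
+"path": "/usr/local/bin/malicious_file.exe",
+"size": 1024000,
+"hashes": [
+{
+"algorithm_id": 6,
+"value": "2c4d2c6262d46313990e31bf7b6437028a566ba8"
+},
+{
+"algorithm_id": 1,
+"value": "d41d8cd98f00b204e9800998ecf8427e"
+},
+{
+"algorithm_id": 2,
+"value": "da39a3ee5e6b4b0d3255bfef95601890afd80709"
+}
+],
+"signature": {
+"algorithm_id": 3,
+"certificate": {
+"subject": "CN=CodeSign Cert, O=Acme Corp, C=US",
+"serial_number": "1234567890ABCDEF",
+"expiration_time": 1718400000000,
+"fingerprints": [
+{
+"algorithm_id": 6,
+"value": "2c4d2c6262d46313990e31bf7b6437028a566ba8"
+},
+{
+"algorithm_id": 1,
+"value": "d41d8cd98f00b204e9800998ecf8427e"
+}
+],
+"issuer": "Acme Corp"
+}
+},
+"type_id": 3
+}
+}
+}
+],
+"resources": [
+{
+"name": "endpoint-workstation-01",
+"uid": "res-001"
+}
+],
+"metadata": {
+"version": "1.1.0",
+"extension": {
+"name": "s1",
+"uid": "998",
+"version": "0.1.0"
+},
+"product": {
+"name": "HELIOS",
+"vendor_name": "RoarinPenguin"
+},
+"logged_time": "DYNAMIC",
+"modified_time": "DYNAMIC"
+},
+"time": "DYNAMIC",
+"severity_id": 1,
+"state_id": 1,
+"s1_classification_id": 0,
+"confidence_id": 1
+}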
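Review bot: the hash entry with `"algorithm_id": 6` carries a 40-hex-character value, which is the length of a SHA-1 digest; if this enum follows the OCSF fingerprint table (where 1 = MD5, 2 = SHA-1 and 6 = TLSH, a 70-character digest), the other two entries line up with their ids but this one looks like the SHA-1 value reused under the wrong id — the same pair is repeated in `certificate.fingerprints`, so confirm against the schema the backend validates with. The id 1 and id 2 values (`d41d8cd9…`, `da39a3ee…`) are the well-known MD5 and SHA-1 digests of empty input, which contradict `"size": 1024000` and would match genuinely empty files if this template ever feeds an enrichment or blocklist lookup; a visibly synthetic placeholder is safer sample data. Unlike the other templates in this commit, this one has no `"severity"` string beside `"severity_id": 1` — adding `"severity": "informational"` (the OCSF name for 1) keeps the shape uniform. `expiration_time` is a fixed epoch-millisecond integer while every other timestamp is the `DYNAMIC` sentinel; if the engine is expected to rewrite timestamps, this mid-2024 expiry will silently age out.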
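--- a/Backend/api/app/alerts/templates/o365_admin_consent_all.json
+++ b/Backend/api/app/alerts/templates/o365_admin_consent_all.json
@@ -0,0 +1,42 @@
+{
+"finding_info": {
+"uid": "placeholder_uid",
+"title": "Office 365 Admin Consent Granted for All Principals",
+"desc": "Admin consent granted for all applications/principals. Critical privilege escalation risk."
+},
+"resources": [
+{
+"uid": "jeanluc@starfleet.com",
+"name": "jeanluc@starfleet.com"
+}
+],
+"severity": "critical",
+"category_uid": 2,
+"class_uid": 99602001,
+"class_name": "S1 Security Alert",
+"type_uid": 9960200101,
+"type_name": "S1 Security Alert: Create",
+"category_name": "Findings",
+"activity_id": 1,
+"metadata": {
+"version": "1.1.0",
+"extension": {
+"name": "s1",
+"uid": "998",
+"version": "0.1.0"
+},
+"product": {
+"name": "Microsoft 365",
+"vendor_name": "Microsoft"
+},
+"logged_time": "DYNAMIC",
+"modified_time": "DYNAMIC"
+},
+"time": "DYNAMIC",
+"attack_surface_ids": [
+1
+],
+"severity_id": 5,
+"state_id": 1,
+"s1_classification_id": 28
+}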
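Review bot: the `resources[0].uid` / `name` value `jeanluc@starfleet.com` uses a domain that is registered to a third party rather than one reserved for documentation; if these templates are ever posted to a live tenant or ingest endpoint, the sample alert will name an identity outside the project's control. Use `jeanluc@example.com` (RFC 2606 reserved) here and in the identical `resources` block of o365_antiphish_rule_disabled.json, o365_app_role_assigned.json and o365_attachment_removed.json. Minor style: `attack_surface_ids` is spread over three lines in the four o365 templates but written inline as `[1]` in advanced_sample_alert.json and default_alert.json; one form throughout makes the templates diff cleanly against each other.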
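--- a/Backend/api/app/alerts/templates/o365_antiphish_rule_disabled.json
+++ b/Backend/api/app/alerts/templates/o365_antiphish_rule_disabled.json
@@ -0,0 +1,42 @@
+{
+"finding_info": {
+"uid": "placeholder_uid",
+"title": "Office 365 Deactivation or Removal of Anti-Phish Rule",
+"desc": "Anti-phishing rule deactivated or removed. Critical email security control disabled."
+},
+"resources": [
+{
+"uid": "jeanluc@starfleet.com",
+"name": "jeanluc@starfleet.com"
+}
+],
+"severity": "high",
+"category_uid": 2,
+"class_uid": 99602001,
+"class_name": "S1 Security Alert",
+"type_uid": 9960200101,
+"type_name": "S1 Security Alert: Create",
+"category_name": "Findings",
+"activity_id": 1,
+"metadata": {
+"version": "1.1.0",
+"extension": {
+"name": "s1",
+"uid": "998",
+"version": "0.1.0"
+},
+"product": {
+"name": "Microsoft 365",
+"vendor_name": "Microsoft"
+},
+"logged_time": "DYNAMIC",
+"modified_time": "DYNAMIC"
+},
+"time": "DYNAMIC",
+"attack_surface_ids": [
+1
+],
+"severity_id": 4,
+"state_id": 1,
+"s1_classification_id": 28
+}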
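Review bot: the description calls the anti-phish rule a "Critical email security control" while the alert itself is rated `"severity": "high"` / `"severity_id": 4`, one step below the `critical` / 5 used by o365_admin_consent_all.json; if the rating is intentional, rewording to `"desc": "Anti-phishing rule deactivated or removed. Email security control disabled."` stops analysts from reading the text as a severity claim. The `resources` entry appears to be the acting user rather than the rule that was changed; an additional resource or observable naming the rule would let a responder see what was disabled without opening the source event, assuming the engine has that value available.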
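--- a/Backend/api/app/alerts/templates/o365_app_role_assigned.json
+++ b/Backend/api/app/alerts/templates/o365_app_role_assigned.json
@@ -0,0 +1,42 @@
+{
+"finding_info": {
+"uid": "placeholder_uid",
+"title": "Office 365 Application Role Assigned to Service Principal",
+"desc": "Application role assigned to service principal. Review for unauthorized privilege assignment."
+},
+"resources": [
+{
+"uid": "jeanluc@starfleet.com",
+"name": "jeanluc@starfleet.com"
+}
+],
+"severity": "medium",
+"category_uid": 2,
+"class_uid": 99602001,
+"class_name": "S1 Security Alert",
+"type_uid": 9960200101,
+"type_name": "S1 Security Alert: Create",
+"category_name": "Findings",
+"activity_id": 1,
+"metadata": {
+"version": "1.1.0",
+"extension": {
+"name": "s1",
+"uid": "998",
+"version": "0.1.0"
+},
+"product": {
+"name": "Microsoft 365",
+"vendor_name": "Microsoft"
+},
+"logged_time": "DYNAMIC",
+"modified_time": "DYNAMIC"
+},
+"time": "DYNAMIC",
+"attack_surface_ids": [
+1
+],
+"severity_id": 3,
+"state_id": 1,
+"s1_classification_id": 1
+}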
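Review bot: the finding is about an application role assigned to a service principal, yet the only `resources` entry is a user mailbox address; the service principal (or application id) that received the role is the object a responder pivots on, so it likely deserves its own `resources` entry — inferred from the title, since the fields the engine fills in are not visible here. The `desc` asks the reader to "Review for unauthorized privilege assignment" but the template carries no field for which role was assigned; if the engine does not add one, the alert cannot be triaged from its own content.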
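--- a/Backend/api/app/alerts/templates/o365_attachment_removed.json
+++ b/Backend/api/app/alerts/templates/o365_attachment_removed.json
@@ -0,0 +1,42 @@
+{
+"finding_info": {
+"uid": "placeholder_uid",
+"title": "Office 365 Malicious Email Attachment Removed After Delivery",
+"desc": "Malicious email attachment removed post-delivery. ZAP protection activated."
+},
+"resources": [
+{
+"uid": "jeanluc@starfleet.com",
+"name": "jeanluc@starfleet.com"
+}
+],
+"severity": "medium",
+"category_uid": 2,
+"class_uid": 99602001,
+"class_name": "S1 Security Alert",
+"type_uid": 9960200101,
+"type_name": "S1 Security Alert: Create",
+"category_name": "Findings",
+"activity_id": 1,
+"metadata": {
+"version": "1.1.0",
+"extension": {
+"name": "s1",
+"uid": "998",
+"version": "0.1.0"
+},
+"product": {
+"name": "Microsoft 365",
+"vendor_name": "Microsoft"
+},
+"logged_time": "DYNAMIC",
+"modified_time": "DYNAMIC"
+},
+"time": "DYNAMIC",
+"attack_surface_ids": [
+1
+],
+"severity_id": 3,
+"state_id": 1,
+"s1_classification_id": 1
+}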
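Review bot: `desc` uses the bare abbreviation `ZAP`; spelling it out once, `"desc": "Malicious email attachment removed post-delivery. Zero-hour auto purge (ZAP) protection activated."`, keeps the alert readable for analysts who do not work with Microsoft 365 daily. This alert records a remediation that has already happened rather than an open condition, yet it carries the same `"state_id": 1` as the templates describing unreviewed findings; confirm that is the intended state so it is not queued as if action were still pending.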