SentinelOne

Collect logs from SentinelOne with Elastic Agent.

Version: 1.25.1
Compatible Kibana version(s): 8.13.0 or higher
Supported Serverless project types: Security, Observability
Subscription level: Basic
Level of support: Elastic

The SentinelOne integration collects and parses data from the SentinelOne REST APIs. It also allows response actions to be run on SentinelOne hosts directly from the Elastic Security interface (introduced in v8.12.0). That capability needs additional configuration; refer to the Elastic Security documentation for detailed guidance.

Compatibility

This module has been tested against SentinelOne Management Console API version 2.1.

API token

To collect data from SentinelOne APIs, you must have an API token. To create an API token, follow these steps:

  1. Log in to the SentinelOne Management Console as an Admin.
  2. Open Logged User Account from the panel at the top right of the navigation bar.
  3. Click My User.
  4. In the API token section, click Generate.

Note

The API token a user generates is time-limited. To rotate it, log in with the dedicated admin account and generate a new token.

The alert data stream depends on STAR Custom Rules, which are supported in cloud environments but not in on-premises environments. The alert data stream is therefore not available for on-premises deployments.

Logs

activity

This is the activity dataset.

An example event for activity looks as follows:

{
    "@timestamp": "2022-04-05T16:01:56.995Z",
    "agent": {
        "ephemeral_id": "630c4de2-59ec-4613-ab7d-261434a79313",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "sentinel_one.activity",
        "namespace": "83396",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "configuration"
        ],
        "created": "2024-06-12T03:21:55.005Z",
        "dataset": "sentinel_one.activity",
        "ingested": "2024-06-12T03:22:05Z",
        "kind": "event",
        "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-05T16:01:56.995120Z\",\"data\":{\"accountId\":1234567890123456800,\"accountName\":\"Default\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"test/path\",\"groupName\":null,\"scopeLevel\":\"Account\",\"scopeName\":\"Default\",\"siteName\":null,\"username\":\"test user\"},\"description\":null,\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"created Default account.\",\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":null,\"updatedAt\":\"2022-04-05T16:01:56.992136Z\",\"userId\":\"1234567890123456789\"}",
        "type": [
            "creation"
        ]
    },
    "input": {
        "type": "httpjson"
    },
    "related": {
        "user": [
            "test user"
        ]
    },
    "sentinel_one": {
        "activity": {
            "account": {
                "id": "1234567890123456789",
                "name": "Default"
            },
            "data": {
                "account": {
                    "id": "1234567890123456800",
                    "name": "Default"
                },
                "fullscope": {
                    "details": "Account Default",
                    "details_path": "test/path"
                },
                "scope": {
                    "level": "Account",
                    "name": "Default"
                }
            },
            "description": {
                "primary": "created Default account."
            },
            "id": "1234567890123456789",
            "type": 1234,
            "updated_at": "2022-04-05T16:01:56.992Z"
        }
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "sentinel_one-activity"
    ],
    "user": {
        "full_name": "test user",
        "id": "1234567890123456789"
    }
}

Exported fields

| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| cloud.image.id | Image ID for the cloud instance. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset. | constant_keyword |
| event.module | Event module. | constant_keyword |
| host.containerized | If the host is a container. | boolean |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| input.type | Input type. | keyword |
| log.offset | Log offset. | long |
| log.source.address | Source address from which the log event was read / sent from. | keyword |
| sentinel_one.activity.account.id | Related account ID (if applicable). | keyword |
| sentinel_one.activity.account.name | Related account name (if applicable). | keyword |
| sentinel_one.activity.agent.id | Related agent (if applicable). | keyword |
| sentinel_one.activity.comments | Comments. | keyword |
| sentinel_one.activity.data.account.id | Related account ID (if applicable). | keyword |
| sentinel_one.activity.data.account.name | Related account name (if applicable). | keyword |
| sentinel_one.activity.data.attr | Attribute. | keyword |
| sentinel_one.activity.data.changed_keys | Changed keys. | keyword |
| sentinel_one.activity.data.confidence.level | Confidence level. | keyword |
| sentinel_one.activity.data.created_at | Created time. | date |
| sentinel_one.activity.data.description | Description. | keyword |
| sentinel_one.activity.data.downloaded.url | Downloaded URL. | keyword |
| sentinel_one.activity.data.flattened | Extra activity-specific data. | flattened |
| sentinel_one.activity.data.fullscope.details | Full scope details. | keyword |
| sentinel_one.activity.data.fullscope.details_path | Full scope details path. | keyword |
| sentinel_one.activity.data.global.status | Global status. | keyword |
| sentinel_one.activity.data.group | Related group (if applicable). | keyword |
| sentinel_one.activity.data.group_name | Related group name (if applicable). | keyword |
| sentinel_one.activity.data.malicious.process.arguments | Malicious process arguments. | keyword |
| sentinel_one.activity.data.new.confidence_level | New confidence level. | keyword |
| sentinel_one.activity.data.new.status | New status. | keyword |
| sentinel_one.activity.data.new.value | New value. | keyword |
| sentinel_one.activity.data.old.confidence_level | Old confidence level. | keyword |
| sentinel_one.activity.data.optionals_groups | Optional groups. | keyword |
| sentinel_one.activity.data.original.status | Original status. | keyword |
| sentinel_one.activity.data.policy | Policy. | flattened |
| sentinel_one.activity.data.policy_name | Policy name. | keyword |
| sentinel_one.activity.data.reason | Reason. | keyword |
| sentinel_one.activity.data.role | Role. | keyword |
| sentinel_one.activity.data.role_name | Role name. | keyword |
| sentinel_one.activity.data.scope.level | Scope level. | keyword |
| sentinel_one.activity.data.scope.name | Scope name. | keyword |
| sentinel_one.activity.data.scope_level.name | Scope level name. | keyword |
| sentinel_one.activity.data.site.name | Related site name (if applicable). | keyword |
| sentinel_one.activity.data.source | Source. | keyword |
| sentinel_one.activity.data.status | Status. | keyword |
| sentinel_one.activity.data.system | System. | boolean |
| sentinel_one.activity.data.threat.classification.name | Threat classification name. | keyword |
| sentinel_one.activity.data.threat.classification.source | Threat classification source. | keyword |
| sentinel_one.activity.data.user.name | User name. | keyword |
| sentinel_one.activity.data.user.scope | User scope. | keyword |
| sentinel_one.activity.data.uuid | UUID. | keyword |
| sentinel_one.activity.description.primary | Primary description. | keyword |
| sentinel_one.activity.description.secondary | Secondary description. | keyword |
| sentinel_one.activity.id | Activity ID. | keyword |
| sentinel_one.activity.site.id | Related site ID (if applicable). | keyword |
| sentinel_one.activity.site.name | Related site name (if applicable). | keyword |
| sentinel_one.activity.threat.id | Related threat ID (if applicable). | keyword |
| sentinel_one.activity.type | Activity type. | long |
| sentinel_one.activity.updated_at | Activity last updated time (UTC). | date |
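The sample event and the field table above together define how a raw activity record (kept verbatim in event.original) is mapped onto sentinel_one.activity.*, user.* and related.user. The following is an added example, not the integration's own ingest pipeline, which performs this mapping inside Elasticsearch: it reproduces the activity mapping in stand-alone Python so the transformation can be inspected and unit-tested offline. The function and constant names are this example's own, and event.category / event.type, which the integration derives from the activityType code, are not reproduced because the code table is not part of this page.

```python
"""Map a raw SentinelOne activity record to the ECS-style document shape
documented above. Added example; it mirrors the integration's activity
mapping in Python and is not the integration's own pipeline code."""
import json
from datetime import datetime

# Raw activity record, copied from the sample event's event.original above.
SAMPLE_ACTIVITY = (
    '{"accountId":"1234567890123456789","accountName":"Default","activityType":1234,'
    '"agentId":null,"agentUpdatedVersion":null,"comments":null,'
    '"createdAt":"2022-04-05T16:01:56.995120Z",'
    '"data":{"accountId":1234567890123456800,"accountName":"Default",'
    '"fullScopeDetails":"Account Default","fullScopeDetailsPath":"test/path",'
    '"groupName":null,"scopeLevel":"Account","scopeName":"Default","siteName":null,'
    '"username":"test user"},"description":null,"groupId":null,"groupName":null,'
    '"hash":null,"id":"1234567890123456789","osFamily":null,'
    '"primaryDescription":"created Default account.","secondaryDescription":null,'
    '"siteId":null,"siteName":null,"threatId":null,'
    '"updatedAt":"2022-04-05T16:01:56.992136Z","userId":"1234567890123456789"}'
)

# Raw key (dotted for the nested "data" object) -> target field from the table above.
ACTIVITY_FIELD_MAP = {
    "accountId": "sentinel_one.activity.account.id",
    "accountName": "sentinel_one.activity.account.name",
    "agentId": "sentinel_one.activity.agent.id",
    "comments": "sentinel_one.activity.comments",
    "id": "sentinel_one.activity.id",
    "activityType": "sentinel_one.activity.type",
    "primaryDescription": "sentinel_one.activity.description.primary",
    "secondaryDescription": "sentinel_one.activity.description.secondary",
    "siteId": "sentinel_one.activity.site.id",
    "siteName": "sentinel_one.activity.site.name",
    "threatId": "sentinel_one.activity.threat.id",
    "userId": "user.id",
    "data.accountId": "sentinel_one.activity.data.account.id",
    "data.accountName": "sentinel_one.activity.data.account.name",
    "data.fullScopeDetails": "sentinel_one.activity.data.fullscope.details",
    "data.fullScopeDetailsPath": "sentinel_one.activity.data.fullscope.details_path",
    "data.groupName": "sentinel_one.activity.data.group_name",
    "data.scopeLevel": "sentinel_one.activity.data.scope.level",
    "data.scopeName": "sentinel_one.activity.data.scope.name",
    "data.siteName": "sentinel_one.activity.data.site.name",
    "data.username": "user.full_name",
}
# Every other mapped field is typed keyword in the table, so numbers become strings.
LONG_FIELDS = {"sentinel_one.activity.type"}


def ecs_timestamp(value: str) -> str:
    """Reduce a SentinelOne microsecond timestamp to ECS millisecond precision."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def get_path(obj, dotted: str):
    """Read a dotted path from nested dicts; None when any segment is absent."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def set_path(doc: dict, dotted: str, value) -> None:
    """Write value at a dotted path, creating intermediate objects as needed."""
    parts = dotted.split(".")
    for part in parts[:-1]:
        doc = doc.setdefault(part, {})
    doc[parts[-1]] = value


def normalize_activity(raw: str) -> dict:
    """Build the ECS-style document for one raw activity JSON string."""
    src = json.loads(raw)
    # event.original is kept verbatim, as the preserve_original_event tag implies.
    doc = {"event": {"kind": "event", "original": raw}, "input": {"type": "httpjson"}}
    doc["@timestamp"] = ecs_timestamp(src["createdAt"])
    set_path(doc, "sentinel_one.activity.updated_at", ecs_timestamp(src["updatedAt"]))
    for raw_key, target in ACTIVITY_FIELD_MAP.items():
        value = get_path(src, raw_key)
        if value is None:
            continue  # null fields are dropped, as in the sample document
        if target not in LONG_FIELDS and not isinstance(value, str):
            value = str(value)  # e.g. data.accountId arrives as a JSON number
        set_path(doc, target, value)
    # related.user lets analysts pivot on the actor regardless of source.
    actor = get_path(src, "data.username")
    if actor:
        doc["related"] = {"user": [actor]}
    return doc


if __name__ == "__main__":
    print(json.dumps(normalize_activity(SAMPLE_ACTIVITY), indent=2, sort_keys=True))
```

Running the block prints a document whose @timestamp, sentinel_one.activity and user objects match the sample event above; note that the microsecond timestamps are truncated to milliseconds and that data.accountId, a JSON number in the raw record, is stored as the keyword string the table declares.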

agent

This is the agent dataset.

An example event for agent looks as follows:

{
    "@timestamp": "2022-04-07T08:31:47.481Z",
    "agent": {
        "ephemeral_id": "bc127c14-939d-445f-ba71-65c2a9cd997e",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "sentinel_one.agent",
        "namespace": "27680",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "host"
        ],
        "created": "2024-06-12T03:22:47.058Z",
        "dataset": "sentinel_one.agent",
        "ingested": "2024-06-12T03:22:59Z",
        "kind": "event",
        "original": "{\"accountId\":\"12345123451234512345\",\"accountName\":\"Account Name\",\"activeDirectory\":{\"computerDistinguishedName\":null,\"computerMemberOf\":[],\"lastUserDistinguishedName\":null,\"lastUserMemberOf\":[]},\"activeThreats\":7,\"agentVersion\":\"12.x.x.x\",\"allowRemoteShell\":true,\"appsVulnerabilityStatus\":\"not_applicable\",\"cloudProviders\":{},\"computerName\":\"user-test\",\"consoleMigrationStatus\":\"N/A\",\"coreCount\":2,\"cpuCount\":2,\"cpuId\":\"CPU Name\",\"createdAt\":\"2022-03-18T09:12:00.519500Z\",\"detectionState\":null,\"domain\":\"WORKGROUP\",\"encryptedApplications\":false,\"externalId\":\"\",\"externalIp\":\"81.2.69.143\",\"firewallEnabled\":true,\"firstFullModeTime\":null,\"groupId\":\"1234567890123456789\",\"groupIp\":\"81.2.69.144\",\"groupName\":\"Default Group\",\"id\":\"13491234512345\",\"inRemoteShellSession\":false,\"infected\":true,\"installerType\":\".msi\",\"isActive\":true,\"isDecommissioned\":false,\"isPendingUninstall\":false,\"isUninstalled\":false,\"isUpToDate\":true,\"lastActiveDate\":\"2022-03-17T09:51:28.506000Z\",\"lastIpToMgmt\":\"81.2.69.145\",\"lastLoggedInUserName\":\"\",\"licenseKey\":\"\",\"locationEnabled\":true,\"locationType\":\"not_applicable\",\"locations\":null,\"machineType\":\"server\",\"missingPermissions\":[\"user-action-needed-bluetooth-per\",\"user_action_needed_fda\"],\"mitigationMode\":\"detect\",\"mitigationModeSuspicious\":\"detect\",\"modelName\":\"Compute Engine\",\"networkInterfaces\":[{\"gatewayIp\":\"81.2.69.145\",\"gatewayMacAddress\":\"00-00-5E-00-53-00\",\"id\":\"1234567890123456789\",\"inet\":[\"81.2.69.144\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"00-00-5E-00-53-00\"}],\"networkQuarantineEnabled\":false,\"networkStatus\":\"connected\",\"operationalState\":\"na\",\"operationalStateExpiration\":null,\"osArch\":\"64 bit\",\"osName\":\"Linux Server\",\"osRevision\":\"1234\",\"osStartTime\":\"2022-04-06T08:27:14Z\",\"osType\":\"linux\",\"osUsername\":null,\"rangerStatus\":\"Enabled\",\"rangerVersion\":\"21.x.x.x\",\"registeredAt\":\"2022-04-06T08:26:45.515278Z\",\"remoteProfilingState\":\"disabled\",\"remoteProfilingStateExpiration\":null,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"storageName\":null,\"storageType\":null,\"tags\":{\"sentinelone\":[{\"assignedAt\":\"2018-02-27T04:49:26.257525Z\",\"assignedBy\":\"test-user\",\"assignedById\":\"123456789012345678\",\"id\":\"123456789012345678\",\"key\":\"key123\",\"value\":\"value123\"}]},\"threatRebootRequired\":false,\"totalMemory\":1234,\"updatedAt\":\"2022-04-07T08:31:47.481227Z\",\"userActionsNeeded\":[\"reboot_needed\"],\"uuid\":\"XXX35XXX8Xfb4aX0X1X8X12X343X8X30\"}",
        "type": [
            "info"
        ]
    },
    "group": {
        "id": "1234567890123456789",
        "name": "Default Group"
    },
    "host": {
        "domain": "WORKGROUP",
        "geo": {
            "city_name": "London",
            "continent_name": "Europe",
            "country_iso_code": "GB",
            "country_name": "United Kingdom",
            "location": {
                "lat": 51.5142,
                "lon": -0.0931
            },
            "region_iso_code": "GB-ENG",
            "region_name": "England"
        },
        "id": "13491234512345",
        "ip": [
            "81.2.69.143"
        ],
        "mac": [
            "00-00-5E-00-53-00"
        ],
        "name": "user-test",
        "os": {
            "name": "Linux Server",
            "type": "linux",
            "version": "1234"
        }
    },
    "input": {
        "type": "httpjson"
    },
    "observer": {
        "version": "12.x.x.x"
    },
    "related": {
        "hosts": [
            "user-test",
            "WORKGROUP"
        ],
        "ip": [
            "81.2.69.143",
            "81.2.69.145",
            "81.2.69.144",
            "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
        ]
    },
    "sentinel_one": {
        "agent": {
            "account": {
                "id": "12345123451234512345",
                "name": "Account Name"
            },
            "active_threats_count": 7,
            "agent": {
                "id": "13491234512345"
            },
            "allow_remote_shell": true,
            "apps_vulnerability_status": "not_applicable",
            "console_migration_status": "N/A",
            "core": {
                "count": 2
            },
            "cpu": {
                "count": 2,
                "id": "CPU Name"
            },
            "created_at": "2022-03-18T09:12:00.519Z",
            "encrypted_application": false,
            "firewall_enabled": true,
            "group": {
                "ip": "81.2.69.144"
            },
            "in_remote_shell_session": false,
            "infected": true,
            "installer_type": ".msi",
            "is_active": true,
            "is_decommissioned": false,
            "is_pending_uninstall": false,
            "is_uninstalled": false,
            "is_up_to_date": true,
            "last_active_date": "2022-03-17T09:51:28.506Z",
            "last_ip_to_mgmt": "81.2.69.145",
            "location": {
                "enabled": true,
                "type": "not_applicable"
            },
            "machine": {
                "type": "server"
            },
            "missing_permissions": [
                "user-action-needed-bluetooth-per",
                "user_action_needed_fda"
            ],
            "mitigation_mode": "detect",
            "mitigation_mode_suspicious": "detect",
            "model_name": "Compute Engine",
            "network_interfaces": [
                {
                    "gateway": {
                        "ip": "81.2.69.145",
                        "mac": "00-00-5E-00-53-00"
                    },
                    "id": "1234567890123456789",
                    "inet": [
                        "81.2.69.144"
                    ],
                    "inet6": [
                        "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
                    ],
                    "name": "Ethernet"
                }
            ],
            "network_quarantine_enabled": false,
            "network_status": "connected",
            "operational_state": "na",
            "os": {
                "arch": "64 bit",
                "start_time": "2022-04-06T08:27:14.000Z"
            },
            "ranger": {
                "status": "Enabled",
                "version": "21.x.x.x"
            },
            "registered_at": "2022-04-06T08:26:45.515Z",
            "remote_profiling_state": "disabled",
            "scan": {
                "finished_at": "2022-04-06T09:18:21.090Z",
                "started_at": "2022-04-06T08:26:52.838Z",
                "status": "finished"
            },
            "site": {
                "id": "1234567890123456789",
                "name": "Default site"
            },
            "tags": [
                {
                    "assigned_at": "2018-02-27T04:49:26.257Z",
                    "assigned_by": "test-user",
                    "assigned_by_id": "123456789012345678",
                    "id": "123456789012345678",
                    "key": "key123",
                    "value": "value123"
                }
            ],
            "threat_reboot_required": false,
            "total_memory": 1234,
            "user_action_needed": [
                "reboot_needed"
            ],
            "uuid": "XXX35XXX8Xfb4aX0X1X8X12X343X8X30"
        }
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "sentinel_one-agent"
    ]
}

Exported fields

| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| cloud.image.id | Image ID for the cloud instance. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset. | constant_keyword |
| event.module | Event module. | constant_keyword |
| host.containerized | If the host is a container. | boolean |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| input.type | Input type. | keyword |
| log.offset | Log offset. | long |
| sentinel_one.agent.account.id | A reference to the containing account. | keyword |
| sentinel_one.agent.account.name | Name of the containing account. | keyword |
| sentinel_one.agent.active_directory.computer.member_of | Groups the computer is a member of. | keyword |
| sentinel_one.agent.active_directory.computer.name | Computer distinguished name. | keyword |
| sentinel_one.agent.active_directory.last_user.distinguished_name | Last user distinguished name. | keyword |
| sentinel_one.agent.active_directory.last_user.member_of | Groups the last user is a member of. | keyword |
| sentinel_one.agent.active_directory.mail | Mail. | keyword |
| sentinel_one.agent.active_directory.user.principal_name | User principal name. | keyword |
| sentinel_one.agent.active_threats_count | Current number of active threats. | long |
| sentinel_one.agent.agent.id | Related agent (if applicable). | keyword |
| sentinel_one.agent.allow_remote_shell | Agent is capable of, and policy enables, remote shell. | boolean |
| sentinel_one.agent.apps_vulnerability_status | Apps vulnerability status. | keyword |
| sentinel_one.agent.cloud_provider | Cloud providers for this agent. | flattened |
| sentinel_one.agent.console_migration_status | What step the agent is at in the process of migrating to another console, if any. | keyword |
| sentinel_one.agent.core.count | CPU cores. | long |
| sentinel_one.agent.cpu.count | Number of CPUs. | long |
| sentinel_one.agent.cpu.id | CPU model. | keyword |
| sentinel_one.agent.created_at | Created at. | date |
| sentinel_one.agent.detection_state | Detection state. | keyword |
| sentinel_one.agent.encrypted_application | Disk encryption status. | boolean |
| sentinel_one.agent.external.id | External ID set by the customer. | keyword |
| sentinel_one.agent.firewall_enabled | Firewall enabled. | boolean |
| sentinel_one.agent.first_full_mode_time | Date of the first time the Agent moved to full or slim detection mode. | date |
| sentinel_one.agent.group.ip | Group subnet address. | keyword |
| sentinel_one.agent.group.updated_at | Group updated at. | date |
| sentinel_one.agent.in_remote_shell_session | Is the Agent in a remote shell session. | boolean |
| sentinel_one.agent.infected | Indicates if the Agent has active threats. | boolean |
| sentinel_one.agent.installer_type | Installer package type (file extension). | keyword |
| sentinel_one.agent.is_active | Indicates if the agent was recently active. | boolean |
| sentinel_one.agent.is_decommissioned | Is the Agent decommissioned. | boolean |
| sentinel_one.agent.is_pending_uninstall | Agent with a pending uninstall request. | boolean |
| sentinel_one.agent.is_uninstalled | Indicates if the Agent was removed from the device. | boolean |
| sentinel_one.agent.is_up_to_date | Indicates if the agent version is up to date. | boolean |
| sentinel_one.agent.last_active_date | Last active date. | date |
| sentinel_one.agent.last_ip_to_mgmt | The last IP used to connect to the Management Console. | ip |
| sentinel_one.agent.last_logged_in_user_name | Last logged-in user name. | keyword |
| sentinel_one.agent.license.key | License key. | keyword |
| sentinel_one.agent.location.enabled | Location enabled. | boolean |
| sentinel_one.agent.location.type | Reported location type. | keyword |
| sentinel_one.agent.locations.id | Location ID. | keyword |
| sentinel_one.agent.locations.name | Location name. | keyword |
| sentinel_one.agent.locations.scope | Location scope. | keyword |
| sentinel_one.agent.machine.type | Machine type. | keyword |
| sentinel_one.agent.missing_permissions | Permissions the Agent is missing. | keyword |
| sentinel_one.agent.mitigation_mode | Agent mitigation mode policy. | keyword |
| sentinel_one.agent.mitigation_mode_suspicious | Mitigation mode policy for suspicious activity. | keyword |
| sentinel_one.agent.model_name | Device model. | keyword |
| sentinel_one.agent.network_interfaces.gateway.ip | The default gateway IP. | ip |
| sentinel_one.agent.network_interfaces.gateway.mac | The default gateway MAC address. | keyword |
| sentinel_one.agent.network_interfaces.id | Interface ID. | keyword |
| sentinel_one.agent.network_interfaces.inet | IPv4 addresses. | ip |
| sentinel_one.agent.network_interfaces.inet6 | IPv6 addresses. | ip |
| sentinel_one.agent.network_interfaces.name | Interface name. | keyword |
| sentinel_one.agent.network_quarantine_enabled | Network quarantine enabled. | boolean |
| sentinel_one.agent.network_status | Agent's network connectivity status. | keyword |
| sentinel_one.agent.operational_state | Agent operational state. | keyword |
| sentinel_one.agent.operational_state_expiration | Agent operational state expiration. | keyword |
| sentinel_one.agent.os.arch | OS architecture. | keyword |
| sentinel_one.agent.os.start_time | Last boot time. | date |
| sentinel_one.agent.policy.updated_at | Policy updated at. | date |
| sentinel_one.agent.ranger.status | Is the Agent disabled as a Ranger. | keyword |
| sentinel_one.agent.ranger.version | The version of Ranger. | keyword |
| sentinel_one.agent.registered_at | Time of first registration to the Management Console (similar to createdAt). | date |
| sentinel_one.agent.remote_profiling_state | Agent remote profiling state. | keyword |
| sentinel_one.agent.remote_profiling_state_expiration | Agent remote profiling state expiration in seconds. | keyword |
| sentinel_one.agent.scan.aborted_at | Abort time of the last scan (if applicable). | date |
| sentinel_one.agent.scan.finished_at | Finish time of the last scan (if applicable). | date |
| sentinel_one.agent.scan.started_at | Start time of the last scan. | date |
| sentinel_one.agent.scan.status | Last scan status. | keyword |
| sentinel_one.agent.site.id | A reference to the containing site. | keyword |
| sentinel_one.agent.site.name | Name of the containing site. | keyword |
| sentinel_one.agent.storage.name | Storage name. | keyword |
| sentinel_one.agent.storage.type | Storage type. | keyword |
| sentinel_one.agent.tags.assigned_at | When the tag was assigned to the agent. | date |
| sentinel_one.agent.tags.assigned_by | Full name of the user who assigned the tag to the agent. | keyword |
| sentinel_one.agent.tags.assigned_by_id | ID of the user who assigned the tag to the agent. | keyword |
| sentinel_one.agent.tags.id | Tag ID. | keyword |
| sentinel_one.agent.tags.key | Tag key. | keyword |
| sentinel_one.agent.tags.value | Tag value. | keyword |
| sentinel_one.agent.threat_reboot_required | Flag indicating that the Agent has at least one threat with at least one mitigation action that needs a reboot to succeed. | boolean |
| sentinel_one.agent.total_memory | Memory size (MB). | long |
| sentinel_one.agent.user_action_needed | A list of pending user actions. | keyword |
| sentinel_one.agent.uuid | Agent's universally unique identifier. | keyword |
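Several of the agent fields above (infected, active_threats_count, network_quarantine_enabled, threat_reboot_required, allow_remote_shell, is_up_to_date, missing_permissions, last_active_date) are the ones a SOC reads together when deciding whether an endpoint needs attention. The following is an added example, not part of the integration or of SentinelOne's API: it runs a posture check over normalized agent documents (the sentinel_one.agent object shown in the sample event) and returns finding codes that could drive an alert. The documents, thresholds, finding codes and severity labels are constructed for the example; host "user-test" mirrors the sample event above and "build-01" is invented.

```python
"""Fleet posture triage over normalized SentinelOne agent documents.
Added example, not part of the integration; the agent documents, thresholds
and severity labels below are constructed for illustration."""
from datetime import datetime, timedelta, timezone

# Constructed agent documents shaped like the sentinel_one.agent object above.
FLEET = [
    {"host": {"name": "user-test"}, "sentinel_one": {"agent": {  # mirrors the sample event
        "active_threats_count": 7, "allow_remote_shell": True,
        "firewall_enabled": True, "in_remote_shell_session": False,
        "infected": True, "is_decommissioned": False, "is_up_to_date": True,
        "last_active_date": "2022-03-17T09:51:28.506Z",
        "missing_permissions": ["user-action-needed-bluetooth-per", "user_action_needed_fda"],
        "network_quarantine_enabled": False, "scan": {"status": "finished"},
        "threat_reboot_required": False, "user_action_needed": ["reboot_needed"],
    }}},
    {"host": {"name": "build-01"}, "sentinel_one": {"agent": {  # invented, mostly healthy host
        "active_threats_count": 0, "allow_remote_shell": False,
        "firewall_enabled": True, "in_remote_shell_session": False,
        "infected": False, "is_decommissioned": False, "is_up_to_date": False,
        "last_active_date": "2022-04-07T08:00:00.000Z",
        "missing_permissions": [], "network_quarantine_enabled": False,
        "scan": {"status": "finished"}, "threat_reboot_required": False,
        "user_action_needed": [],
    }}},
]

# Evaluation time pinned to the sample event's @timestamp so results are reproducible.
REFERENCE_TIME = datetime(2022, 4, 7, 8, 31, 47, tzinfo=timezone.utc)
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def parse_ecs_date(value: str) -> datetime:
    """Parse an ECS date string such as 2022-03-17T09:51:28.506Z as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_agent(doc: dict, now: datetime, stale_after: timedelta = timedelta(days=7)) -> list:
    """Return (severity, code) findings for one normalized agent document."""
    a = doc["sentinel_one"]["agent"]
    findings = []
    if a.get("is_decommissioned"):
        return findings  # retired agents are inventory noise, not posture findings
    # Active threats on a host that is not network-quarantined come first.
    if a.get("infected") or a.get("active_threats_count", 0) > 0:
        if a.get("network_quarantine_enabled"):
            findings.append(("high", "active_threats_quarantined"))
        else:
            findings.append(("critical", "active_threats_not_quarantined"))
    if a.get("threat_reboot_required"):
        findings.append(("high", "mitigation_pending_reboot"))
    if a.get("user_action_needed"):
        findings.append(("medium", "user_action_pending"))
    if not a.get("firewall_enabled", True):
        findings.append(("medium", "firewall_disabled"))
    if not a.get("is_up_to_date", True):
        findings.append(("medium", "agent_outdated"))
    if a.get("in_remote_shell_session"):
        findings.append(("medium", "remote_shell_session_active"))
    elif a.get("allow_remote_shell"):
        findings.append(("low", "remote_shell_policy_enabled"))  # confirm it is intended
    if a.get("missing_permissions"):
        findings.append(("medium", "missing_permissions"))
    if a.get("scan", {}).get("status") != "finished":
        findings.append(("low", "last_scan_not_finished"))
    last_active = a.get("last_active_date")
    if last_active and now - parse_ecs_date(last_active) > stale_after:
        findings.append(("medium", "agent_stale"))  # coverage gap: agent not checking in
    return findings


def highest_severity(findings: list) -> str:
    """Overall severity of a finding list, or "none" when it is empty."""
    return max((sev for sev, _ in findings), key=SEVERITY_RANK.get, default="none")


def triage_fleet(docs: list, now: datetime) -> dict:
    """Map host name -> findings for every document."""
    return {d["host"]["name"]: triage_agent(d, now) for d in docs}


if __name__ == "__main__":
    for host, found in triage_fleet(FLEET, REFERENCE_TIME).items():
        print(host, highest_severity(found), found)
```

For the sample host the check reports a critical finding (seven active threats, network quarantine disabled) plus the stale last_active_date, the pending user action, the missing permissions and the remote-shell policy; the invented host only reports an outdated agent. In production the same logic would run over documents queried from the sentinel_one.agent data stream rather than the inline list.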

alert

This is the alert dataset.

An example event for alert looks as follows:

{
    "@timestamp": "2018-02-27T04:49:26.257Z",
    "agent": {
        "ephemeral_id": "5076489f-5b52-4bc8-a887-13206a7b5ebd",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "container": {
        "id": "string",
        "image": {
            "name": "string"
        },
        "name": "string"
    },
    "data_stream": {
        "dataset": "sentinel_one.alert",
        "namespace": "68976",
        "type": "logs"
    },
    "destination": {
        "ip": "81.2.69.144",
        "port": 1234
    },
    "dll": {
        "hash": {
            "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"
        },
        "path": "string"
    },
    "dns": {
        "question": {
            "name": "string"
        }
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "malware"
        ],
        "created": "2024-06-12T03:23:40.343Z",
        "dataset": "sentinel_one.alert",
        "id": "123456789123456789",
        "ingested": "2024-06-12T03:23:52Z",
        "kind": "event",
        "original": "{\"agentDetectionInfo\":{\"machineType\":\"string\",\"name\":\"string\",\"osFamily\":\"string\",\"osName\":\"string\",\"osRevision\":\"string\",\"siteId\":\"123456789123456789\",\"uuid\":\"string\",\"version\":\"3.x.x.x\"},\"alertInfo\":{\"alertId\":\"123456789123456789\",\"analystVerdict\":\"string\",\"createdAt\":\"2018-02-27T04:49:26.257525Z\",\"dnsRequest\":\"string\",\"dnsResponse\":\"string\",\"dstIp\":\"81.2.69.144\",\"dstPort\":\"1234\",\"dvEventId\":\"string\",\"eventType\":\"info\",\"hitType\":\"Events\",\"incidentStatus\":\"string\",\"indicatorCategory\":\"string\",\"indicatorDescription\":\"string\",\"indicatorName\":\"string\",\"loginAccountDomain\":\"string\",\"loginAccountSid\":\"string\",\"loginIsAdministratorEquivalent\":\"string\",\"loginIsSuccessful\":\"string\",\"loginType\":\"string\",\"loginsUserName\":\"string\",\"modulePath\":\"string\",\"moduleSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"netEventDirection\":\"string\",\"registryKeyPath\":\"string\",\"registryOldValue\":\"string\",\"registryOldValueType\":\"string\",\"registryPath\":\"string\",\"registryValue\":\"string\",\"reportedAt\":\"2018-02-27T04:49:26.257525Z\",\"source\":\"string\",\"srcIp\":\"81.2.69.142\",\"srcMachineIp\":\"81.2.69.142\",\"srcPort\":\"1234\",\"tiIndicatorComparisonMethod\":\"string\",\"tiIndicatorSource\":\"string\",\"tiIndicatorType\":\"string\",\"tiIndicatorValue\":\"string\",\"updatedAt\":\"2018-02-27T04:49:26.257525Z\"},\"containerInfo\":{\"id\":\"string\",\"image\":\"string\",\"labels\":\"string\",\"name\":\"string\"},\"kubernetesInfo\":{\"cluster\":\"string\",\"controllerKind\":\"string\",\"controllerLabels\":\"string\",\"controllerName\":\"string\",\"namespace\":\"string\",\"namespaceLabels\":\"string\",\"node\":\"string\",\"pod\":\"string\",\"podLabels\":\"string\"},\"ruleInfo\":{\"description\":\"string\",\"id\":\"string\",\"name\":\"string\",\"scopeLevel\":\"string\",\"severity\":\"Low\",\"treatAsThreat\":\"UNDEFINED\"},\"sourceParentProcessInfo\":{\"commandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"sourceProcessInfo\":{\"commandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"targetProcessInfo\":{\"tgtFileCreatedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"tgtFileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"tgtFileId\":\"string\",\"tgtFileIsSigned\":\"string\",\"tgtFileModifiedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileOldPath\":\"string\",\"tgtFilePath\":\"string\",\"tgtProcCmdLine\":\"string\",\"tgtProcImagePath\":\"string\",\"tgtProcIntegrityLevel\":\"unknown\",\"tgtProcName\":\"string\",\"tgtProcPid\":\"12345\",\"tgtProcSignedStatus\":\"string\",\"tgtProcStorylineId\":\"string\",\"tgtProcUid\":\"string\",\"tgtProcessStartTime\":\"2018-02-27T04:49:26.257525Z\"}}",
        "type": [
            "info"
        ]
    },
    "file": {
        "created": "2018-02-27T04:49:26.257Z",
        "mtime": "2018-02-27T04:49:26.257Z"
    },
    "host": {
        "ip": [
            "81.2.69.142"
        ],
        "name": "string",
        "os": {
            "family": "string",
            "name": "string",
            "version": "string"
        },
        "type": "string"
    },
    "input": {
        "type": "httpjson"
    },
    "observer": {
        "serial_number": "string",
        "version": "3.x.x.x"
    },
    "orchestrator": {
        "cluster": {
            "name": "string"
        },
        "namespace": "string"
    },
    "process": {
        "code_signature": {
            "signing_id": "string"
        },
        "command_line": "string",
        "entity_id": "string",
        "executable": "string",
        "hash": {
            "md5": "5d41402abc4b2a76b9719d911017c592",
            "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d",
            "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
        },
        "name": "string",
        "parent": {
            "code_signature": {
                "signing_id": "string"
            },
            "command_line": "string",
            "entity_id": "string",
            "executable": "string",
            "hash": {
                "md5": "5d41402abc4b2a76b9719d911017c592",
                "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d",
                "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
            },
            "name": "string",
            "pid": 12345,
            "start": "2018-02-27T04:49:26.257Z",
            "user": {
                "name": "string"
            }
        },
        "pid": 12345,
        "start": "2018-02-27T04:49:26.257Z",
        "user": {
            "name": "string"
        }
    },
    "registry": {
        "key": "string",
        "path": "string",
        "value": "string"
    },
    "related": {
        "hash": [
            "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d",
            "5d41402abc4b2a76b9719d911017c592",
            "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
        ],
        "hosts": [
            "string"
        ],
        "ip": [
            "81.2.69.142",
            "81.2.69.144"
        ],
        "user": [
            "string"
        ]
    },
    "rule": {
        "description": "string",
        "id": "string",
        "name": "string"
    },
    "sentinel_one": {
        "alert": {
            "agent": {
                "site_id": "123456789123456789"
            },
            "analyst_verdict": "string",
            "container": {
                "info": {
                    "labels": "string"
                }
            },
            "dv_event": {
                "id": "string"
            },
            "info": {
                "dns": {
                    "response": "string"
                },
                "event_type": "info",
                "hit": {
                    "type": "Events"
                },
                "indicator": {
                    "category": "string",
                    "description": "string",
                    "name": "string"
                },
                "login": {
                    "account": {
                        "sid": "string"
                    },
                    "is_administrator": "string",
                    "is_successful": "string",
                    "type": "string"
                },
                "registry": {
                    "old_value": "string",
                    "old_value_type": "string"
                },
                "reported_at": "2018-02-27T04:49:26.257Z",
                "source": "string",
                "status": "string",
                "ti_indicator": {
                    "comparison_method": "string",
                    "source": "string",
                    "type": "string",
                    "value": "string"
                },
                "updated_at": "2018-02-27T04:49:26.257Z"
            },
            "kubernetes": {
                "controller": {
                    "kind": "string",
                    "labels": "string",
                    "name": "string"
                },
                "namespace": {
                    "labels": "string"
                },
                "node": "string",
                "pod": {
                    "labels": "string",
                    "name": "string"
                }
            },
            "process": {
                "integrity_level": "unknown",
                "parent": {
                    "integrity_level": "unknown",
                    "storyline": "string",
                    "subsystem": "unknown"
                },
                "storyline": "string",
                "subsystem": "unknown"
            },
            "rule": {
                "scope_level": "string",
                "severity": "Low",
                "treat_as_threat": "UNDEFINED"
            },
            "target": {
                "process": {
                    "file": {
                        "hash": {
                            "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d",
                            "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
                        },
                        "id": "string",
                        "is_signed": "string",
                        "old_path": "string",
                        "path": "string"
                    },
                    "proc": {
                        "cmdline": "string",
                        "image_path": "string",
                        "integrity_level": "unknown",
                        "name": "string",
                        "pid": 12345,
                        "signed_status": "string",
                        "storyline_id": "string",
                        "uid": "string"
                    },
                    "start_time": "2018-02-27T04:49:26.257Z"
                }
            }
        }
    },
    "source": {
        "ip": "81.2.69.142",
        "port": 1234
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "sentinel_one-alert"
    ],
    "user": {
        "domain": "string",
        "name": "string"
    }
}

Exported fields

| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| cloud.image.id | Image ID for the cloud instance. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset. | constant_keyword |
| event.module | Event module. | constant_keyword |
| host.containerized | If the host is a container. | boolean |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| input.type | Input type. | keyword |
| log.offset | Log offset. | long |
| log.source.address | Source address from which the log event was read / sent from. | keyword |
| sentinel_one.alert.agent.computer_name | Computer distinguished name. | keyword |
| sentinel_one.alert.agent.id | Agent ID. | keyword |
| sentinel_one.alert.agent.infected | Agent infected. | boolean |
| sentinel_one.alert.agent.is_active | Is active. | boolean |
| sentinel_one.alert.agent.is_decommissioned | Is decommissioned. | boolean |
| sentinel_one.alert.agent.machine_type | Machine type. | keyword |
| sentinel_one.alert.agent.os.type | OS type. | keyword |
| sentinel_one.alert.agent.site_id | Site id. | keyword |
| sentinel_one.alert.analyst_verdict | Analyst verdict. | keyword |
| sentinel_one.alert.container.info.labels | Container info labels. | keyword |
| sentinel_one.alert.dv_event.id | DV event id. | keyword |
| sentinel_one.alert.info.dns.response | IP address, DNS, type, etc. in response. | keyword |
| sentinel_one.alert.info.event_type | Event type. | keyword |
| sentinel_one.alert.info.hit.type | Type of hit reported from agent. | keyword |
| sentinel_one.alert.info.indicator.category | Indicator categories for this process. | keyword |
| sentinel_one.alert.info.indicator.description | Indicator description. | keyword |
| sentinel_one.alert.info.indicator.name | Indicator names for this process. | keyword |
| sentinel_one.alert.info.login.account.sid | SID of the account that attempted to login. | keyword |
| sentinel_one.alert.info.login.is_administrator | Is the login attempt administrator equivalent. | keyword |
| sentinel_one.alert.info.login.is_successful | Was the login attempt successful. | keyword |
| sentinel_one.alert.info.login.type | Type of login which was performed. | keyword |
| sentinel_one.alert.info.registry.old_value | Registry previous value (in case of modification). | keyword |
| sentinel_one.alert.info.registry.old_value_type | Registry previous value type (in case of modification). | keyword |
| sentinel_one.alert.info.reported_at | Timestamp of alert creation in STAR. | date |
| sentinel_one.alert.info.source | Source reported from agent. | keyword |
| sentinel_one.alert.info.status | Incident status. | keyword |
| sentinel_one.alert.info.ti_indicator.comparison_method | The comparison method used by SentinelOne to trigger the event. | keyword |
| sentinel_one.alert.info.ti_indicator.source | The value of the identified Threat Intelligence indicator. | keyword |
| sentinel_one.alert.info.ti_indicator.type | The type of the identified Threat Intelligence indicator. | keyword |
| sentinel_one.alert.info.ti_indicator.value | The value of the identified Threat Intelligence indicator. | keyword |
| sentinel_one.alert.info.updated_at | Date of alert updated in Star MMS. | date |
| sentinel_one.alert.kubernetes.controller.kind | Controller kind. | keyword |
| sentinel_one.alert.kubernetes.controller.labels | Controller labels. | keyword |
| sentinel_one.alert.kubernetes.controller.name | Controller name. | keyword |
| sentinel_one.alert.kubernetes.namespace.labels | Namespace labels. | keyword |
| sentinel_one.alert.kubernetes.node | Node. | keyword |
| sentinel_one.alert.kubernetes.pod.labels | Pod labels. | keyword |
| sentinel_one.alert.kubernetes.pod.name | Pod name. | keyword |
| sentinel_one.alert.process.integrity_level | Integrity level. | keyword |
| sentinel_one.alert.process.parent.integrity_level | Integrity level. | keyword |
| sentinel_one.alert.process.parent.storyline | StoryLine. | keyword |
| sentinel_one.alert.process.parent.subsystem | Subsystem. | keyword |
| sentinel_one.alert.process.storyline | StoryLine. | keyword |
| sentinel_one.alert.process.subsystem | Subsystem. | keyword |
| sentinel_one.alert.rule.scope_level | Scope level. | keyword |
| sentinel_one.alert.rule.severity | Rule severity. | keyword |
| sentinel_one.alert.rule.treat_as_threat | Rule treat as threat type. | keyword |
| sentinel_one.alert.target.process.file.hash.sha1 | SHA1 Signature of File. | keyword |
| sentinel_one.alert.target.process.file.hash.sha256 | SHA256 Signature of File. | keyword |
| sentinel_one.alert.target.process.file.id | Unique ID of file. | keyword |
| sentinel_one.alert.target.process.file.is_signed | Is file signed. | keyword |
| sentinel_one.alert.target.process.file.old_path | Old path before 'Rename'. | keyword |
| sentinel_one.alert.target.process.file.path | Path and filename. | keyword |
| sentinel_one.alert.target.process.proc.cmdline | Target Process Command Line. | keyword |
| sentinel_one.alert.target.process.proc.image_path | Target Process Image path. | keyword |
| sentinel_one.alert.target.process.proc.integrity_level | Integrity level of target process. | keyword |
| sentinel_one.alert.target.process.proc.name | Target Process Name. | keyword |
| sentinel_one.alert.target.process.proc.pid | Target Process ID (PID). | long |
| sentinel_one.alert.target.process.proc.signed_status | Target Process Signed Status. | keyword |
| sentinel_one.alert.target.process.proc.storyline_id | Target Process StoryLine ID. | keyword |
| sentinel_one.alert.target.process.proc.uid | Target Process Unique ID. | keyword |
| sentinel_one.alert.target.process.start_time | Target Process Start Time. | date |

group

This is the group dataset.

An example event for group looks as follows:

{
    "@timestamp": "2022-04-05T16:01:57.564Z",
    "agent": {
        "ephemeral_id": "99777f03-5c73-4831-b833-2489562ef8fb",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "sentinel_one.group",
        "namespace": "81222",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "iam"
        ],
        "created": "2024-06-12T03:24:33.387Z",
        "dataset": "sentinel_one.group",
        "ingested": "2024-06-12T03:24:45Z",
        "kind": "event",
        "original": "{\"createdAt\":\"2022-04-05T16:01:56.928383Z\",\"creator\":\"Test User\",\"creatorId\":\"1234567890123456789\",\"filterId\":null,\"filterName\":null,\"id\":\"1234567890123456789\",\"inherits\":true,\"isDefault\":true,\"name\":\"Default Group\",\"rank\":null,\"registrationToken\":\"eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=\",\"siteId\":\"1234567890123456789\",\"totalAgents\":1,\"type\":\"static\",\"updatedAt\":\"2022-04-05T16:01:57.564266Z\"}",
        "type": [
            "info"
        ]
    },
    "group": {
        "id": "1234567890123456789",
        "name": "Default Group"
    },
    "input": {
        "type": "httpjson"
    },
    "related": {
        "user": [
            "Test User"
        ]
    },
    "sentinel_one": {
        "group": {
            "agent": {
                "count": 1
            },
            "created_at": "2022-04-05T16:01:56.928Z",
            "creator": {
                "id": "1234567890123456789"
            },
            "inherits": true,
            "is_default": true,
            "registration_token": "eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=",
            "site": {
                "id": "1234567890123456789"
            },
            "type": "static"
        }
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "sentinel_one-group"
    ],
    "user": {
        "full_name": "Test User"
    }
}

Exported fields

| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| cloud.image.id | Image ID for the cloud instance. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset. | constant_keyword |
| event.module | Event module. | constant_keyword |
| host.containerized | If the host is a container. | boolean |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| input.type | Input type. | keyword |
| log.offset | Log offset. | long |
| log.source.address | Source address from which the log event was read / sent from. | keyword |
| sentinel_one.group.agent.count | | long |
| sentinel_one.group.created_at | | date |
| sentinel_one.group.creator.id | | keyword |
| sentinel_one.group.filter.id | | keyword |
| sentinel_one.group.filter.name | | keyword |
| sentinel_one.group.inherits | | boolean |
| sentinel_one.group.is_default | | boolean |
| sentinel_one.group.rank | | long |
| sentinel_one.group.registration_token | | keyword |
| sentinel_one.group.site.id | | keyword |
| sentinel_one.group.type | | keyword |

threat

This is the threat dataset.

An example event for threat looks as follows:

{
    "@timestamp": "2022-04-06T08:54:17.194Z",
    "agent": {
        "ephemeral_id": "a2264e16-9431-4dd9-9e8a-6209c36c3c1e",
        "id": "59bbe264-6d1c-48b7-9f6a-f2172d817ded",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "sentinel_one.threat",
        "namespace": "80468",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "59bbe264-6d1c-48b7-9f6a-f2172d817ded",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "action": "SentinelOne Cloud",
        "agent_id_status": "verified",
        "category": [
            "malware"
        ],
        "created": "2024-06-18T21:22:32.743Z",
        "dataset": "sentinel_one.threat",
        "id": "1234567890123456789",
        "ingested": "2024-06-18T21:22:44Z",
        "kind": "alert",
        "original": "{\"agentDetectionInfo\":{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"agentDetectionState\":null,\"agentDomain\":\"WORKGROUP\",\"agentIpV4\":\"10.0.0.1\",\"agentIpV6\":\"2a02:cf40::\",\"agentLastLoggedInUpn\":null,\"agentLastLoggedInUserMail\":null,\"agentLastLoggedInUserName\":\"\",\"agentMitigationMode\":\"protect\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentRegisteredAt\":\"2022-04-06T08:26:45.515278Z\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x\",\"cloudProviders\":{},\"externalIp\":\"81.2.69.143\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\"},\"agentRealtimeInfo\":{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activeThreats\":7,\"agentComputerName\":\"test-LINUX\",\"agentDecommissionedAt\":null,\"agentDomain\":\"WORKGROUP\",\"agentId\":\"1234567890123456789\",\"agentInfected\":true,\"agentIsActive\":true,\"agentIsDecommissioned\":false,\"agentMachineType\":\"server\",\"agentMitigationMode\":\"detect\",\"agentNetworkStatus\":\"connected\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentOsType\":\"linux\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x.1234\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"networkInterfaces\":[{\"id\":\"1234567890123456789\",\"inet\":[\"10.0.0.1\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"DE:AD:00:00:BE:EF\"}],\"operationalState\":\"na\",\"rebootRequired\":false,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"storageName\":null,\"storageType\":null,\"userActionsNeeded\":[]},\"containerInfo\":{\"id\":null,\"image\":null,\"labels\":null,\"name\":null},\"id\":\"1234567890123456789\",\"indicators\":[],\"kubernetesInfo\":{\"cluster\":null,\"controllerKind\":null,\"controllerLabels\":null,\"controllerName\":null,\"namespace\":null,\"namespaceLabels\":null,\"node\":null,\"pod\":null,\"podLabels\":null},\"mitigationStatus\":[{\"action\":\"unquarantine\",\"actionsCounters\":{\"failed\":0,\"notFound\":0,\"pendingReboot\":0,\"success\":1,\"total\":1},\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:54:17.198002Z\",\"latestReport\":\"/threats/mitigation-report\",\"mitigationEndedAt\":\"2022-04-06T08:54:17.101000Z\",\"mitigationStartedAt\":\"2022-04-06T08:54:17.101000Z\",\"status\":\"success\"},{\"action\":\"kill\",\"actionsCounters\":null,\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:45:55.303355Z\",\"latestReport\":null,\"mitigationEndedAt\":\"2022-04-06T08:45:55.297364Z\",\"mitigationStartedAt\":\"2022-04-06T08:45:55.297363Z\",\"status\":\"success\"}],\"threatInfo\":{\"analystVerdict\":\"undefined\",\"analystVerdictDescription\":\"Undefined\",\"automaticallyResolved\":false,\"browserType\":null,\"certificateId\":\"\",\"classification\":\"Trojan\",\"classificationSource\":\"Cloud\",\"cloudFilesHashVerdict\":\"black\",\"collectionId\":\"1234567890123456789\",\"confidenceLevel\":\"malicious\",\"createdAt\":\"2022-04-06T08:45:54.519988Z\",\"detectionEngines\":[{\"key\":\"sentinelone_cloud\",\"title\":\"SentinelOne Cloud\"}],\"detectionType\":\"static\",\"engines\":[\"SentinelOne Cloud\"],\"externalTicketExists\":false,\"externalTicketId\":null,\"failedActions\":false,\"fileExtension\":\"EXE\",\"fileExtensionType\":\"Executable\",\"filePath\":\"default.exe\",\"fileSize\":1234,\"fileVerificationType\":\"NotSigned\",\"identifiedAt\":\"2022-04-06T08:45:53.968000Z\",\"incidentStatus\":\"unresolved\",\"incidentStatusDescription\":\"Unresolved\",\"initiatedBy\":\"agent_policy\",\"initiatedByDescription\":\"Agent Policy\",\"initiatingUserId\":null,\"initiatingUsername\":null,\"isFileless\":false,\"isValidCertificate\":false,\"maliciousProcessArguments\":null,\"md5\":null,\"mitigatedPreemptively\":false,\"mitigationStatus\":\"not_mitigated\",\"mitigationStatusDescription\":\"Not mitigated\",\"originatorProcess\":\"default.exe\",\"pendingActions\":false,\"processUser\":\"test user\",\"publisherName\":\"\",\"reachedEventsLimit\":false,\"rebootRequired\":false,\"sha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"sha256\":null,\"storyline\":\"D0XXXXXXXXXXAF4D\",\"threatId\":\"1234567890123456789\",\"threatName\":\"default.exe\",\"updatedAt\":\"2022-04-06T08:54:17.194122Z\"},\"whiteningOptions\":[\"hash\"]}",
        "type": [
            "info"
        ]
    },
    "host": {
        "domain": "WORKGROUP",
        "geo": {
            "city_name": "London",
            "continent_name": "Europe",
            "country_iso_code": "GB",
            "country_name": "United Kingdom",
            "location": {
                "lat": 51.5142,
                "lon": -0.0931
            },
            "region_iso_code": "GB-ENG",
            "region_name": "England"
        },
        "id": "1234567890123456789",
        "ip": [
            "81.2.69.143"
        ],
        "mac": [
            "DE-AD-00-00-BE-EF"
        ],
        "name": "test-LINUX",
        "os": {
            "name": "linux",
            "type": "linux"
        }
    },
    "input": {
        "type": "httpjson"
    },
    "observer": {
        "version": "21.x.x.1234"
    },
    "process": {
        "name": "default.exe"
    },
    "related": {
        "hash": [
            "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"
        ],
        "hosts": [
            "test-LINUX"
        ],
        "ip": [
            "10.0.0.1",
            "2a02:cf40::",
            "81.2.69.143",
            "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
        ],
        "user": [
            "test user"
        ]
    },
    "sentinel_one": {
        "threat": {
            "agent": {
                "account": {
                    "id": "1234567890123456789",
                    "name": "Default"
                },
                "active_threats": 7,
                "group": {
                    "id": "1234567890123456789",
                    "name": "Default Group"
                },
                "id": "1234567890123456789",
                "infected": true,
                "is_active": true,
                "is_decommissioned": false,
                "machine_type": "server",
                "mitigation_mode": "detect",
                "network_interface": [
                    {
                        "id": "1234567890123456789",
                        "inet": [
                            "10.0.0.1"
                        ],
                        "inet6": [
                            "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
                        ],
                        "name": "Ethernet"
                    }
                ],
                "network_status": "connected",
                "operational_state": "na",
                "os": {
                    "version": "1234"
                },
                "reboot_required": false,
                "scan": {
                    "finished_at": "2022-04-06T09:18:21.090Z",
                    "started_at": "2022-04-06T08:26:52.838Z",
                    "status": "finished"
                },
                "site": {
                    "id": "1234567890123456789",
                    "name": "Default site"
                },
                "uuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx"
            },
            "analysis": {
                "description": "Undefined",
                "verdict": "undefined"
            },
            "automatically_resolved": false,
            "classification": "Trojan",
            "classification_source": "Cloud",
            "cloudfiles_hash_verdict": "black",
            "collection": {
                "id": "1234567890123456789"
            },
            "confidence_level": "malicious",
            "created_at": "2022-04-06T08:45:54.519Z",
            "detection": {
                "account": {
                    "id": "1234567890123456789",
                    "name": "Default"
                },
                "agent": {
                    "domain": "WORKGROUP",
                    "group": {
                        "id": "1234567890123456789",
                        "name": "Default Group"
                    },
                    "ipv4": "10.0.0.1",
                    "ipv6": "2a02:cf40::",
                    "mitigation_mode": "protect",
                    "os": {
                        "name": "linux",
                        "version": "1234"
                    },
                    "registered_at": "2022-04-06T08:26:45.515Z",
                    "site": {
                        "id": "1234567890123456789",
                        "name": "Default site"
                    },
                    "uuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx",
                    "version": "21.x.x"
                },
                "engines": [
                    {
                        "key": "sentinelone_cloud",
                        "title": "SentinelOne Cloud"
                    }
                ],
                "type": "static"
            },
            "engines": [
                "SentinelOne Cloud"
            ],
            "external_ticket": {
                "exist": false
            },
            "failed_actions": false,
            "file": {
                "extension": {
                    "type": "Executable"
                },
                "identified_at": "2022-04-06T08:45:53.968Z",
                "verification_type": "NotSigned"
            },
            "id": "1234567890123456789",
            "incident": {
                "status": "unresolved",
                "status_description": "Unresolved"
            },
            "initiated": {
                "description": "Agent Policy",
                "name": "agent_policy"
            },
            "is_fileless": false,
            "is_valid_certificate": false,
            "mitigated_preemptively": false,
            "mitigation": {
                "description": "Not mitigated",
                "status": "not_mitigated"
            },
            "mitigation_status": [
                {
                    "action": "unquarantine",
                    "action_counters": {
                        "failed": 0,
                        "not_found": 0,
                        "pending_reboot": 0,
                        "success": 1,
                        "total": 1
                    },
                    "agent_supports_report": true,
                    "group_not_found": false,
                    "last_update": "2022-04-06T08:54:17.198Z",
                    "latest_report": "/threats/mitigation-report",
                    "mitigation_ended_at": "2022-04-06T08:54:17.101Z",
                    "mitigation_started_at": "2022-04-06T08:54:17.101Z",
                    "status": "success"
                },
                {
                    "action": "kill",
                    "agent_supports_report": true,
                    "group_not_found": false,
                    "last_update": "2022-04-06T08:45:55.303Z",
                    "mitigation_ended_at": "2022-04-06T08:45:55.297Z",
                    "mitigation_started_at": "2022-04-06T08:45:55.297Z",
                    "status": "success"
                }
            ],
            "name": "default.exe",
            "originator_process": "default.exe",
            "pending_actions": false,
            "process_user": "test user",
            "reached_events_limit": false,
            "reboot_required": false,
            "storyline": "D0XXXXXXXXXXAF4D",
            "threat_id": "1234567890123456789",
            "whitening_option": [
                "hash"
            ]
        }
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "sentinel_one-threat"
    ],
    "threat": {
        "indicator": {
            "file": {
                "extension": "EXE",
                "hash": {
                    "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"
                },
                "path": "default.exe",
                "size": 1234
            }
        }
    }
}
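The sample above shows both the raw SentinelOne `/threats` document (in `event.original`) and the ECS fields derived from it. As an added illustration, not the integration's own ingest pipeline (whose processors are not reproduced here), the Python below takes a trimmed, constructed copy of that payload and derives the `related.ip`, `related.hash`, `related.hosts`, `related.user` and `host.mac` values the sample event carries. The collection order and the MAC normalisation are inferred from the sample values; `needs_attention` is a hypothetical triage helper added for this example and is not a field or function of the integration.

```python
"""Added example (not the Elastic SentinelOne integration's pipeline): derive the
ECS related.* and host.mac values seen in the sample threat event from a raw
SentinelOne threat document, and flag threats that still need analyst follow-up."""
import json

# Constructed input: a trimmed copy of the sample event's `event.original`
# payload (same values as the page; most keys omitted for brevity).
SAMPLE_THREAT_JSON = json.dumps({
    "agentDetectionInfo": {
        "agentIpV4": "10.0.0.1",
        "agentIpV6": "2a02:cf40::",
        "externalIp": "81.2.69.143",
    },
    "agentRealtimeInfo": {
        "agentComputerName": "test-LINUX",
        "networkInterfaces": [{
            "id": "1234567890123456789",
            "inet": ["10.0.0.1"],
            "inet6": ["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"],
            "name": "Ethernet",
            "physical": "DE:AD:00:00:BE:EF",
        }],
    },
    "threatInfo": {
        "confidenceLevel": "malicious",
        "mitigationStatus": "not_mitigated",
        "md5": None,
        "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d",
        "sha256": None,
        "processUser": "test user",
        "threatName": "default.exe",
    },
})


def _dedupe(values):
    """Keep the first occurrence of each non-empty value, in order.

    ECS related.* fields are sets: the same IP reported by agentIpV4 and by a
    network interface must appear once, which is what the sample event shows."""
    out = []
    for v in values:
        if v and v not in out:
            out.append(v)
    return out


def ecs_mac(mac):
    """ECS stores MAC addresses upper-case and hyphen-separated (DE-AD-00-00-BE-EF),
    while SentinelOne reports them colon-separated."""
    return mac.upper().replace(":", "-")


def related_fields(original):
    """Build the ECS pivot fields from a raw SentinelOne threat document (JSON string).

    Hashes and addresses are gathered from every nested location so that a single
    query on related.ip or related.hash can pivot across data sources."""
    doc = json.loads(original)
    det = doc.get("agentDetectionInfo") or {}
    rt = doc.get("agentRealtimeInfo") or {}
    ti = doc.get("threatInfo") or {}

    ips = [det.get("agentIpV4"), det.get("agentIpV6"), det.get("externalIp")]
    macs = []
    for nic in rt.get("networkInterfaces") or []:
        ips.extend(nic.get("inet") or [])
        ips.extend(nic.get("inet6") or [])
        if nic.get("physical"):
            macs.append(ecs_mac(nic["physical"]))

    return {
        "related.ip": _dedupe(ips),
        # md5/sha256 are null in the sample, so only the sha1 survives.
        "related.hash": _dedupe([ti.get("md5"), ti.get("sha1"), ti.get("sha256")]),
        "related.hosts": _dedupe([rt.get("agentComputerName")]),
        "related.user": _dedupe([ti.get("processUser")]),
        "host.mac": _dedupe(macs),
    }


def needs_attention(original):
    """Hypothetical triage rule: SentinelOne rates the file malicious, but the
    threat-level mitigation status is still not_mitigated (as in the sample)."""
    ti = json.loads(original).get("threatInfo") or {}
    return (ti.get("confidenceLevel") == "malicious"
            and ti.get("mitigationStatus") == "not_mitigated")


if __name__ == "__main__":
    print(json.dumps(related_fields(SAMPLE_THREAT_JSON), indent=2))
    print("needs attention:", needs_attention(SAMPLE_THREAT_JSON))
```

Note that the per-action `mitigationStatus` array in the sample reports both the `kill` and the `unquarantine` action as `success`, while the threat-level `threatInfo.mitigationStatus` is `not_mitigated`; a triage check should read the threat-level field rather than assume that any successful action closes the incident.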

Exported fields

FieldDescriptionType
@timestamp
Event timestamp.
date
cloud.image.id
Image ID for the cloud instance.
keyword
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
event.dataset
Event dataset.
constant_keyword
event.module
Event module.
constant_keyword
host.containerized
If the host is a container.
boolean
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
input.type
Input type
keyword
log.offset
Log offset
long
sentinel_one.threat.agent.account.id
Account id.
keyword
sentinel_one.threat.agent.account.name
Account name.
keyword
sentinel_one.threat.agent.active_threats
Active threats.
long
sentinel_one.threat.agent.decommissioned_at
Decommissioned at.
boolean
sentinel_one.threat.agent.group.id
Group id.
keyword
sentinel_one.threat.agent.group.name
Group name.
keyword
sentinel_one.threat.agent.id
Related agent (if applicable).
keyword
sentinel_one.threat.agent.infected
Agent infected.
boolean
sentinel_one.threat.agent.is_active
Is active.
boolean
sentinel_one.threat.agent.is_decommissioned
Is decommissioned.
boolean
sentinel_one.threat.agent.machine_type
Machine type.
keyword
sentinel_one.threat.agent.mitigation_mode
Agent mitigation mode policy.
keyword
sentinel_one.threat.agent.network_interface.id
Device's network interfaces id.
keyword
sentinel_one.threat.agent.network_interface.inet
Device's network interfaces IPv4 addresses.
keyword
sentinel_one.threat.agent.network_interface.inet6
Device's network interfaces IPv6 addresses.
keyword
sentinel_one.threat.agent.network_interface.name
Device's network interfaces IPv4 Name.
keyword
sentinel_one.threat.agent.network_status
Network status.
keyword
sentinel_one.threat.agent.operational_state
Agent operational state.
keyword
sentinel_one.threat.agent.os.version
OS revision.
keyword
sentinel_one.threat.agent.reboot_required
A reboot is required on the endpoint for at least one acton on the threat.
boolean
sentinel_one.threat.agent.scan.aborted_at
Abort time of last scan (if applicable).
keyword
sentinel_one.threat.agent.scan.finished_at
Finish time of last scan (if applicable).
keyword
sentinel_one.threat.agent.scan.started_at
Start time of last scan.
keyword
sentinel_one.threat.agent.scan.status
Scan status.
keyword
sentinel_one.threat.agent.site.id
Site id.
keyword
sentinel_one.threat.agent.site.name
Site name.
keyword
sentinel_one.threat.agent.storage.name
Storage Name.
keyword
sentinel_one.threat.agent.storage.type
Storage Type.
keyword
sentinel_one.threat.agent.user_action_needed
A list of pending user actions. List items possible values: "none, reboot_needed, user_acton_needed, upgrade_needed, incompatible_os, unprotected, user_acton_needed_fda, user_acton_needed_rs_fda,user_acton_needed_network, rebootless_without_dynamic_detection, extended_exclusions_partially_accepted, user_action_needed_bluetooth_per".
keyword
sentinel_one.threat.agent.uuid
UUID.
keyword
sentinel_one.threat.analysis.description
Analyst verdict description.
keyword
sentinel_one.threat.analysis.verdict
Analyst verdict.
keyword
sentinel_one.threat.automatically_resolved
Automatically resolved.
boolean
sentinel_one.threat.browser_type
Browser type.
keyword
sentinel_one.threat.certificate.id
File Certificate ID.
keyword
sentinel_one.threat.classification
Classification of the threat.
keyword
sentinel_one.threat.classification_source
Source of the threat Classification.
keyword
sentinel_one.threat.cloudfiles_hash_verdict
Cloud files hash verdict.
keyword
sentinel_one.threat.collection.id
Collection id.
keyword
sentinel_one.threat.confidence_level
SentinelOne threat confidence level.
keyword
sentinel_one.threat.container.labels
Container labels.
keyword
sentinel_one.threat.created_at
Timestamp of date creation in the Management Console.
date
sentinel_one.threat.detection.account.id
Orig account id.
keyword
sentinel_one.threat.detection.account.name
Orig account name.
keyword
sentinel_one.threat.detection.agent.domain
Network domain.
keyword
sentinel_one.threat.detection.agent.group.id
Orig group id.
keyword
sentinel_one.threat.detection.agent.group.name
Orig group name.
keyword
sentinel_one.threat.detection.agent.ipv4
Orig agent ipv4.
ip
sentinel_one.threat.detection.agent.ipv6
Orig agent ipv6.
ip
sentinel_one.threat.detection.agent.last_logged_in.upn
UPN of last logged in user.
keyword
sentinel_one.threat.detection.agent.mitigation_mode
Agent mitigation mode policy.
keyword
sentinel_one.threat.detection.agent.os.name
Orig agent OS name.
keyword
sentinel_one.threat.detection.agent.os.version
Orig agent OS revision.
keyword
sentinel_one.threat.detection.agent.registered_at
Time of first registration to management console.
date
sentinel_one.threat.detection.agent.site.id
Orig site id.
keyword
sentinel_one.threat.detection.agent.site.name
Orig site name.
keyword
sentinel_one.threat.detection.agent.uuid
UUID of the agent.
keyword
sentinel_one.threat.detection.agent.version
Orig agent version.
keyword
sentinel_one.threat.detection.cloud_providers
Cloud providers for this agent.
flattened
sentinel_one.threat.detection.engines.key
List of engines that detected the threat key.
keyword
sentinel_one.threat.detection.engines.title
List of engines that detected the threat title.
keyword
sentinel_one.threat.detection.state
The Agent's detection state at time of detection.
keyword
sentinel_one.threat.detection.type
Detection type.
keyword
sentinel_one.threat.engines
List of engines that detected the threat.
keyword
sentinel_one.threat.external_ticket.exist
External ticket exists.
boolean
sentinel_one.threat.external_ticket.id
External ticket id.
keyword
sentinel_one.threat.failed_actions
At least one action failed on the threat.
boolean
sentinel_one.threat.file.extension.type
File extension type.
keyword
sentinel_one.threat.file.identified_at
Identified at.
keyword
sentinel_one.threat.file.verification_type
File verification type.
keyword
sentinel_one.threat.id
Threat id.
keyword
sentinel_one.threat.incident.status
Incident status.
keyword
sentinel_one.threat.incident.status_description
Incident status description.
keyword
sentinel_one.threat.indicators.category.id
Indicators Category Id.
long
sentinel_one.threat.indicators.category.name
Indicators Category Name.
keyword
sentinel_one.threat.indicators.description
Indicators Description.
keyword
sentinel_one.threat.initiated.description
Initiated by description.
keyword
sentinel_one.threat.initiated.name
Source of threat.
keyword
sentinel_one.threat.initiating_user.id
Initiating user id.
keyword
sentinel_one.threat.initiating_user.name
Initiating user username.
keyword
sentinel_one.threat.is_fileless
Is fileless.
boolean
sentinel_one.threat.is_valid_certificate
True if the certificate is valid.
boolean
sentinel_one.threat.kubernetes.cluster
Cluster.
keyword
sentinel_one.threat.kubernetes.controller.kind
Controller kind.
keyword
sentinel_one.threat.kubernetes.controller.labels
Controller labels.
keyword
sentinel_one.threat.kubernetes.controller.name
Controller name.
keyword
sentinel_one.threat.kubernetes.namespace.labels
Namespace labels.
keyword
sentinel_one.threat.kubernetes.namespace.name
Namespace name.
keyword
sentinel_one.threat.kubernetes.node
Node.
keyword
sentinel_one.threat.kubernetes.pod.labels
Pod labels.
keyword
sentinel_one.threat.kubernetes.pod.name
Pod name.
keyword
sentinel_one.threat.malicious_process_arguments
Malicious process arguments.
keyword
sentinel_one.threat.mitigated_preemptively
True if the threat was blocked before execution.
boolean
sentinel_one.threat.mitigation.description
Mitigation status description.
keyword
sentinel_one.threat.mitigation.status
Mitigation status.
keyword
sentinel_one.threat.mitigation_status.action
Mitigation action.
keyword
sentinel_one.threat.mitigation_status.action_counters.failed
Action counter: failed.
long
sentinel_one.threat.mitigation_status.action_counters.not_found
Action counter: not found.
long
sentinel_one.threat.mitigation_status.action_counters.pending_reboot
Action counter: pending reboot.
long
sentinel_one.threat.mitigation_status.action_counters.success
Action counter: success.
long
sentinel_one.threat.mitigation_status.action_counters.total
Action counter: total.
long
sentinel_one.threat.mitigation_status.agent_supports_report
True if the Agent generates a full mitigation report.
boolean
sentinel_one.threat.mitigation_status.group_not_found
True if the Agent could not find the threat.
boolean
sentinel_one.threat.mitigation_status.last_update
Timestamp of last mitigation status update.
keyword
sentinel_one.threat.mitigation_status.latest_report
Report download URL. If None, there is no report.
keyword
sentinel_one.threat.mitigation_status.mitigation_ended_at
The time the Agent finished the mitigation.
keyword
sentinel_one.threat.mitigation_status.mitigation_started_at
The time the Agent started the mitigation.
keyword
sentinel_one.threat.mitigation_status.status
Mitigation status.
keyword
sentinel_one.threat.name
Threat name.
keyword
sentinel_one.threat.originator_process
Originator process.
keyword
sentinel_one.threat.pending_actions
At least one action is pending on the threat.
boolean
sentinel_one.threat.process_user
Process user.
keyword
sentinel_one.threat.publisher.name
Certificate publisher.
keyword
sentinel_one.threat.reached_events_limit
True if the number of OS events for this threat reached the limit, resulting in a partial attack storyline.
boolean
sentinel_one.threat.reboot_required
A reboot is required on the endpoint for at least one threat.
boolean
sentinel_one.threat.storyline
Storyline identifier from agent.
keyword
sentinel_one.threat.threat_id
Threat id.
keyword
sentinel_one.threat.whitening_option
Whitening options.
keyword

Changelog

Version | Details | Kibana version(s)
--- | --- | ---
1.25.1 | Bug fix: Document limitation for using the alert data stream in on-premises environments. | 8.13.0 or higher
1.25.0 | Enhancement: Add agent.* to alerts data. | 8.13.0 or higher
1.24.0 | Enhancement: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. | 8.13.0 or higher
1.23.3 | Bug fix: Fix sample event MAC address. | 8.12.0 or higher
1.23.2 | Enhancement: Change default interval to 30s for all data streams. | 8.12.0 or higher
1.23.1 | Bug fix: Fix sample event. | 8.12.0 or higher
1.23.0 | Enhancement: Make host.ip field conform to ECS field definition. | 8.12.0 or higher
1.22.0 | Enhancement: Add agent.id to all agent related data. | 8.12.0 or higher
1.21.1 | Bug fix: Fix Ingest Pipeline Error in SentinelOne Package with k8s Elastic Agent. | 8.12.0 or higher
1.21.0 | Enhancement: Improve handling of empty responses. | 8.12.0 or higher
1.20.0 | Enhancement: Set sensitive values as secret and fix incorrect mappings. | 8.12.0 or higher
1.19.2 | Enhancement: Changed owners. | 8.7.1 or higher
1.19.1 | Enhancement: Add information to README about support for response actions. | 8.7.1 or higher
1.19.0 | Enhancement: Limit request tracer log count to five. | 8.7.1 or higher
1.18.0 | Enhancement: ECS version updated to 8.11.0. | 8.7.1 or higher
1.17.0 | Enhancement: Improve 'event.original' check to avoid errors if set. | 8.7.1 or higher
1.16.1 | Bug fix: Add support for a missing field. | 8.7.1 or higher
1.16.0 | Enhancement: Update the package format_version to 3.0.0. | 8.7.1 or higher
1.15.0 | Bug fix: Correct invalid ECS field usages at root-level. | 8.7.1 or higher
1.14.0 | Enhancement: ECS version updated to 8.10.0. | 8.7.1 or higher
1.13.0 | Enhancement: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI. | 8.7.1 or higher
1.12.0 | Enhancement: Update package to ECS 8.9.0. | 8.7.1 or higher
1.11.0 | Enhancement: Convert dashboards to Lens. | 8.7.1 or higher
1.10.0 | Enhancement: Ensure event.kind is correctly set for pipeline errors. | 8.7.1 or higher
1.9.0 | Enhancement: Update package to ECS 8.8.0. | 8.7.1 or higher
1.8.0 | Enhancement: Update package-spec version to 2.7.0. | 8.7.1 or higher
1.7.0 | Enhancement: Add a new flag to enable request tracing. | 8.7.1 or higher
1.6.0 | Enhancement: Update package to ECS 8.7.0. | 7.17.0 or higher, 8.0.0 or higher
1.5.2 | Enhancement: Added categories and/or subcategories. | 7.17.0 or higher, 8.0.0 or higher
1.5.1 | Enhancement: Set event.id from SentinelOne Threat ID. | 7.17.0 or higher, 8.0.0 or higher
1.5.0 | Enhancement: Update package to ECS 8.6.0. | 7.17.0 or higher, 8.0.0 or higher
1.4.0 | Enhancement: Add an on_failure processor to the date processor and update the pagination termination condition. Bug fix: Update newValue field type in Activity data stream. | 7.17.0 or higher, 8.0.0 or higher
1.3.0 | Enhancement: Update package to ECS 8.5.0. | 7.17.0 or higher, 8.0.0 or higher
1.2.2 | Bug fix: Ensure stability of related.hash array ordering. | 7.17.0 or higher, 8.0.0 or higher
1.2.1 | Bug fix: Enrich the event.category, event.type, event.kind and event.outcome fields based on activity. | 7.17.0 or higher, 8.0.0 or higher
1.2.0 | Enhancement: Set event.kind to alert for SentinelOne threats. | 7.17.0 or higher, 8.0.0 or higher
1.1.0 | Enhancement: Update package to ECS 8.4.0. | 7.17.0 or higher, 8.0.0 or higher
1.0.0 | Enhancement: Make GA. | 7.17.0 or higher, 8.0.0 or higher
0.2.1 | Bug fix: Fix proxy URL documentation rendering. | 
0.2.0 | Enhancement: Update package to ECS 8.3.0. | 
0.1.0 | Enhancement: Initial release. | 