SentinelOne
Stack Serverless Observability Serverless Security
| Version | 1.39.0 (View all) |
| Subscription level What's this? |
Basic |
| Level of support What's this? |
Elastic |
| Ingestion method(s) | API |
The SentinelOne integration collects and parses data from SentinelOne REST APIs. This integration also offers the capability to perform response actions on SentinelOne hosts directly through the Elastic Security interface (introduced with v8.12.0). Additional configuration is required; for detailed guidance, refer to documentation.
Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to Agentless integrations and the Agentless integrations FAQ.
Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.
This module has been tested against SentinelOne Management Console API version 2.1.
To collect data from SentinelOne APIs, you must have an API token. To create an API token, follow these steps:
- Log in to the SentinelOne Management Console as an Admin.
- Navigate to Logged User Account from top right panel in the navigation bar.
- Click My User.
- In the API token section, navigate to Actions > API Token Operators > Generate API Token.
- Enter the MFA code, if enabled.
- You will see the API token on the screen.
The API token generated by the user is time-limited. To rotate a new token, log in with the dedicated admin account.
The alert data stream depends on STAR Custom Rules. STAR Custom Rules are supported in Cloud environments, but are not supported in on-premises environments. Because of this, the alert data stream is not supported in on-premises environments.
The values used in event.severity are consistent with Elastic Detection Rules.
| Severity Name | event.severity |
|---|---|
| Low | 21 |
| Medium | 47 |
| High | 73 |
| Critical | 99 |
This is the activity dataset.
Example
{
"@timestamp": "2022-04-19T05:14:08.925Z",
"agent": {
"ephemeral_id": "10175f71-9c3d-43ea-9326-e2c1fbfed4fa",
"id": "9b7ecf1c-5873-4d71-b82a-5ef8d4ac574e",
"name": "elastic-agent-48880",
"type": "filebeat",
"version": "8.18.7"
},
"data_stream": {
"dataset": "sentinel_one.activity",
"namespace": "26410",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "9b7ecf1c-5873-4d71-b82a-5ef8d4ac574e",
"snapshot": false,
"version": "8.18.7"
},
"event": {
"agent_id_status": "verified",
"category": [
"configuration"
],
"created": "2025-09-22T11:35:05.641Z",
"dataset": "sentinel_one.activity",
"ingested": "2025-09-22T11:35:08Z",
"kind": "event",
"original": "{\"accountId\":\"3214567890123456789\",\"accountName\":\"Default12\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":\"True\",\"createdAt\":\"2022-04-19T05:14:08.925421Z\",\"data\":{\"accountName\":\"Default\",\"byUser\":\"API\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"test/default\",\"groupName\":null,\"newValue\":true,\"role\":\"Level\",\"scopeLevel\":\"Account\",\"scopeName\":\"Default\",\"siteName\":null,\"userScope\":\"account\",\"username\":\"API\"},\"description\":\"API\",\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"The management user API enabled Two factor authentication on the user API.\",\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":null,\"updatedAt\":\"2022-04-18T05:14:08.922553Z\",\"userId\":\"1234567890123456789\"}",
"type": [
"info"
]
},
"input": {
"type": "httpjson"
},
"message": "The management user API enabled Two factor authentication on the user API.",
"related": {
"user": [
"API"
]
},
"sentinel_one": {
"activity": {
"account": {
"id": "3214567890123456789",
"name": "Default12"
},
"comments": "True",
"data": {
"account": {
"name": "Default"
},
"fullscope": {
"details": "Account Default",
"details_path": "test/default"
},
"new": {
"value": "true"
},
"role": "Level",
"scope": {
"level": "Account",
"name": "Default"
},
"user": {
"name": "API",
"scope": "account"
}
},
"description": {
"primary": "The management user API enabled Two factor authentication on the user API."
},
"description_value": "API",
"id": "1234567890123456789",
"type": 1234,
"updated_at": "2022-04-18T05:14:08.922Z"
}
},
"tags": [
"preserve_original_event",
"forwarded",
"sentinel_one-activity"
],
"user": {
"full_name": "API",
"id": "1234567890123456789"
}
}
Exported fields
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| cloud.image.id | Image ID for the cloud instance. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset. | constant_keyword |
| event.module | Event module. | constant_keyword |
| host.containerized | If the host is a container. | boolean |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| input.type | Input type | keyword |
| log.offset | Log offset | long |
| log.source.address | Source address from which the log event was read / sent from. | keyword |
| sentinel_one.activity.account.id | Related account ID (if applicable). | keyword |
| sentinel_one.activity.account.name | Related account name (if applicable). | keyword |
| sentinel_one.activity.agent.id | Related agent (if applicable). | keyword |
| sentinel_one.activity.comments | Comments. | keyword |
| sentinel_one.activity.data.account.id | Related account ID (if applicable). | keyword |
| sentinel_one.activity.data.account.name | Related account name (if applicable). | keyword |
| sentinel_one.activity.data.attr | Attribute. | keyword |
| sentinel_one.activity.data.changed_keys | Changed keys. | keyword |
| sentinel_one.activity.data.confidence.level | Confidence level. | keyword |
| sentinel_one.activity.data.created_at | Created time. | date |
| sentinel_one.activity.data.description | Description. | keyword |
| sentinel_one.activity.data.downloaded.url | Downloaded URL. | keyword |
| sentinel_one.activity.data.flattened | Extra activity specific data. | flattened |
| sentinel_one.activity.data.fullscope.details | fullscope details. | keyword |
| sentinel_one.activity.data.fullscope.details_path | fullscope details path. | keyword |
| sentinel_one.activity.data.global.status | Global status. | keyword |
| sentinel_one.activity.data.group | Related group (if applicable). | keyword |
| sentinel_one.activity.data.group_name | Related group name (if applicable). | keyword |
| sentinel_one.activity.data.malicious.process.arguments | Malicious process arguments. | keyword |
| sentinel_one.activity.data.new.confidence_level | New confidence level. | keyword |
| sentinel_one.activity.data.new.status | Status. | keyword |
| sentinel_one.activity.data.new.value | Value. | keyword |
| sentinel_one.activity.data.old.confidence_level | Old confidence level. | keyword |
| sentinel_one.activity.data.optionals_groups | Optionals groups. | keyword |
| sentinel_one.activity.data.original.status | Original status. | keyword |
| sentinel_one.activity.data.policy | Policy. | flattened |
| sentinel_one.activity.data.policy_name | Policy name. | keyword |
| sentinel_one.activity.data.reason | Reason. | keyword |
| sentinel_one.activity.data.role | Role. | keyword |
| sentinel_one.activity.data.role_name | Role name. | keyword |
| sentinel_one.activity.data.scope.level | Scope Level. | keyword |
| sentinel_one.activity.data.scope.name | Scope name. | keyword |
| sentinel_one.activity.data.scope_level.name | Scope level name. | keyword |
| sentinel_one.activity.data.site.name | Related site name (if applicable). | keyword |
| sentinel_one.activity.data.source | Source. | keyword |
| sentinel_one.activity.data.status | Status. | keyword |
| sentinel_one.activity.data.system | System. | boolean |
| sentinel_one.activity.data.threat.classification.name | Threat classification name. | keyword |
| sentinel_one.activity.data.threat.classification.source | Threat classification source. | keyword |
| sentinel_one.activity.data.user.name | User name. | keyword |
| sentinel_one.activity.data.user.scope | User scope. | keyword |
| sentinel_one.activity.data.uuid | UUID. | keyword |
| sentinel_one.activity.description.primary | Primary description. | keyword |
| sentinel_one.activity.description.secondary | Secondary description. | keyword |
| sentinel_one.activity.description_value | keyword | |
| sentinel_one.activity.id | Activity ID. | keyword |
| sentinel_one.activity.site.id | Related site ID (if applicable). | keyword |
| sentinel_one.activity.site.name | Related site name (if applicable). | keyword |
| sentinel_one.activity.threat.id | Related threat ID (if applicable). | keyword |
| sentinel_one.activity.type | Activity type. | long |
| sentinel_one.activity.updated_at | Activity last updated time (UTC). | date |
This is the agent dataset.
Example
{
"@timestamp": "2022-04-07T08:31:47.481Z",
"agent": {
"ephemeral_id": "e30ba73f-f169-4f6a-868b-79481d37c732",
"id": "e8901d6d-1c15-41f6-acf8-046dbbd754ce",
"name": "elastic-agent-22310",
"type": "filebeat",
"version": "8.18.7"
},
"data_stream": {
"dataset": "sentinel_one.agent",
"namespace": "13010",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "e8901d6d-1c15-41f6-acf8-046dbbd754ce",
"snapshot": false,
"version": "8.18.7"
},
"event": {
"agent_id_status": "verified",
"category": [
"host"
],
"created": "2025-09-22T11:35:56.007Z",
"dataset": "sentinel_one.agent",
"ingested": "2025-09-22T11:35:59Z",
"kind": "event",
"original": "{\"accountId\":\"892341123451234512345\",\"accountName\":\"ABC\",\"activeDirectory\":{\"computerDistinguishedName\":null,\"computerMemberOf\":[],\"lastUserDistinguishedName\":null,\"lastUserMemberOf\":[]},\"activeThreats\":7,\"agentVersion\":\"12.x.x.x\",\"allowRemoteShell\":true,\"appsVulnerabilityStatus\":\"not_applicable\",\"cloudProviders\":{},\"computerName\":\"user-test\",\"consoleMigrationStatus\":\"N/A\",\"coreCount\":2,\"cpuCount\":2,\"cpuId\":\"CPU Name\",\"createdAt\":\"2022-03-18T09:12:00.519500Z\",\"detectionState\":null,\"domain\":\"WORKGROUP\",\"encryptedApplications\":false,\"externalId\":\"\",\"externalIp\":\"81.2.69.143\",\"firewallEnabled\":true,\"firstFullModeTime\":null,\"groupId\":\"1234567890123456789\",\"groupIp\":\"81.2.69.144\",\"groupName\":\"Default Group\",\"id\":\"13491234512345\",\"inRemoteShellSession\":false,\"infected\":true,\"installerType\":\".msi\",\"isActive\":true,\"isDecommissioned\":false,\"isPendingUninstall\":false,\"isUninstalled\":false,\"isUpToDate\":true,\"lastActiveDate\":\"2022-03-17T09:51:28.506000Z\",\"lastIpToMgmt\":\"81.2.69.145\",\"lastLoggedInUserName\":\"\",\"licenseKey\":\"\",\"locationEnabled\":true,\"locationType\":\"not_applicable\",\"locations\":null,\"machineType\":\"server\",\"missingPermissions\":[\"user-action-needed-bluetooth-per\",\"user_action_needed_fda\"],\"mitigationMode\":\"detect\",\"mitigationModeSuspicious\":\"detect\",\"modelName\":\"Compute Engine\",\"networkInterfaces\":[{\"gatewayIp\":\"81.2.69.145\",\"gatewayMacAddress\":\"00-00-5E-00-53-00\",\"id\":\"1234567890123456789\",\"inet\":[\"81.2.69.144\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"00-00-5E-00-53-00\"}],\"networkQuarantineEnabled\":false,\"networkStatus\":\"connected\",\"operationalState\":\"na\",\"operationalStateExpiration\":null,\"osArch\":\"64 bit\",\"osName\":\"Linux Server\",\"osRevision\":\"1234\",\"osStartTime\":\"2022-04-06T08:27:14Z\",\"osType\":\"linux\",\"osUsername\":null,\"rangerStatus\":\"Enabled\",\"rangerVersion\":\"21.x.x.x\",\"registeredAt\":\"2022-04-06T08:26:45.515278Z\",\"remoteProfilingState\":\"disabled\",\"remoteProfilingStateExpiration\":null,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"storageName\":null,\"storageType\":null,\"tags\":{\"sentinelone\":[{\"assignedAt\":\"2018-02-27T04:49:26.257525Z\",\"assignedBy\":\"test-user\",\"assignedById\":\"123456789012345678\",\"id\":\"123456789012345678\",\"key\":\"key123\",\"value\":\"value123\"}]},\"threatRebootRequired\":false,\"totalMemory\":1234,\"updatedAt\":\"2022-04-07T08:31:47.481227Z\",\"userActionsNeeded\":[\"reboot_needed\"],\"uuid\":\"XXX35XXX8Xfb4aX0X1X8X12X343X8X30\"}",
"type": [
"info"
]
},
"group": {
"id": "1234567890123456789",
"name": "Default Group"
},
"host": {
"domain": "WORKGROUP",
"geo": {
"city_name": "London",
"continent_name": "Europe",
"country_iso_code": "GB",
"country_name": "United Kingdom",
"location": {
"lat": 51.5142,
"lon": -0.0931
},
"region_iso_code": "GB-ENG",
"region_name": "England"
},
"id": "13491234512345",
"ip": [
"81.2.69.143"
],
"mac": [
"00-00-5E-00-53-00"
],
"name": "user-test",
"os": {
"name": "Linux Server",
"type": "linux",
"version": "1234"
}
},
"input": {
"type": "httpjson"
},
"observer": {
"version": "12.x.x.x"
},
"related": {
"hosts": [
"user-test",
"WORKGROUP"
],
"ip": [
"81.2.69.143",
"81.2.69.145",
"81.2.69.144",
"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
]
},
"sentinel_one": {
"agent": {
"account": {
"id": "892341123451234512345",
"name": "ABC"
},
"active_threats_count": 7,
"agent": {
"id": "13491234512345"
},
"allow_remote_shell": true,
"apps_vulnerability_status": "not_applicable",
"console_migration_status": "N/A",
"core": {
"count": 2
},
"cpu": {
"count": 2,
"id": "CPU Name"
},
"created_at": "2022-03-18T09:12:00.519Z",
"encrypted_application": false,
"firewall_enabled": true,
"group": {
"ip": "81.2.69.144"
},
"in_remote_shell_session": false,
"infected": true,
"installer_type": ".msi",
"is_active": true,
"is_decommissioned": false,
"is_pending_uninstall": false,
"is_uninstalled": false,
"is_up_to_date": true,
"last_active_date": "2022-03-17T09:51:28.506Z",
"last_ip_to_mgmt": "81.2.69.145",
"location": {
"enabled": true,
"type": "not_applicable"
},
"machine": {
"type": "server"
},
"missing_permissions": [
"user-action-needed-bluetooth-per",
"user_action_needed_fda"
],
"mitigation_mode": "detect",
"mitigation_mode_suspicious": "detect",
"model_name": "Compute Engine",
"network_interfaces": [
{
"gateway": {
"ip": "81.2.69.145",
"mac": "00-00-5E-00-53-00"
},
"id": "1234567890123456789",
"inet": [
"81.2.69.144"
],
"inet6": [
"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
],
"name": "Ethernet"
}
],
"network_quarantine_enabled": false,
"network_status": "connected",
"operational_state": "na",
"os": {
"arch": "64 bit",
"start_time": "2022-04-06T08:27:14.000Z"
},
"ranger": {
"status": "Enabled",
"version": "21.x.x.x"
},
"registered_at": "2022-04-06T08:26:45.515Z",
"remote_profiling_state": "disabled",
"scan": {
"finished_at": "2022-04-06T09:18:21.090Z",
"started_at": "2022-04-06T08:26:52.838Z",
"status": "finished"
},
"site": {
"id": "1234567890123456789",
"name": "Default site"
},
"tags": [
{
"assigned_at": "2018-02-27T04:49:26.257Z",
"assigned_by": "test-user",
"assigned_by_id": "123456789012345678",
"id": "123456789012345678",
"key": "key123",
"value": "value123"
}
],
"threat_reboot_required": false,
"total_memory": 1234,
"user_action_needed": [
"reboot_needed"
],
"uuid": "XXX35XXX8Xfb4aX0X1X8X12X343X8X30"
}
},
"tags": [
"preserve_original_event",
"forwarded",
"sentinel_one-agent"
]
}
Exported fields
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| cloud.image.id | Image ID for the cloud instance. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset. | constant_keyword |
| event.module | Event module. | constant_keyword |
| host.containerized | If the host is a container. | boolean |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| input.type | Input type | keyword |
| log.offset | Log offset | long |
| sentinel_one.agent.account.id | A reference to the containing account. | keyword |
| sentinel_one.agent.account.name | Name of the containing account. | keyword |
| sentinel_one.agent.active_directory.computer.member_of | Computer member of. | keyword |
| sentinel_one.agent.active_directory.computer.name | Computer distinguished name. | keyword |
| sentinel_one.agent.active_directory.last_user.distinguished_name | Last user distinguished name. | keyword |
| sentinel_one.agent.active_directory.last_user.member_of | Last user member of. | keyword |
| sentinel_one.agent.active_directory.mail | Mail. | keyword |
| sentinel_one.agent.active_directory.user.principal_name | User principal name. | keyword |
| sentinel_one.agent.active_threats_count | Current number of active threats. | long |
| sentinel_one.agent.agent.id | Related agent (if applicable). | keyword |
| sentinel_one.agent.allow_remote_shell | Agent is capable and policy enabled for remote shell. | boolean |
| sentinel_one.agent.apps_vulnerability_status | Apps vulnerability status. | keyword |
| sentinel_one.agent.cloud_provider | Cloud providers for this agent. | flattened |
| sentinel_one.agent.console_migration_status | What step the agent is at in the process of migrating to another console, if any. | keyword |
| sentinel_one.agent.core.count | CPU cores. | long |
| sentinel_one.agent.cpu.count | Number of CPUs. | long |
| sentinel_one.agent.cpu.id | CPU model. | keyword |
| sentinel_one.agent.created_at | Created at. | date |
| sentinel_one.agent.detection_state | Detection State. | keyword |
| sentinel_one.agent.encrypted_application | Disk encryption status. | boolean |
| sentinel_one.agent.external.id | External ID set by customer. | keyword |
| sentinel_one.agent.firewall_enabled | Firewall enabled. | boolean |
| sentinel_one.agent.first_full_mode_time | Date of the first time the Agent moved to full or slim detection modes. | date |
| sentinel_one.agent.group.ip | Group subnet address. | keyword |
| sentinel_one.agent.group.updated_at | Group updated at. | date |
| sentinel_one.agent.in_remote_shell_session | Is the Agent in a remote shell session. | boolean |
| sentinel_one.agent.infected | Indicates if the Agent has active threats. | boolean |
| sentinel_one.agent.installer_type | Installer package type (file extension). | keyword |
| sentinel_one.agent.is_active | Indicates if the agent was recently active. | boolean |
| sentinel_one.agent.is_decommissioned | Is Agent decommissioned. | boolean |
| sentinel_one.agent.is_pending_uninstall | Agent with a pending uninstall request. | boolean |
| sentinel_one.agent.is_uninstalled | Indicates if Agent was removed from the device. | boolean |
| sentinel_one.agent.is_up_to_date | Indicates if the agent version is up to date. | boolean |
| sentinel_one.agent.last_active_date | Last active date. | date |
| sentinel_one.agent.last_ip_to_mgmt | The last IP used to connect to the Management console. | ip |
| sentinel_one.agent.last_logged_in_user_name | Last logged in user name. | keyword |
| sentinel_one.agent.license.key | License key. | keyword |
| sentinel_one.agent.location.enabled | Location enabled. | boolean |
| sentinel_one.agent.location.type | Reported location type. | keyword |
| sentinel_one.agent.locations.id | Location ID. | keyword |
| sentinel_one.agent.locations.name | Location name. | keyword |
| sentinel_one.agent.locations.scope | Location scope. | keyword |
| sentinel_one.agent.machine.type | Machine type. | keyword |
| sentinel_one.agent.missing_permissions | keyword | |
| sentinel_one.agent.mitigation_mode | Agent mitigation mode policy. | keyword |
| sentinel_one.agent.mitigation_mode_suspicious | Mitigation mode policy for suspicious activity. | keyword |
| sentinel_one.agent.model_name | Device model. | keyword |
| sentinel_one.agent.network_interfaces.gateway.ip | The default gateway ip. | ip |
| sentinel_one.agent.network_interfaces.gateway.mac | The default gateway mac address. | keyword |
| sentinel_one.agent.network_interfaces.id | Id. | keyword |
| sentinel_one.agent.network_interfaces.inet | IPv4 addresses. | ip |
| sentinel_one.agent.network_interfaces.inet6 | IPv6 addresses. | ip |
| sentinel_one.agent.network_interfaces.name | Name. | keyword |
| sentinel_one.agent.network_quarantine_enabled | Network quarantine enabled. | boolean |
| sentinel_one.agent.network_status | Agent's network connectivity status. | keyword |
| sentinel_one.agent.operational_state | Agent operational state. | keyword |
| sentinel_one.agent.operational_state_expiration | Agent operational state expiration. | keyword |
| sentinel_one.agent.os.arch | OS architecture. | keyword |
| sentinel_one.agent.os.start_time | Last boot time. | date |
| sentinel_one.agent.policy.updated_at | Policy updated at. | date |
| sentinel_one.agent.ranger.status | Is Agent disabled as a Ranger. | keyword |
| sentinel_one.agent.ranger.version | The version of Ranger. | keyword |
| sentinel_one.agent.registered_at | Time of first registration to management console (similar to createdAt). | date |
| sentinel_one.agent.remote_profiling_state | Agent remote profiling state. | keyword |
| sentinel_one.agent.remote_profiling_state_expiration | Agent remote profiling state expiration in seconds. | keyword |
| sentinel_one.agent.scan.aborted_at | Abort time of last scan (if applicable). | date |
| sentinel_one.agent.scan.finished_at | Finish time of last scan (if applicable). | date |
| sentinel_one.agent.scan.started_at | Start time of last scan. | date |
| sentinel_one.agent.scan.status | Last scan status. | keyword |
| sentinel_one.agent.site.id | A reference to the containing site. | keyword |
| sentinel_one.agent.site.name | Name of the containing site. | keyword |
| sentinel_one.agent.storage.name | Storage name. | keyword |
| sentinel_one.agent.storage.type | Storage type. | keyword |
| sentinel_one.agent.tags.assigned_at | When tag assigned to the agent. | date |
| sentinel_one.agent.tags.assigned_by | full user name who assigned the tag to the agent. | keyword |
| sentinel_one.agent.tags.assigned_by_id | User ID who assigned the tag to the agent. | keyword |
| sentinel_one.agent.tags.id | Tag ID. | keyword |
| sentinel_one.agent.tags.key | Tag key. | keyword |
| sentinel_one.agent.tags.value | Tag value. | keyword |
| sentinel_one.agent.threat_reboot_required | Flag representing if the Agent has at least one threat with at least one mitigation action that is pending reboot to succeed. | boolean |
| sentinel_one.agent.total_memory | Memory size (MB). | long |
| sentinel_one.agent.user_action_needed | A list of pending user actions. | keyword |
| sentinel_one.agent.uuid | Agent's universally unique identifier. | keyword |
This is the alert dataset.
Example
{
"@timestamp": "2018-02-27T04:49:26.257Z",
"agent": {
"ephemeral_id": "08bbc60c-bcdb-4947-b58b-db2a8b01a1fc",
"id": "18481dc1-1b98-402b-ac39-57dc51f6d92e",
"name": "elastic-agent-93569",
"type": "filebeat",
"version": "8.18.7"
},
"container": {
"id": "string",
"image": {
"name": "string"
},
"name": "string"
},
"data_stream": {
"dataset": "sentinel_one.alert",
"namespace": "33685",
"type": "logs"
},
"destination": {
"ip": "81.2.69.144",
"port": 1234
},
"dll": {
"hash": {
"sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"
},
"path": "string"
},
"dns": {
"question": {
"name": "string"
}
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "18481dc1-1b98-402b-ac39-57dc51f6d92e",
"snapshot": false,
"version": "8.18.7"
},
"event": {
"agent_id_status": "verified",
"category": [
"malware"
],
"created": "2025-09-22T11:51:54.640Z",
"dataset": "sentinel_one.alert",
"id": "888456789123456789",
"ingested": "2025-09-22T11:51:57Z",
"kind": "event",
"original": "{\"agentDetectionInfo\":{\"machineType\":\"string\",\"name\":\"string\",\"osFamily\":\"string\",\"osName\":\"string\",\"osRevision\":\"string\",\"siteId\":\"123456789123456789\",\"uuid\":\"string\",\"version\":\"3.x.x.x\"},\"alertInfo\":{\"alertId\":\"888456789123456789\",\"analystVerdict\":\"string\",\"createdAt\":\"2018-02-27T04:49:26.257525Z\",\"dnsRequest\":\"string\",\"dnsResponse\":\"string\",\"dstIp\":\"81.2.69.144\",\"dstPort\":\"1234\",\"dvEventId\":\"string\",\"eventType\":\"info\",\"hitType\":\"Events\",\"incidentStatus\":\"open\",\"indicatorCategory\":\"string\",\"indicatorDescription\":\"string\",\"indicatorName\":\"string\",\"loginAccountDomain\":\"string\",\"loginAccountSid\":\"string\",\"loginIsAdministratorEquivalent\":\"string\",\"loginIsSuccessful\":\"string\",\"loginType\":\"login\",\"loginsUserName\":\"string\",\"modulePath\":\"string\",\"moduleSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"netEventDirection\":\"string\",\"registryKeyPath\":\"string\",\"registryOldValue\":\"string\",\"registryOldValueType\":\"string\",\"registryPath\":\"string\",\"registryValue\":\"string\",\"reportedAt\":\"2018-02-27T04:49:26.257525Z\",\"source\":\"string\",\"srcIp\":\"81.2.69.142\",\"srcMachineIp\":\"81.2.69.142\",\"srcPort\":\"1234\",\"tiIndicatorComparisonMethod\":\"string\",\"tiIndicatorSource\":\"string\",\"tiIndicatorType\":\"string\",\"tiIndicatorValue\":\"string\",\"updatedAt\":\"2018-02-27T04:49:26.257525Z\"},\"containerInfo\":{\"id\":\"string\",\"image\":\"string\",\"labels\":\"string\",\"name\":\"string\"},\"kubernetesInfo\":{\"cluster\":\"string\",\"controllerKind\":\"string\",\"controllerLabels\":\"string\",\"controllerName\":\"string\",\"namespace\":\"string\",\"namespaceLabels\":\"string\",\"node\":\"string\",\"pod\":\"string\",\"podLabels\":\"string\"},\"ruleInfo\":{\"description\":\"string\",\"id\":\"string\",\"name\":\"string\",\"scopeLevel\":\"string\",\"severity\":\"Low\",\"treatAsThreat\":\"UNDEFINED\"},\"sourceParentProcessInfo\":{\"commandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"sourceProcessInfo\":{\"commandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"targetProcessInfo\":{\"tgtFileCreatedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"tgtFileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"tgtFileId\":\"string\",\"tgtFileIsSigned\":\"string\",\"tgtFileModifiedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileOldPath\":\"string\",\"tgtFilePath\":\"string\",\"tgtProcCmdLine\":\"string\",\"tgtProcImagePath\":\"string\",\"tgtProcIntegrityLevel\":\"unknown\",\"tgtProcName\":\"string\",\"tgtProcPid\":\"12345\",\"tgtProcSignedStatus\":\"string\",\"tgtProcStorylineId\":\"string\",\"tgtProcUid\":\"string\",\"tgtProcessStartTime\":\"2018-02-27T04:49:26.257525Z\"}}",
"severity": 21,
"type": [
"info"
]
},
"file": {
"created": "2018-02-27T04:49:26.257Z",
"mtime": "2018-02-27T04:49:26.257Z"
},
"host": {
"ip": [
"81.2.69.142"
],
"name": "string",
"os": {
"family": "string",
"name": "string",
"version": "string"
},
"type": "string"
},
"input": {
"type": "httpjson"
},
"message": "string",
"observer": {
"serial_number": "string",
"version": "3.x.x.x"
},
"orchestrator": {
"cluster": {
"name": "string"
},
"namespace": "string"
},
"process": {
"code_signature": {
"signing_id": "string"
},
"command_line": "string",
"entity_id": "string",
"executable": "string",
"hash": {
"md5": "5d41402abc4b2a76b9719d911017c592",
"sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d",
"sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
},
"name": "string",
"parent": {
"code_signature": {
"signing_id": "string"
},
"command_line": "string",
"entity_id": "string",
"executable": "string",
"hash": {
"md5": "5d41402abc4b2a76b9719d911017c592",
"sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d",
"sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
},
"name": "string",
"pid": 12345,
"start": "2018-02-27T04:49:26.257Z",
"user": {
"name": "string"
}
},
"pid": 12345,
"start": "2018-02-27T04:49:26.257Z",
"user": {
"name": "string"
}
},
"registry": {
"key": "string",
"path": "string",
"value": "string"
},
"related": {
"hash": [
"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d",
"5d41402abc4b2a76b9719d911017c592",
"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
],
"hosts": [
"string"
],
"ip": [
"81.2.69.142",
"81.2.69.144"
],
"user": [
"string"
]
},
"rule": {
"description": "string",
"id": "string",
"name": "string"
},
"sentinel_one": {
"alert": {
"agent": {
"site_id": "123456789123456789"
},
"analyst_verdict": "string",
"container": {
"info": {
"labels": "string"
}
},
"dv_event": {
"id": "string"
},
"info": {
"dns": {
"response": "string"
},
"event_type": "info",
"hit": {
"type": "Events"
},
"indicator": {
"category": "string",
"description": "string",
"name": "string"
},
"login": {
"account": {
"sid": "string"
},
"is_administrator": "string",
"is_successful": "string",
"type": "login"
},
"registry": {
"old_value": "string",
"old_value_type": "string"
},
"reported_at": "2018-02-27T04:49:26.257Z",
"source": "string",
"status": "open",
"ti_indicator": {
"comparison_method": "string",
"source": "string",
"type": "string",
"value": "string"
},
"updated_at": "2018-02-27T04:49:26.257Z"
},
"kubernetes": {
"controller": {
"kind": "string",
"labels": "string",
"name": "string"
},
"namespace": {
"labels": "string"
},
"node": "string",
"pod": {
"labels": "string",
"name": "string"
}
},
"process": {
"integrity_level": "unknown",
"parent": {
"integrity_level": "unknown",
"storyline": "string",
"subsystem": "unknown"
},
"storyline": "string",
"subsystem": "unknown"
},
"rule": {
"scope_level": "string",
"severity": "Low",
"treat_as_threat": "UNDEFINED"
},
"target": {
"process": {
"file": {
"hash": {
"sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d",
"sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
},
"id": "string",
"is_signed": "string",
"old_path": "string",
"path": "string"
},
"proc": {
"cmdline": "string",
"image_path": "string",
"integrity_level": "unknown",
"name": "string",
"pid": 12345,
"signed_status": "string",
"storyline_id": "string",
"uid": "string"
},
"start_time": "2018-02-27T04:49:26.257Z"
}
}
}
},
"source": {
"ip": "81.2.69.142",
"port": 1234
},
"tags": [
"preserve_original_event",
"forwarded",
"sentinel_one-alert"
],
"user": {
"domain": "string",
"name": "string"
}
}
Exported fields
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| cloud.image.id | Image ID for the cloud instance. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset. | constant_keyword |
| event.module | Event module. | constant_keyword |
| host.containerized | If the host is a container. | boolean |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| input.type | Input type | keyword |
| log.offset | Log offset | long |
| log.source.address | Source address from which the log event was read / sent from. | keyword |
| sentinel_one.alert.agent.computer_name | Computer distinguished name. | keyword |
| sentinel_one.alert.agent.id | Agent ID. | keyword |
| sentinel_one.alert.agent.infected | Agent infected. | boolean |
| sentinel_one.alert.agent.is_active | Is active. | boolean |
| sentinel_one.alert.agent.is_decommissioned | Is decommissioned. | boolean |
| sentinel_one.alert.agent.machine_type | Machine type. | keyword |
| sentinel_one.alert.agent.os.type | OS type. | keyword |
| sentinel_one.alert.agent.site_id | Site id. | keyword |
| sentinel_one.alert.analyst_verdict | Analyst verdict. | keyword |
| sentinel_one.alert.container.info.labels | Container info labels. | keyword |
| sentinel_one.alert.dv_event.id | DV event id. | keyword |
| sentinel_one.alert.info.dns.response | IP address, DNS, type, etc. in response. | keyword |
| sentinel_one.alert.info.event_type | Event type. | keyword |
| sentinel_one.alert.info.hit.type | Type of hit reported from agent. | keyword |
| sentinel_one.alert.info.indicator.category | Indicator categories for this process. | keyword |
| sentinel_one.alert.info.indicator.description | Indicator_description. | keyword |
| sentinel_one.alert.info.indicator.name | Indicator names for this process. | keyword |
| sentinel_one.alert.info.login.account.sid | SID of the account that attempted to login. | keyword |
| sentinel_one.alert.info.login.is_administrator | Is the login attempt administrator equivalent. | keyword |
| sentinel_one.alert.info.login.is_successful | Was the login attempt successful. | keyword |
| sentinel_one.alert.info.login.type | Type of login which was performed. | keyword |
| sentinel_one.alert.info.registry.old_value | Registry previous value (in case of modification). | keyword |
| sentinel_one.alert.info.registry.old_value_type | Registry previous value type (in case of modification). | keyword |
| sentinel_one.alert.info.reported_at | Timestamp of alert creation in STAR. | date |
| sentinel_one.alert.info.source | Source reported from agent. | keyword |
| sentinel_one.alert.info.status | Incident status. | keyword |
| sentinel_one.alert.info.ti_indicator.comparison_method | The comparison method used by SentinelOne to trigger the event. | keyword |
| sentinel_one.alert.info.ti_indicator.source | The value of the identified Threat Intelligence indicator. | keyword |
| sentinel_one.alert.info.ti_indicator.type | The type of the identified Threat Intelligence indicator. | keyword |
| sentinel_one.alert.info.ti_indicator.value | The value of the identified Threat Intelligence indicator. | keyword |
| sentinel_one.alert.info.updated_at | Date of alert updated in Star MMS. | date |
| sentinel_one.alert.kubernetes.controller.kind | Controller kind. | keyword |
| sentinel_one.alert.kubernetes.controller.labels | Controller labels. | keyword |
| sentinel_one.alert.kubernetes.controller.name | Controller name. | keyword |
| sentinel_one.alert.kubernetes.namespace.labels | Namespace labels. | keyword |
| sentinel_one.alert.kubernetes.node | Node. | keyword |
| sentinel_one.alert.kubernetes.pod.labels | Pod Labels. | keyword |
| sentinel_one.alert.kubernetes.pod.name | Pod name. | keyword |
| sentinel_one.alert.process.integrity_level | Integrity level. | keyword |
| sentinel_one.alert.process.parent.integrity_level | Integrity level. | keyword |
| sentinel_one.alert.process.parent.storyline | StoryLine. | keyword |
| sentinel_one.alert.process.parent.subsystem | Subsystem. | keyword |
| sentinel_one.alert.process.storyline | StoryLine. | keyword |
| sentinel_one.alert.process.subsystem | Subsystem. | keyword |
| sentinel_one.alert.rule.scope_level | Scope level. | keyword |
| sentinel_one.alert.rule.severity | Rule severity. | keyword |
| sentinel_one.alert.rule.treat_as_threat | Rule treat as threat type. | keyword |
| sentinel_one.alert.target.process.file.hash.sha1 | SHA1 Signature of File. | keyword |
| sentinel_one.alert.target.process.file.hash.sha256 | SHA256 Signature of File. | keyword |
| sentinel_one.alert.target.process.file.id | Unique ID of file. | keyword |
| sentinel_one.alert.target.process.file.is_signed | Is fle signed. | keyword |
| sentinel_one.alert.target.process.file.old_path | Old path before 'Rename'. | keyword |
| sentinel_one.alert.target.process.file.path | Path and filename. | keyword |
| sentinel_one.alert.target.process.proc.cmdline | Target Process Command Line. | keyword |
| sentinel_one.alert.target.process.proc.image_path | Target Process Image path | keyword |
| sentinel_one.alert.target.process.proc.integrity_level | Integrity level of target process. | keyword |
| sentinel_one.alert.target.process.proc.name | Target Process Name. | keyword |
| sentinel_one.alert.target.process.proc.pid | Target Process ID (PID). | long |
| sentinel_one.alert.target.process.proc.signed_status | Target Process Signed Status. | keyword |
| sentinel_one.alert.target.process.proc.storyline_id | Target Process StoryLine ID. | keyword |
| sentinel_one.alert.target.process.proc.uid | Target Process Unique ID. | keyword |
| sentinel_one.alert.target.process.start_time | Target Process Start Time. | date |
This is the application dataset.
Example
{
"@timestamp": "2025-09-22T11:37:35.103Z",
"agent": {
"ephemeral_id": "f3dbcd35-c358-4dc1-af94-eaabf9b235ed",
"id": "5d3eee3a-3182-4b39-8c6c-cb02286bd750",
"name": "elastic-agent-59605",
"type": "filebeat",
"version": "8.18.7"
},
"data_stream": {
"dataset": "sentinel_one.application",
"namespace": "44982",
"type": "logs"
},
"ecs": {
"version": "8.17.0"
},
"elastic_agent": {
"id": "5d3eee3a-3182-4b39-8c6c-cb02286bd750",
"snapshot": false,
"version": "8.18.7"
},
"event": {
"agent_id_status": "verified",
"category": [
"package"
],
"dataset": "sentinel_one.application",
"ingested": "2025-09-22T11:37:38Z",
"kind": "event",
"original": "{\"accountName\":\"7-Zip\",\"applicationInstallationDate\":\"2025-04-13T10:45:01Z\",\"applicationInstallationPath\":null,\"applicationName\":\"Igor Pavlov\",\"coreCount\":2,\"cpe\":\"cpe:2.3:a:abc:igor:8.17.3:*:*:*:*:*:*:*\",\"cpuCount\":1,\"detectionDate\":\"2025-06-19T18:00:51.166610Z\",\"endpointId\":\"216970508828266268\",\"endpointName\":\"srv-win-defend-03\",\"endpointType\":\"server\",\"endpointUuid\":\"eb655be8be894dae97711ebb9a9091ae\",\"fileSize\":517364,\"groupName\":\"Default Group\",\"id\":\"2218357748550497214\",\"osArch\":\"64 bit\",\"osName\":\"Windows Server 2022 Datacenter\",\"osType\":\"windows\",\"osVersion\":\"Windows Server 2022 Datacenter 20348\",\"siteName\":\"Default site\",\"version\":\"8.17.3\"}",
"type": [
"info"
]
},
"host": {
"name": "srv-win-defend-03",
"os": {
"full": "Windows Server 2022 Datacenter 20348",
"name": "Windows Server 2022 Datacenter",
"type": "windows"
},
"type": "server"
},
"input": {
"type": "cel"
},
"package": {
"installed": "2025-04-13T10:45:01.000Z",
"name": "Igor Pavlov",
"size": 517364,
"version": "8.17.3"
},
"related": {
"hosts": [
"srv-win-defend-03"
]
},
"sentinel_one": {
"application": {
"account_name": "7-Zip",
"application_installation_date": "2025-04-13T10:45:01.000Z",
"application_name": "Igor Pavlov",
"core_count": 2,
"cpe": "cpe:2.3:a:abc:igor:8.17.3:*:*:*:*:*:*:*",
"cpu_count": 1,
"detection_date": "2025-06-19T18:00:51.166Z",
"endpoint_id": "216970508828266268",
"endpoint_name": "srv-win-defend-03",
"endpoint_type": "server",
"endpoint_uuid": "eb655be8be894dae97711ebb9a9091ae",
"file_size": 517364,
"group_name": "Default Group",
"id": "2218357748550497214",
"os_arch": "64 bit",
"os_name": "Windows Server 2022 Datacenter",
"os_type": "windows",
"os_version": "Windows Server 2022 Datacenter 20348",
"site_name": "Default site",
"version": "8.17.3"
}
},
"tags": [
"preserve_original_event",
"preserve_duplicate_custom_fields",
"forwarded",
"sentinel_one-application"
]
}
Exported fields
| Field | Description | Type |
|---|---|---|
| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters |
constant_keyword |
| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters |
constant_keyword |
| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword |
| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. |
constant_keyword |
| input.type | Type of filebeat input. | keyword |
| log.offset | Log offset. | long |
| sentinel_one.application.account_name | keyword | |
| sentinel_one.application.application_installation_date | date | |
| sentinel_one.application.application_installation_path | keyword | |
| sentinel_one.application.application_name | keyword | |
| sentinel_one.application.application_vendor | keyword | |
| sentinel_one.application.application_versions_count | long | |
| sentinel_one.application.core_count | long | |
| sentinel_one.application.cpe | keyword | |
| sentinel_one.application.cpu_count | long | |
| sentinel_one.application.detection_date | date | |
| sentinel_one.application.endpoint_id | keyword | |
| sentinel_one.application.endpoint_name | keyword | |
| sentinel_one.application.endpoint_type | keyword | |
| sentinel_one.application.endpoint_uuid | keyword | |
| sentinel_one.application.endpoints_count | long | |
| sentinel_one.application.estimate | boolean | |
| sentinel_one.application.file_size | long | |
| sentinel_one.application.group_name | keyword | |
| sentinel_one.application.id | keyword | |
| sentinel_one.application.os_arch | keyword | |
| sentinel_one.application.os_name | keyword | |
| sentinel_one.application.os_type | keyword | |
| sentinel_one.application.os_version | keyword | |
| sentinel_one.application.site_name | keyword | |
| sentinel_one.application.version | keyword |
This is the application risk dataset.
Example
{
"@timestamp": "2025-07-29T19:25:47.000Z",
"agent": {
"ephemeral_id": "a2feec44-477e-4405-95d0-a4478a26060b",
"id": "4fd69adb-bbe2-4f41-bbee-5673417f7a81",
"name": "elastic-agent-70432",
"type": "filebeat",
"version": "8.18.7"
},
"data_stream": {
"dataset": "sentinel_one.application_risk",
"namespace": "92576",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "4fd69adb-bbe2-4f41-bbee-5673417f7a81",
"snapshot": false,
"version": "8.18.7"
},
"event": {
"agent_id_status": "verified",
"category": [
"vulnerability"
],
"created": "2025-06-02T04:46:51.710Z",
"dataset": "sentinel_one.application_risk",
"id": "2228104980801805822",
"ingested": "2025-09-22T11:38:28Z",
"kind": "state",
"original": "{\"application\":\"7-Zip 22.01\",\"applicationName\":\"7-Zip\",\"applicationVendor\":\"Igor Pavlov\",\"applicationVersion\":\"22.01\",\"baseScore\":\"7.00\",\"cveId\":\"CVE-2025-0411\",\"cvssVersion\":\"3.1\",\"daysDetected\":59,\"detectionDate\":\"2025-06-02T04:46:51.710569Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"test_endpoint\",\"endpointType\":\"desktop\",\"id\":\"2228104980801805822\",\"lastScanDate\":\"2025-07-29T19:25:47Z\",\"lastScanResult\":\"Succeeded\",\"markType\":\"\",\"markedBy\":null,\"markedDate\":null,\"osType\":\"windows\",\"publishedDate\":\"2025-01-20T07:04:04Z\",\"reason\":null,\"severity\":\"HIGH\",\"status\":\"Detected\"}",
"outcome": "success",
"severity": 73,
"type": [
"info"
]
},
"host": {
"id": "2162143406517023959",
"os": {
"type": "windows"
},
"type": "desktop"
},
"input": {
"type": "cel"
},
"package": {
"name": "7-Zip",
"version": "22.01"
},
"resource": {
"id": "2162143406517023959",
"name": "test_endpoint"
},
"sentinel_one": {
"application_risk": {
"application": "7-Zip 22.01",
"application_vendor": "Igor Pavlov",
"days_detected": 59,
"detection_date": "2025-06-02T04:46:51.710Z",
"last_scan_date": "2025-07-29T19:25:47.000Z",
"last_scan_result": "Succeeded",
"severity": "HIGH",
"status": "Detected"
}
},
"tags": [
"preserve_original_event",
"forwarded",
"sentinel_one-application_risk"
],
"vulnerability": {
"cve": "CVE-2025-0411",
"id": "CVE-2025-0411",
"package": {
"published_date": "2025-01-20T07:04:04.000Z"
},
"score": {
"base": 7,
"version": "3.1"
}
}
}
Exported fields
| Field | Description | Type |
|---|---|---|
| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters |
constant_keyword |
| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters |
constant_keyword |
| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword |
| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. |
constant_keyword |
| input.type | Type of Filebeat input. | keyword |
| labels.is_transform_source | Distinguishes between documents that are a source for a transform and documents that are an output of a transform, to facilitate easier filtering. | constant_keyword |
| log.offset | Log offset. | long |
| observer.vendor | Vendor name of the observer. | constant_keyword |
| resource.id | The ID of the vulnerable resource. | keyword |
| resource.name | The name of the vulnerable resource. | keyword |
| sentinel_one.application_risk.application | Composed application name. | keyword |
| sentinel_one.application_risk.application_name | Application name. | keyword |
| sentinel_one.application_risk.application_vendor | Application vendor. | keyword |
| sentinel_one.application_risk.application_version | Application version. | keyword |
| sentinel_one.application_risk.base_score | float | |
| sentinel_one.application_risk.cve_id | CVE Id. | keyword |
| sentinel_one.application_risk.cvss_version | Cvss version. | keyword |
| sentinel_one.application_risk.days_detected | Days detected. | long |
| sentinel_one.application_risk.detection_date | Detection date. | date |
| sentinel_one.application_risk.endpoint_id | Endpoint id. | keyword |
| sentinel_one.application_risk.endpoint_name | Endpoint name. | keyword |
| sentinel_one.application_risk.endpoint_type | Endpoint type. | keyword |
| sentinel_one.application_risk.exploit_code_maturity | keyword | |
| sentinel_one.application_risk.id | Id. | keyword |
| sentinel_one.application_risk.last_scan_date | Last scan date. | date |
| sentinel_one.application_risk.last_scan_result | Last scan result. | keyword |
| sentinel_one.application_risk.mark_type | Mark type. | keyword |
| sentinel_one.application_risk.marked_by | Marked by. | keyword |
| sentinel_one.application_risk.marked_date | Marked date. | date |
| sentinel_one.application_risk.mitigation_status | Risk mitigation status. | keyword |
| sentinel_one.application_risk.mitigation_status_change_time | Mitigation status change time. | date |
| sentinel_one.application_risk.mitigation_status_changed_by | Mitigation status changer. | keyword |
| sentinel_one.application_risk.mitigation_status_reason | Mitigation status reason. | keyword |
| sentinel_one.application_risk.nvd_base_score | double | |
| sentinel_one.application_risk.nvd_cvss_version | keyword | |
| sentinel_one.application_risk.os_type | OS type. | keyword |
| sentinel_one.application_risk.published_date | Published date. | date |
| sentinel_one.application_risk.reason | Reason. | keyword |
| sentinel_one.application_risk.remediation_level | keyword | |
| sentinel_one.application_risk.report_confidence | keyword | |
| sentinel_one.application_risk.risk_score | double | |
| sentinel_one.application_risk.severity | Severity. | keyword |
| sentinel_one.application_risk.status | Risk status. | keyword |
| vulnerability.cve | The CVE id of the vulnerability. | keyword |
| vulnerability.package.published_date | When the vulnerability was published. | date |
This is the group dataset.
Example
{
"@timestamp": "2022-04-05T16:01:57.564Z",
"agent": {
"ephemeral_id": "19a3b41e-6893-4b82-ae86-4c2e93da02d9",
"id": "14cf6e5d-1727-4dee-a04e-568d68d0491a",
"name": "elastic-agent-16291",
"type": "filebeat",
"version": "8.18.7"
},
"data_stream": {
"dataset": "sentinel_one.group",
"namespace": "33426",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "14cf6e5d-1727-4dee-a04e-568d68d0491a",
"snapshot": false,
"version": "8.18.7"
},
"event": {
"agent_id_status": "verified",
"category": [
"iam"
],
"created": "2025-09-22T11:39:15.003Z",
"dataset": "sentinel_one.group",
"ingested": "2025-09-22T11:39:17Z",
"kind": "event",
"original": "{\"createdAt\":\"2022-04-05T16:01:56.928383Z\",\"creator\":\"Test User\",\"creatorId\":\"1234567890123456789\",\"filterId\":null,\"filterName\":null,\"id\":\"1234567890123456789\",\"inherits\":true,\"isDefault\":true,\"name\":\"Default Group\",\"rank\":null,\"registrationToken\":\"eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=\",\"siteId\":\"1234567890123456789\",\"totalAgents\":1,\"type\":\"static\",\"updatedAt\":\"2022-04-05T16:01:57.564266Z\"}",
"type": [
"info"
]
},
"group": {
"id": "1234567890123456789",
"name": "Default Group"
},
"input": {
"type": "httpjson"
},
"related": {
"user": [
"Test User"
]
},
"sentinel_one": {
"group": {
"agent": {
"count": 1
},
"created_at": "2022-04-05T16:01:56.928Z",
"creator": {
"id": "1234567890123456789"
},
"inherits": true,
"is_default": true,
"registration_token": "eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=",
"site": {
"id": "1234567890123456789"
},
"type": "static"
}
},
"tags": [
"preserve_original_event",
"forwarded",
"sentinel_one-group"
],
"user": {
"full_name": "Test User"
}
}
Exported fields
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| cloud.image.id | Image ID for the cloud instance. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset. | constant_keyword |
| event.module | Event module. | constant_keyword |
| host.containerized | If the host is a container. | boolean |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| input.type | Input type | keyword |
| log.offset | Log offset | long |
| log.source.address | Source address from which the log event was read / sent from. | keyword |
| sentinel_one.group.agent.count | long | |
| sentinel_one.group.created_at | date | |
| sentinel_one.group.creator.id | keyword | |
| sentinel_one.group.filter.id | keyword | |
| sentinel_one.group.filter.name | keyword | |
| sentinel_one.group.inherits | boolean | |
| sentinel_one.group.is_default | boolean | |
| sentinel_one.group.rank | long | |
| sentinel_one.group.registration_token | keyword | |
| sentinel_one.group.site.id | keyword | |
| sentinel_one.group.type | keyword |
This is the threat dataset.
Example
{
"@timestamp": "2022-04-06T08:54:17.194Z",
"agent": {
"ephemeral_id": "1128d81b-01bd-4864-808c-5ad00f4c923b",
"id": "bc9ba90f-141f-42b8-ae9a-e8f473cf41f1",
"name": "elastic-agent-63288",
"type": "filebeat",
"version": "8.18.7"
},
"data_stream": {
"dataset": "sentinel_one.threat",
"namespace": "26215",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "bc9ba90f-141f-42b8-ae9a-e8f473cf41f1",
"snapshot": false,
"version": "8.18.7"
},
"event": {
"action": "SentinelOne Cloud",
"agent_id_status": "verified",
"category": [
"malware"
],
"created": "2025-09-22T12:02:37.990Z",
"dataset": "sentinel_one.threat",
"id": "1234567890123456789",
"ingested": "2025-09-22T12:02:39Z",
"kind": "alert",
"original": "{\"agentDetectionInfo\":{\"accountId\":\"111245567890123456789\",\"accountName\":\"Default2\",\"agentDetectionState\":null,\"agentDomain\":\"WORKGROUP\",\"agentIpV4\":\"127.0.0.1\",\"agentIpV6\":\"2a02:cf40::\",\"agentLastLoggedInUpn\":null,\"agentLastLoggedInUserMail\":null,\"agentLastLoggedInUserName\":\"\",\"agentMitigationMode\":\"protect\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentRegisteredAt\":\"2022-04-08T08:26:45.515278Z\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x\",\"cloudProviders\":{},\"externalIp\":\"81.2.69.143\",\"groupId\":\"1444567890123456789\",\"groupName\":\"Default Group\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\"},\"agentRealtimeInfo\":{\"accountId\":\"1456567890123456789\",\"accountName\":\"Default2\",\"activeThreats\":8,\"agentComputerName\":\"test-LINUX\",\"agentDecommissionedAt\":null,\"agentDomain\":\"WORKGROUP\",\"agentId\":\"1234567890123456789\",\"agentInfected\":true,\"agentIsActive\":true,\"agentIsDecommissioned\":false,\"agentMachineType\":\"server\",\"agentMitigationMode\":\"detect\",\"agentNetworkStatus\":\"connected\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentOsType\":\"linux\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x.1234\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"networkInterfaces\":[{\"id\":\"1234567890123456789\",\"inet\":[\"10.0.0.1\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"DE:AD:00:00:BE:EF\"}],\"operationalState\":\"na\",\"rebootRequired\":false,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-09T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-09T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"storageName\":null,\"storageType\":null,\"userActionsNeeded\":[]},\"containerInfo\":{\"id\":null,\"image\":null,\"labels\":null,\"name\":null},\"id\":\"1234567890123456789\",\"indicators\":[],\"kubernetesInfo\":{\"cluster\":null,\"controllerKind\":null,\"controllerLabels\":null,\"controllerName\":null,\"namespace\":null,\"namespaceLabels\":null,\"node\":null,\"pod\":null,\"podLabels\":null},\"mitigationStatus\":[{\"action\":\"unquarantine\",\"actionsCounters\":{\"failed\":0,\"notFound\":0,\"pendingReboot\":0,\"success\":1,\"total\":1},\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:54:17.198002Z\",\"latestReport\":\"/threats/mitigation-report\",\"mitigationEndedAt\":\"2022-04-06T08:54:17.101000Z\",\"mitigationStartedAt\":\"2022-04-06T08:54:17.101000Z\",\"status\":\"success\"},{\"action\":\"kill\",\"actionsCounters\":null,\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:45:55.303355Z\",\"latestReport\":null,\"mitigationEndedAt\":\"2022-04-06T08:45:55.297364Z\",\"mitigationStartedAt\":\"2022-04-06T08:45:55.297363Z\",\"status\":\"success\"}],\"threatInfo\":{\"analystVerdict\":\"undefined\",\"analystVerdictDescription\":\"Undefined\",\"automaticallyResolved\":false,\"browserType\":null,\"certificateId\":\"\",\"classification\":\"Trojan\",\"classificationSource\":\"Cloud\",\"cloudFilesHashVerdict\":\"black\",\"collectionId\":\"1234567890123456789\",\"confidenceLevel\":\"malicious\",\"createdAt\":\"2022-04-06T08:45:54.519988Z\",\"detectionEngines\":[{\"key\":\"sentinelone_cloud\",\"title\":\"SentinelOne Cloud\"}],\"detectionType\":\"static\",\"engines\":[\"SentinelOne Cloud\"],\"externalTicketExists\":false,\"externalTicketId\":null,\"failedActions\":false,\"fileExtension\":\"EXE\",\"fileExtensionType\":\"Executable\",\"filePath\":\"default.exe\",\"fileSize\":1234,\"fileVerificationType\":\"NotSigned\",\"identifiedAt\":\"2022-04-06T08:45:53.968000Z\",\"incidentStatus\":\"unresolved\",\"incidentStatusDescription\":\"Unresolved\",\"initiatedBy\":\"agent_policy\",\"initiatedByDescription\":\"Agent Policy\",\"initiatingUserId\":null,\"initiatingUsername\":null,\"isFileless\":false,\"isValidCertificate\":false,\"maliciousProcessArguments\":null,\"md5\":null,\"mitigatedPreemptively\":false,\"mitigationStatus\":\"not_mitigated\",\"mitigationStatusDescription\":\"Not mitigated\",\"originatorProcess\":\"default.exe\",\"pendingActions\":false,\"processUser\":\"test user\",\"publisherName\":\"\",\"reachedEventsLimit\":false,\"rebootRequired\":false,\"sha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"sha256\":null,\"storyline\":\"D0XXXXXXXXXXAF4D\",\"threatId\":\"1234567890123456789\",\"threatName\":\"default.exe\",\"updatedAt\":\"2022-04-06T08:54:17.194122Z\"},\"whiteningOptions\":[\"hash\"]}",
"type": [
"info"
]
},
"host": {
"domain": "WORKGROUP",
"geo": {
"city_name": "London",
"continent_name": "Europe",
"country_iso_code": "GB",
"country_name": "United Kingdom",
"location": {
"lat": 51.5142,
"lon": -0.0931
},
"region_iso_code": "GB-ENG",
"region_name": "England"
},
"id": "1234567890123456789",
"ip": [
"81.2.69.143"
],
"mac": [
"DE-AD-00-00-BE-EF"
],
"name": "test-LINUX",
"os": {
"name": "linux",
"type": "linux"
}
},
"input": {
"type": "httpjson"
},
"message": "Threat Detected: default.exe (malicious)",
"observer": {
"version": "21.x.x.1234"
},
"process": {
"name": "default.exe"
},
"related": {
"hash": [
"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"
],
"hosts": [
"test-LINUX"
],
"ip": [
"127.0.0.1",
"2a02:cf40::",
"81.2.69.143",
"10.0.0.1",
"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
],
"user": [
"test user"
]
},
"sentinel_one": {
"threat": {
"agent": {
"account": {
"id": "1456567890123456789",
"name": "Default2"
},
"active_threats": 8,
"group": {
"id": "1234567890123456789",
"name": "Default Group"
},
"id": "1234567890123456789",
"infected": true,
"is_active": true,
"is_decommissioned": false,
"machine_type": "server",
"mitigation_mode": "detect",
"network_interface": [
{
"id": "1234567890123456789",
"inet": [
"10.0.0.1"
],
"inet6": [
"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
],
"name": "Ethernet"
}
],
"network_status": "connected",
"operational_state": "na",
"os": {
"version": "1234"
},
"reboot_required": false,
"scan": {
"finished_at": "2022-04-09T09:18:21.090Z",
"started_at": "2022-04-09T08:26:52.838Z",
"status": "finished"
},
"site": {
"id": "1234567890123456789",
"name": "Default site"
},
"uuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx"
},
"analysis": {
"description": "Undefined",
"verdict": "undefined"
},
"automatically_resolved": false,
"classification": "Trojan",
"classification_source": "Cloud",
"cloudfiles_hash_verdict": "black",
"collection": {
"id": "1234567890123456789"
},
"confidence_level": "malicious",
"created_at": "2022-04-06T08:45:54.519Z",
"detection": {
"account": {
"id": "111245567890123456789",
"name": "Default2"
},
"agent": {
"domain": "WORKGROUP",
"group": {
"id": "1444567890123456789",
"name": "Default Group"
},
"ipv4": [
"127.0.0.1"
],
"ipv6": [
"2a02:cf40::"
],
"mitigation_mode": "protect",
"os": {
"name": "linux",
"version": "1234"
},
"registered_at": "2022-04-08T08:26:45.515Z",
"site": {
"id": "1234567890123456789",
"name": "Default site"
},
"uuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx",
"version": "21.x.x"
},
"engines": [
{
"key": "sentinelone_cloud",
"title": "SentinelOne Cloud"
}
],
"type": "static"
},
"engines": [
"SentinelOne Cloud"
],
"external_ticket": {
"exist": false
},
"failed_actions": false,
"file": {
"extension": {
"type": "Executable"
},
"identified_at": "2022-04-06T08:45:53.968Z",
"verification_type": "NotSigned"
},
"id": "1234567890123456789",
"incident": {
"status": "unresolved",
"status_description": "Unresolved"
},
"initiated": {
"description": "Agent Policy",
"name": "agent_policy"
},
"is_fileless": false,
"is_valid_certificate": false,
"mitigated_preemptively": false,
"mitigation": {
"description": "Not mitigated",
"status": "not_mitigated"
},
"mitigation_status": [
{
"action": "unquarantine",
"action_counters": {
"failed": 0,
"not_found": 0,
"pending_reboot": 0,
"success": 1,
"total": 1
},
"agent_supports_report": true,
"group_not_found": false,
"last_update": "2022-04-06T08:54:17.198Z",
"latest_report": "/threats/mitigation-report",
"mitigation_ended_at": "2022-04-06T08:54:17.101Z",
"mitigation_started_at": "2022-04-06T08:54:17.101Z",
"status": "success"
},
{
"action": "kill",
"agent_supports_report": true,
"group_not_found": false,
"last_update": "2022-04-06T08:45:55.303Z",
"mitigation_ended_at": "2022-04-06T08:45:55.297Z",
"mitigation_started_at": "2022-04-06T08:45:55.297Z",
"status": "success"
}
],
"name": "default.exe",
"originator_process": "default.exe",
"pending_actions": false,
"process_user": "test user",
"reached_events_limit": false,
"reboot_required": false,
"storyline": "D0XXXXXXXXXXAF4D",
"threat_id": "1234567890123456789",
"whitening_option": [
"hash"
]
}
},
"tags": [
"preserve_original_event",
"forwarded",
"sentinel_one-threat"
],
"threat": {
"indicator": {
"file": {
"extension": "EXE",
"hash": {
"sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"
},
"path": "default.exe",
"size": 1234
}
}
},
"user": {
"name": "test user"
}
}
Exported fields
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| cloud.image.id | Image ID for the cloud instance. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset. | constant_keyword |
| event.module | Event module. | constant_keyword |
| host.containerized | If the host is a container. | boolean |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| input.type | Input type | keyword |
| log.offset | Log offset | long |
| sentinel_one.threat.agent.account.id | Account id. | keyword |
| sentinel_one.threat.agent.account.name | Account name. | keyword |
| sentinel_one.threat.agent.active_threats | Active threats. | long |
| sentinel_one.threat.agent.decommissioned_at | Decommissioned at. | boolean |
| sentinel_one.threat.agent.group.id | Group id. | keyword |
| sentinel_one.threat.agent.group.name | Group name. | keyword |
| sentinel_one.threat.agent.id | Related agent (if applicable). | keyword |
| sentinel_one.threat.agent.infected | Agent infected. | boolean |
| sentinel_one.threat.agent.is_active | Is active. | boolean |
| sentinel_one.threat.agent.is_decommissioned | Is decommissioned. | boolean |
| sentinel_one.threat.agent.machine_type | Machine type. | keyword |
| sentinel_one.threat.agent.mitigation_mode | Agent mitigation mode policy. | keyword |
| sentinel_one.threat.agent.network_interface.id | Device's network interfaces id. | keyword |
| sentinel_one.threat.agent.network_interface.inet | Device's network interfaces IPv4 addresses. | keyword |
| sentinel_one.threat.agent.network_interface.inet6 | Device's network interfaces IPv6 addresses. | keyword |
| sentinel_one.threat.agent.network_interface.name | Device's network interfaces IPv4 Name. | keyword |
| sentinel_one.threat.agent.network_status | Network status. | keyword |
| sentinel_one.threat.agent.operational_state | Agent operational state. | keyword |
| sentinel_one.threat.agent.os.version | OS revision. | keyword |
| sentinel_one.threat.agent.reboot_required | A reboot is required on the endpoint for at least one acton on the threat. | boolean |
| sentinel_one.threat.agent.scan.aborted_at | Abort time of last scan (if applicable). | keyword |
| sentinel_one.threat.agent.scan.finished_at | Finish time of last scan (if applicable). | keyword |
| sentinel_one.threat.agent.scan.started_at | Start time of last scan. | keyword |
| sentinel_one.threat.agent.scan.status | Scan status. | keyword |
| sentinel_one.threat.agent.site.id | Site id. | keyword |
| sentinel_one.threat.agent.site.name | Site name. | keyword |
| sentinel_one.threat.agent.storage.name | Storage Name. | keyword |
| sentinel_one.threat.agent.storage.type | Storage Type. | keyword |
| sentinel_one.threat.agent.user_action_needed | A list of pending user actions. List items possible values: "none, reboot_needed, user_acton_needed, upgrade_needed, incompatible_os, unprotected, user_acton_needed_fda, user_acton_needed_rs_fda,user_acton_needed_network, rebootless_without_dynamic_detection, extended_exclusions_partially_accepted, user_action_needed_bluetooth_per". | keyword |
| sentinel_one.threat.agent.uuid | UUID. | keyword |
| sentinel_one.threat.analysis.description | Analyst verdict description. | keyword |
| sentinel_one.threat.analysis.verdict | Analyst verdict. | keyword |
| sentinel_one.threat.automatically_resolved | Automatically resolved. | boolean |
| sentinel_one.threat.browser_type | Browser type. | keyword |
| sentinel_one.threat.certificate.id | File Certificate ID. | keyword |
| sentinel_one.threat.classification | Classification of the threat. | keyword |
| sentinel_one.threat.classification_source | Source of the threat Classification. | keyword |
| sentinel_one.threat.cloudfiles_hash_verdict | Cloud files hash verdict. | keyword |
| sentinel_one.threat.collection.id | Collection id. | keyword |
| sentinel_one.threat.confidence_level | SentinelOne threat confidence level. | keyword |
| sentinel_one.threat.container.labels | Container labels. | keyword |
| sentinel_one.threat.created_at | Timestamp of date creation in the Management Console. | date |
| sentinel_one.threat.detection.account.id | Orig account id. | keyword |
| sentinel_one.threat.detection.account.name | Orig account name. | keyword |
| sentinel_one.threat.detection.agent.domain | Network domain. | keyword |
| sentinel_one.threat.detection.agent.group.id | Orig group id. | keyword |
| sentinel_one.threat.detection.agent.group.name | Orig group name. | keyword |
| sentinel_one.threat.detection.agent.ipv4 | Orig agent ipv4. | ip |
| sentinel_one.threat.detection.agent.ipv6 | Orig agent ipv6. | ip |
| sentinel_one.threat.detection.agent.last_logged_in.upn | UPN of last logged in user. | keyword |
| sentinel_one.threat.detection.agent.mitigation_mode | Agent mitigation mode policy. | keyword |
| sentinel_one.threat.detection.agent.os.name | Orig agent OS name. | keyword |
| sentinel_one.threat.detection.agent.os.version | Orig agent OS revision. | keyword |
| sentinel_one.threat.detection.agent.registered_at | Time of first registration to management console. | date |
| sentinel_one.threat.detection.agent.site.id | Orig site id. | keyword |
| sentinel_one.threat.detection.agent.site.name | Orig site name. | keyword |
| sentinel_one.threat.detection.agent.uuid | UUID of the agent. | keyword |
| sentinel_one.threat.detection.agent.version | Orig agent version. | keyword |
| sentinel_one.threat.detection.cloud_providers | Cloud providers for this agent. | flattened |
| sentinel_one.threat.detection.engines.key | List of engines that detected the threat key. | keyword |
| sentinel_one.threat.detection.engines.title | List of engines that detected the threat title. | keyword |
| sentinel_one.threat.detection.state | The Agent's detection state at time of detection. | keyword |
| sentinel_one.threat.detection.type | Detection type. | keyword |
| sentinel_one.threat.engines | List of engines that detected the threat. | keyword |
| sentinel_one.threat.external_ticket.exist | External ticket exists. | boolean |
| sentinel_one.threat.external_ticket.id | External ticket id. | keyword |
| sentinel_one.threat.failed_actions | At least one action failed on the threat. | boolean |
| sentinel_one.threat.file.extension.type | File extension type. | keyword |
| sentinel_one.threat.file.identified_at | Identified at. | keyword |
| sentinel_one.threat.file.verification_type | File verification type. | keyword |
| sentinel_one.threat.id | Threat id. | keyword |
| sentinel_one.threat.incident.status | Incident status. | keyword |
| sentinel_one.threat.incident.status_description | Incident status description. | keyword |
| sentinel_one.threat.indicators.category.id | Indicators Category Id. | long |
| sentinel_one.threat.indicators.category.name | Indicators Category Name. | keyword |
| sentinel_one.threat.indicators.description | Indicators Description. | keyword |
| sentinel_one.threat.initiated.description | Initiated by description. | keyword |
| sentinel_one.threat.initiated.name | Source of threat. | keyword |
| sentinel_one.threat.initiating_user.id | Initiating user id. | keyword |
| sentinel_one.threat.initiating_user.name | Initiating user username. | keyword |
| sentinel_one.threat.is_fileless | Is fileless. | boolean |
| sentinel_one.threat.is_valid_certificate | True if the certificate is valid. | boolean |
| sentinel_one.threat.kubernetes.cluster | Cluster. | keyword |
| sentinel_one.threat.kubernetes.controller.kind | Controller kind. | keyword |
| sentinel_one.threat.kubernetes.controller.labels | Controller labels. | keyword |
| sentinel_one.threat.kubernetes.controller.name | Controller name. | keyword |
| sentinel_one.threat.kubernetes.namespace.labels | Namespace labels. | keyword |
| sentinel_one.threat.kubernetes.namespace.name | Namespace name. | keyword |
| sentinel_one.threat.kubernetes.node | Node. | keyword |
| sentinel_one.threat.kubernetes.pod.labels | Pod labels. | keyword |
| sentinel_one.threat.kubernetes.pod.name | Pod name. | keyword |
| sentinel_one.threat.malicious_process_arguments | Malicious process arguments. | keyword |
| sentinel_one.threat.mitigated_preemptively | True is the threat was blocked before execution. | boolean |
| sentinel_one.threat.mitigation.description | Mitigation status description. | keyword |
| sentinel_one.threat.mitigation.status | Mitigation status. | keyword |
| sentinel_one.threat.mitigation_status.action | Action. | keyword |
| sentinel_one.threat.mitigation_status.action_counters.failed | Actions counters Failed. | long |
| sentinel_one.threat.mitigation_status.action_counters.not_found | Actions counters Not found. | long |
| sentinel_one.threat.mitigation_status.action_counters.pending_reboot | Actions counters Pending reboot. | long |
| sentinel_one.threat.mitigation_status.action_counters.success | Actions counters Success. | long |
| sentinel_one.threat.mitigation_status.action_counters.total | Actions counters Total. | long |
| sentinel_one.threat.mitigation_status.agent_supports_report | The Agent generates a full mitigation report. | boolean |
| sentinel_one.threat.mitigation_status.group_not_found | Agent could not find the threat. | boolean |
| sentinel_one.threat.mitigation_status.last_update | Timestamp of last mitigation status update. | keyword |
| sentinel_one.threat.mitigation_status.latest_report | Report download URL. If None, there is no report. | keyword |
| sentinel_one.threat.mitigation_status.mitigation_ended_at | The time the Agent finished the mitigation. | keyword |
| sentinel_one.threat.mitigation_status.mitigation_started_at | The time the Agent started the mitigation. | keyword |
| sentinel_one.threat.mitigation_status.report_id | Report identifier. | keyword |
| sentinel_one.threat.mitigation_status.status | Status. | keyword |
| sentinel_one.threat.name | Threat name. | keyword |
| sentinel_one.threat.originator_process | Originator process. | keyword |
| sentinel_one.threat.pending_actions | At least one action is pending on the threat. | boolean |
| sentinel_one.threat.process_user | Process user. | keyword |
| sentinel_one.threat.publisher.name | Certificate publisher. | keyword |
| sentinel_one.threat.reached_events_limit | Has number of OS events for this threat reached the limit, resulting in a partial attack storyline. | boolean |
| sentinel_one.threat.reboot_required | A reboot is required on the endpoint for at least one threat. | boolean |
| sentinel_one.threat.storyline | Storyline identifier from agent. | keyword |
| sentinel_one.threat.threat_id | Threat id. | keyword |
| sentinel_one.threat.whitening_option | Whitening options. | keyword |
This integration includes one or more Kibana dashboards that visualizes the data collected by the integration. The screenshots below illustrate how the ingested data is displayed.
Changelog
| Version | Details | Kibana version(s) |
|---|---|---|
| 1.39.0 | Enhancement (View pull request) Update README instructions for generating the API token. |
8.18.7 or higher 8.19.4 or higher 9.0.7 or higher 9.1.4 or higher |
| 1.38.0 | Enhancement (View pull request) Add support for application risk data stream. |
8.18.7 or higher 8.19.4 or higher 9.0.7 or higher 9.1.4 or higher |
| 1.37.0 | Enhancement (View pull request) Add support for application data stream. |
8.18.0 or higher 9.0.0 or higher |
| 1.36.0 | Enhancement (View pull request) Add configuration option to filter results by Site IDs. |
8.18.0 or higher 9.0.0 or higher |
| 1.35.1 | Bug fix (View pull request) Add temporary processor to remove the fields added by the Agentless policy. |
8.18.0 or higher 9.0.0 or higher |
| 1.35.0 | Enhancement (View pull request) Normalize event.severity values across EDR integrations. |
8.18.0 or higher 9.0.0 or higher |
| 1.34.2 | Bug fix (View pull request) Fix the Activities by OS Family visualization in the Activities dashboard. |
8.18.0 or higher 9.0.0 or higher |
| 1.34.1 | Bug fix (View pull request) Fix default request trace enabled behavior. |
8.18.0 or higher 9.0.0 or higher |
| 1.34.0 | Enhancement (View pull request) Populate ECS field message for threat, alert and activity datastreams. |
8.18.0 or higher 9.0.0 or higher |
| 1.33.0 | Enhancement (View pull request) Update host.* ECS mappings. |
8.18.0 or higher 9.0.0 or higher |
| 1.32.0 | Enhancement (View pull request) Updated integration logo. |
8.18.0 or higher 9.0.0 or higher |
| 1.31.1 | Bug fix (View pull request) Fix handling of events with empty string values. |
8.18.0 or higher 9.0.0 or higher |
| 1.31.0 | Enhancement (View pull request) Enable request trace log removal. |
8.18.0 or higher 9.0.0 or higher |
| 1.30.0 | Enhancement (View pull request) Add agentless deployment. |
8.18.0 or higher 9.0.0 or higher |
| 1.29.1 | Bug fix (View pull request) Updated SSL description in package manifest.yml to be uniform and to include links to documentation. |
8.13.0 or higher 9.0.0 or higher |
| 1.29.0 | Enhancement (View pull request) Update Kibana constraint to support 9.0.0. |
8.13.0 or higher 9.0.0 or higher |
| 1.28.0 | Enhancement (View pull request) Handle comma-separated IP lists. Enhancement (View pull request) Improve error handling. |
8.13.0 or higher |
| 1.27.0 | Enhancement (View pull request) Do not remove event.original in main ingest pipeline. |
8.13.0 or higher |
| 1.26.0 | Enhancement (View pull request) Add "preserve_original_event" tag to documents with event.kind set to "pipeline_error". |
8.13.0 or higher |
| 1.25.1 | Bug fix (View pull request) Document limitation for using the alert data stream in on-premises environments. |
8.13.0 or higher |
| 1.25.0 | Enhancement (View pull request) Add agent.* to alerts data. |
8.13.0 or higher |
| 1.24.0 | Enhancement (View pull request) Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. |
8.13.0 or higher |
| 1.23.3 | Bug fix (View pull request) Fix sample event MAC address. |
8.12.0 or higher |
| 1.23.2 | Enhancement (View pull request) Change default interval to 30s for all data streams. |
8.12.0 or higher |
| 1.23.1 | Bug fix (View pull request) Fix sample event. |
8.12.0 or higher |
| 1.23.0 | Enhancement (View pull request) Make host.ip field conform to ECS field definition. |
8.12.0 or higher |
| 1.22.0 | Enhancement (View pull request) Add agent.id to all agent related data. |
8.12.0 or higher |
| 1.21.1 | Bug fix (View pull request) Fix Ingest Pipline Error in SentinelOne Package with k8s Elastic Agent. |
8.12.0 or higher |
| 1.21.0 | Enhancement (View pull request) Improve handling of empty responses. |
8.12.0 or higher |
| 1.20.0 | Enhancement (View pull request) Set sensitive values as secret and fix incorrect mappings. |
8.12.0 or higher |
| 1.19.2 | Enhancement (View pull request) Changed owners |
8.7.1 or higher |
| 1.19.1 | Enhancement (View pull request) Add information to README about support for response actions |
8.7.1 or higher |
| 1.19.0 | Enhancement (View pull request) Limit request tracer log count to five. |
8.7.1 or higher |
| 1.18.0 | Enhancement (View pull request) ECS version updated to 8.11.0. |
8.7.1 or higher |
| 1.17.0 | Enhancement (View pull request) Improve 'event.original' check to avoid errors if set. |
8.7.1 or higher |
| 1.16.1 | Bug fix (View pull request) Add support for a missing field. |
8.7.1 or higher |
| 1.16.0 | Enhancement (View pull request) Update the package format_version to 3.0.0. |
8.7.1 or higher |
| 1.15.0 | Bug fix (View pull request) Correct invalid ECS field usages at root-level. |
8.7.1 or higher |
| 1.14.0 | Enhancement (View pull request) ECS version updated to 8.10.0. |
8.7.1 or higher |
| 1.13.0 | Enhancement (View pull request) Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI. |
8.7.1 or higher |
| 1.12.0 | Enhancement (View pull request) Update package to ECS 8.9.0. |
8.7.1 or higher |
| 1.11.0 | Enhancement (View pull request) Convert dashboards to Lens. |
8.7.1 or higher |
| 1.10.0 | Enhancement (View pull request) Ensure event.kind is correctly set for pipeline errors. |
8.7.1 or higher |
| 1.9.0 | Enhancement (View pull request) Update package to ECS 8.8.0. |
8.7.1 or higher |
| 1.8.0 | Enhancement (View pull request) Update package-spec version to 2.7.0. |
8.7.1 or higher |
| 1.7.0 | Enhancement (View pull request) Add a new flag to enable request tracing |
8.7.1 or higher |
| 1.6.0 | Enhancement (View pull request) Update package to ECS 8.7.0. |
7.17.0 or higher 8.0.0 or higher |
| 1.5.2 | Enhancement (View pull request) Added categories and/or subcategories. |
7.17.0 or higher 8.0.0 or higher |
| 1.5.1 | Enhancement (View pull request) Set event.id from SentinelOne Threat ID |
7.17.0 or higher 8.0.0 or higher |
| 1.5.0 | Enhancement (View pull request) Update package to ECS 8.6.0. |
7.17.0 or higher 8.0.0 or higher |
| 1.4.0 | Enhancement (View pull request) Add an on_failure processor to the date processor and update the pagination termination condition. Bug fix (View pull request) Update newValue field type in Activity data stream. |
7.17.0 or higher 8.0.0 or higher |
| 1.3.0 | Enhancement (View pull request) Update package to ECS 8.5.0. |
7.17.0 or higher 8.0.0 or higher |
| 1.2.2 | Bug fix (View pull request) Ensure stability of related.hash array ordering. |
7.17.0 or higher 8.0.0 or higher |
| 1.2.1 | Bug fix (View pull request) Enrich the event.category, event.type, event.kind and event.outcome field based on activity. |
7.17.0 or higher 8.0.0 or higher |
| 1.2.0 | Enhancement (View pull request) Set event.kind to alert for Sentinel One Threats. |
7.17.0 or higher 8.0.0 or higher |
| 1.1.0 | Enhancement (View pull request) Update package to ECS 8.4.0 |
7.17.0 or higher 8.0.0 or higher |
| 1.0.0 | Enhancement (View pull request) Make GA |
7.17.0 or higher 8.0.0 or higher |
| 0.2.1 | Bug fix (View pull request) Fix proxy URL documentation rendering. |
— |
| 0.2.0 | Enhancement (View pull request) Update package to ECS 8.3.0. |
— |
| 0.1.0 | Enhancement (View pull request) Initial Release |
— |