| Table of Contents |
|---|
| maxLevel | 2 |
|---|
| minLevel | 2 |
|---|
| type | flat |
|---|
|
...
Valid tags and data tables
The full tag must have at least 3 levels. The first two are fixed asedr.sentinelone. The third level identifies the type of events sent, and the fourth level indicates the event subtype.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
|---|
SentinelOne agent events | edr.sentinelone.agent.agents
| edr.sentinelone.agent.agents
|
edr.sentinelone.agent.threats
| edr.sentinelone.agent.threats
|
SentinelOne Deep Visibility | edr.sentinelone.dv
| edr.sentinelone.dv
|
edr.sentinelone.dv.cross_process
| edr.sentinelone.dv.cross_process
|
edr.sentinelone.dv.dns
| edr.sentinelone.dv.dns
|
edr.sentinelone.dv.driver
| edr.sentinelone.dv.driver
|
edr.sentinelone.dv.file
| edr.sentinelone.dv.file
|
edr.sentinelone.dv.group
| edr.sentinelone.dv.group
|
edr.sentinelone.dv.indicators
| edr.sentinelone.dv.indicators
|
edr.sentinelone.dv.ip
| edr.sentinelone.dv.ip
|
edr.sentinelone.dv.logins
| edr.sentinelone.dv.logins
|
edr.sentinelone.dv.module
| edr.sentinelone.dv.module
|
edr.sentinelone.dv.process
| edr.sentinelone.dv.process
|
edr.sentinelone.dv.registry
| edr.sentinelone.dv.registry
|
edr.sentinelone.dv.scheduled_task
| edr.sentinelone.dv.scheduled_task
|
SentinelOne management events | edr.sentinelone.management.activities
| edr.sentinelone.management.activities
|
How is the data sent to Devo?
To send events to the edr.sentinelone.dv tables, you must use the SentinelOne Deep Visibility with Cloud Funnel collector.
Table structure
These are the fields displayed in these tables:
...
