Page Comparison

Table of Contents

maxLevel	2
minLevel	2
type	flat

...

Valid tags and data tables

The full tag must have at least 3 levels. The first two are fixed asedr.sentinelone. The third level identifies the type of events sent, and the fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables
SentinelOne agent events	`edr.sentinelone.agent.agents`	`edr.sentinelone.agent.agents`
SentinelOne agent events	`edr.sentinelone.agent.threats`	`edr.sentinelone.agent.threats`
SentinelOne Deep Visibility	`edr.sentinelone.dv`	`edr.sentinelone.dv`
	`edr.sentinelone.dv.cross_process`	`edr.sentinelone.dv.cross_process`
	`edr.sentinelone.dv.dns`	`edr.sentinelone.dv.dns`
	`edr.sentinelone.dv.driver`	`edr.sentinelone.dv.driver`
	`edr.sentinelone.dv.file`	`edr.sentinelone.dv.file`
	`edr.sentinelone.dv.group`	`edr.sentinelone.dv.group`
	`edr.sentinelone.dv.indicators`	`edr.sentinelone.dv.indicators`
	`edr.sentinelone.dv.ip`	`edr.sentinelone.dv.ip`
	`edr.sentinelone.dv.logins`	`edr.sentinelone.dv.logins`
	`edr.sentinelone.dv.module`	`edr.sentinelone.dv.module`
	`edr.sentinelone.dv.process`	`edr.sentinelone.dv.process`
	`edr.sentinelone.dv.registry`	`edr.sentinelone.dv.registry`
	`edr.sentinelone.dv.scheduled_task`	`edr.sentinelone.dv.scheduled_task`
	`edr.sentinelone.dv.url`	`edr.sentinelone.dv.url`
SentinelOne management events	`edr.sentinelone.management.activities`	`edr.sentinelone.management.activities`

How is the data sent to Devo?

...

str

Rw ui tabs macro

Rw tab

title	1-4

edr.sentinelone.agent.agents
edr.sentinelone.agent.threats
edr.sentinelone.dv
edr.sentinelone.dv.cross_process

Anchor
tag1
tag1
edr.sentinelone.agent.agents

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

hostname

str

accountId

str

accountName

str

computerDistinguishedName

str

computerMemberOf

str

lastUserDistinguishedName

str

lastUserMemberOf

str

activeThreats

int4

agentVersion

str

allowRemoteShell

bool

appsVulnerabilityStatus

str

cloudProviders

str

computerName

str

consoleMigrationStatus

str

coreCount

int4

cpuCount

int4

cpuId

str

createdAt

timestamp

domain

str

encryptedApplications

bool

externalId

str

externalIp

str

externalIpv4

ip4

Code Block
ip4(externalIp)

externalIp

externalIpv6

str

Code Block
ifthenelse(isnull(externalIpv4), externalIp, null)

externalIp

externalIpv4

firewallEnabled

bool

groupId

str

groupIp

str

groupIpv4

ip4

Code Block
ip4(groupIp)

groupIp

groupIpv6

str

Code Block
ifthenelse(isnull(groupIpv4), groupIp, null)

groupIpv4

groupIp

groupName

str

id

str

inRemoteShellSession

bool

infected

bool

installerType

str

isActive

bool

isDecommissioned

bool

isPendingUninstall

bool

isUninstalled

bool

isUpToDate

bool

lastActiveDate

timestamp

lastIpToMgmt

ip4

lastLoggedInUserName

str

licenseKey

str

locationEnabled

bool

locationType

str

locations

str

machineType

str

mitigationMode

str

mitigationModeSuspicious

str

modelName

str

networkInterfaces

str

networkQuarantineEnabled

bool

networkStatus

str

operationalState

str

operationalStateExpiration

str

osArch

str

osName

str

osRevision

str

osStartTime

timestamp

osType

str

osUsername

str

rangerStatus

str

rangerVersion

str

registeredAt

timestamp

remoteProfilingState

str

remoteProfilingStateExpiration

str

scanAbortedAt

timestamp

scanFinishedAt

timestamp

scanStartedAt

timestamp

scanStatus

str

siteId

str

siteName

str

storageName

str

storageType

str

threatRebootRequired

bool

totalMemory

int4

updatedAt

timestamp

userActionsNeeded

str

uuid

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Anchor
tag2
tag2
edr.sentinelone.agent.threats

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

hostname

str

agentDetectionInfo__accountId

str

agentDetectionInfo__accountName

str

agentDetectionInfo__agentDomain

str

agentDetectionInfo__agentIpV4

ip4

agentDetectionInfo__agentIpV6

str

agentDetectionInfo__agentLastLoggedInUserName

str

agentDetectionInfo__agentMitigationMode

str

agentDetectionInfo__agentOsName

str

agentDetectionInfo__agentOsRevision

str

agentDetectionInfo__agentRegisteredAt

timestamp

agentDetectionInfo__agentUuid

str

agentDetectionInfo__agentVersion

str

agentDetectionInfo__externalIp

str

agentDetectionInfo__externalIp4

ip4

Code Block
ip4(agentDetectionInfo__externalIp)

agentDetectionInfo__externalIp

agentDetectionInfo__externalIp6

ip6

Code Block
ip6(agentDetectionInfo__externalIp)

agentDetectionInfo__externalIp

agentDetectionInfo__groupId

str

agentDetectionInfo__groupName

str

agentDetectionInfo__siteId

str

agentDetectionInfo__siteName

str

agentRealtimeInfo__accountId

str

agentRealtimeInfo__accountName

str

agentRealtimeInfo__activeThreats

int4

agentRealtimeInfo__agentComputerName

str

agentRealtimeInfo__agentDecommissionedAt

bool

agentRealtimeInfo__agentDomain

str

agentRealtimeInfo__agentId

str

agentRealtimeInfo__agentInfected

bool

agentRealtimeInfo__agentIsActive

bool

agentRealtimeInfo__agentIsDecommissioned

bool

agentRealtimeInfo__agentMachineType

str

agentRealtimeInfo__agentMitigationMode

str

agentRealtimeInfo__agentNetworkStatus

str

agentRealtimeInfo__agentOsName

str

agentRealtimeInfo__agentOsRevision

str

agentRealtimeInfo__agentOsType

str

agentRealtimeInfo__agentUuid

str

agentRealtimeInfo__agentVersion

str

agentRealtimeInfo__groupId

str

agentRealtimeInfo__groupName

str

agentRealtimeInfo__networkInterfaces

str

agentRealtimeInfo__operationalState

str

agentRealtimeInfo__rebootRequired

bool

agentRealtimeInfo__scanAbortedAt

timestamp

agentRealtimeInfo__scanFinishedAt

timestamp

agentRealtimeInfo__scanStartedAt

timestamp

agentRealtimeInfo__scanStatus

str

agentRealtimeInfo__siteId

str

agentRealtimeInfo__siteName

str

agentRealtimeInfo__storageName

str

agentRealtimeInfo__storageType

str

agentRealtimeInfo__userActionsNeeded

str

containerInfo__id

str

containerInfo__image

str

containerInfo__labels

str

containerInfo__name

str

id

str

indicators

str

kubernetesInfo__cluster

str

kubernetesInfo__controllerKind

str

kubernetesInfo__controllerLabels

str

kubernetesInfo__controllerName

str

kubernetesInfo__namespace

str

kubernetesInfo__namespaceLabels

str

kubernetesInfo__node

str

kubernetesInfo__pod

str

kubernetesInfo__podLabels

str

mitigationStatus

str

threatInfo__analystVerdict

str

threatInfo__analystVerdictDescription

str

threatInfo__automaticallyResolved

bool

threatInfo__browserType

str

threatInfo__certificateId

str

threatInfo__classification

str

threatInfo__classificationSource

str

threatInfo__cloudFilesHashVerdict

str

threatInfo__collectionId

str

threatInfo__confidenceLevel

str

threatInfo__createdAt

timestamp

threatInfo__detectionEngines

str

threatInfo__detectionType

str

threatInfo__engines

str

threatInfo__externalTicketExists

bool

threatInfo__externalTicketId

str

threatInfo__failedActions

bool

threatInfo__fileExtension

str

threatInfo__fileExtensionType

str

threatInfo__filePath

str

threatInfo__fileSize

int8

threatInfo__fileVerificationType

str

threatInfo__identifiedAt

timestamp

threatInfo__incidentStatus

str

threatInfo__incidentStatusDescription

str

threatInfo__initiatedBy

str

threatInfo__initiatedByDescription

str

threatInfo__initiatingUserId

str

threatInfo__initiatingUsername

str

threatInfo__isFileless

bool

threatInfo__isValidCertificate

bool

threatInfo__maliciousProcessArguments

str

threatInfo__md5

str

threatInfo__mitigatedPreemptively

bool

threatInfo__mitigationStatus

str

threatInfo__mitigationStatusDescription

str

threatInfo__originatorProcess

str

threatInfo__pendingActions

bool

threatInfo__processUser

str

threatInfo__publisherName

str

threatInfo__reachedEventsLimit

bool

threatInfo__rebootRequired

bool

threatInfo__sha1

str

threatInfo__sha256

str

threatInfo__storyline

str

threatInfo__threatId

str

threatInfo__threatName

str

threatInfo__updatedAt

timestamp

whiteningOptions

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Anchor
tag3
tag3
edr.sentinelone.dv

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

hostname

str

tagging_source

str

Code Block
ifthenelse(vType = "events", "legacy", vType)

vType

hostchain

str

✓

tag

str

✓

rawMessage

str

Anchor
tag4
tag4
edr.sentinelone.dv.cross_process

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
tgt_process_display_name	`str`
src_process_parent_is_storyline_root	`bool`
event_category	`str`
src_process_parent_image_sha1	`str`
site_id	`str`
src_process_image_binary_is_executable	`bool`
src_process_parent_display_name	`str`
tgt_process_storyline_id	`str`
tgt_process_is_native64_bit	`bool`
src_process_user	`str`
src_process_parent_subsystem	`str`
src_process_indicator_ransomware_count	`int8`
src_process_cross_process_dup_remote_process_handle_count	`int8`
src_process_tgt_file_creation_count	`int8`
src_process_indicator_injection_count	`int8`
src_process_module_count	`int8`
src_process_parent_name	`str`
i_version	`str`
sca_atlantis_ingest_time	`timestamp`
src_process_image_md5	`str`
src_process_indicator_reconnaissance_count	`int8`
src_process_storyline_id	`str`
src_process_child_proc_count	`int8`
mgmt_url	`str`
tgt_process_image_binary_is_executable	`bool`
src_process_cross_process_open_process_count	`int8`
tgt_process_subsystem	`str`
tgt_process_image_sha256	`str`
src_process_subsystem	`str`
meta_event_name	`str`
src_process_parent_integrity_level	`str`
tgt_process_publisher	`str`
src_process_indicator_exploitation_count	`int8`
src_process_parent_storyline_id	`str`
tgt_process_verified_status	`str`
tgt_process_image_path	`str`
i_scheme	`str`
src_process_integrity_level	`str`
tgt_process_integrity_level	`str`
src_process_net_conn_in_count	`int8`
tgt_process_image_md5	`str`
event_time	`timestamp`
timestamp	`timestamp`
account_id	`str`
data_source_name	`str`
endpoint_name	`str`
src_process_image_sha1	`str`
src_process_is_storyline_root	`bool`
tgt_process_relation	`str`
src_process_parent_image_path	`str`
data_source_vendor	`str`
src_process_pid	`int8`
tgt_file_is_signed	`str`
sca_ingest_time	`timestamp`
data_source_category	`str`
src_process_cmdline	`str`
src_process_publisher	`str`
src_process_cross_process_thread_create_count	`int8`
src_process_parent_is_native64_bit	`bool`
tgt_process_image_sha1	`str`
src_process_parent_is_redirect_cmd_processor	`bool`
src_process_signed_status	`str`
src_process_cross_process_count	`int8`
event_id	`str`
src_process_parent_cmdline	`str`
src_process_image_path	`str`
src_process_tgt_file_modification_count	`int8`
src_process_indicator_evasion_count	`int8`
src_process_net_conn_out_count	`int8`
tgt_process_pid	`int8`
src_process_cross_process_dup_thread_handle_count	`int8`
tgt_process_name	`str`
endpoint_os	`str`
tgt_process_signed_status	`str`
src_process_tgt_file_deletion_count	`int8`
src_process_start_time	`timestamp`
mgmt_id	`str`
os_name	`str`
tgt_process_access_rights	`int8`
tgt_process_cmdline	`str`
src_process_display_name	`str`
src_process_is_native64_bit	`bool`
src_process_parent_session_id	`int8`
src_process_uid	`str`
src_process_parent_image_md5	`str`
src_process_indicator_infostealer_count	`int8`
src_process_indicator_boot_configuration_update_count	`int8`
process_unique_key	`str`
tgt_process_uid	`str`
tgt_process_is_storyline_root	`bool`
agent_version	`str`
src_process_parent_uid	`str`
src_process_parent_image_sha256	`str`
src_process_session_id	`int8`
src_process_net_conn_count	`int8`
mgmt_os_revision	`str`
group_id	`str`
src_process_is_redirect_cmd_processor	`bool`
src_process_verified_status	`str`
tgt_process_start_time	`timestamp`
src_process_parent_publisher	`str`
src_process_parent_start_time	`timestamp`
src_process_dns_count	`int8`
endpoint_type	`str`
trace_id	`str`
src_process_name	`str`
agent_uuid	`str`
src_process_image_sha256	`str`
tgt_process_user	`str`
src_process_indicator_general_count	`int8`
src_process_cross_process_out_of_storyline_count	`int8`
src_process_registry_change_count	`int8`
packet_id	`str`
tgt_process_session_id	`int8`
src_process_indicator_persistence_count	`int8`
src_process_parent_signed_status	`str`
src_process_parent_user	`str`
tgt_process_is_redirect_cmd_processor	`bool`
event_type	`str`
src_process_indicator_post_exploitation_count	`int8`
src_process_parent_pid	`int8`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Rw tab

title	5-8

edr.sentinelone.dv.dns
edr.sentinelone.dv.driver
edr.sentinelone.dv.file
edr.sentinelone.dv.group

Anchor
tag5
tag5
edr.sentinelone.dv.dns

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
src_process_parent_is_storyline_root	`bool`
event_category	`str`
src_process_parent_image_sha1	`str`
site_id	`str`
os_src_process_is_redirect_cmd_processor	`bool`
src_process_image_binary_is_executable	`bool`
src_process_parent_display_name	`str`
os_src_process_image_md5	`str`
os_src_process_cross_process_open_process_count	`int8`
os_src_process_publisher	`str`
os_src_process_cross_process_dup_thread_handle_count	`int8`
src_process_user	`str`
os_src_process_indicator_persistence_count	`int8`
src_process_parent_subsystem	`str`
src_process_indicator_ransomware_count	`int8`
src_process_cross_process_dup_remote_process_handle_count	`int8`
os_src_process_cross_process_out_of_storyline_count	`int8`
os_src_process_image_sha1	`str`
src_process_tgt_file_creation_count	`int8`
os_src_process_child_proc_count	`int8`
src_process_indicator_injection_count	`int8`
os_src_process_indicator_reconnaissance_count	`int8`
src_process_module_count	`int8`
src_process_parent_name	`str`
i_version	`str`
os_src_process_signed_status	`str`
sca_atlantis_ingest_time	`timestamp`
src_process_image_md5	`str`
src_process_indicator_reconnaissance_count	`int8`
src_process_storyline_id	`str`
src_process_child_proc_count	`int8`
mgmt_url	`str`
src_process_cross_process_open_process_count	`int8`
os_src_process_cross_process_thread_create_count	`int8`
os_src_process_module_count	`int8`
os_src_process_indicator_post_exploitation_count	`int8`
os_src_process_indicator_infostealer_count	`int8`
src_process_subsystem	`str`
meta_event_name	`str`
src_process_parent_integrity_level	`str`
os_src_process_user	`str`
os_src_process_image_binary_is_executable	`bool`
os_src_process_tgt_file_modification_count	`int8`
src_process_indicator_exploitation_count	`int8`
os_src_process_registry_change_count	`int8`
src_process_parent_storyline_id	`str`
os_src_process_net_conn_in_count	`int8`
i_scheme	`str`
src_process_integrity_level	`str`
os_src_process_indicator_injection_count	`int8`
os_src_process_pid	`int8`
src_process_net_conn_in_count	`int8`
event_time	`timestamp`
event_dns_response	`str`
timestamp	`timestamp`
account_id	`str`
data_source_name	`str`
os_src_process_cross_process_count	`int8`
endpoint_name	`str`
src_process_image_sha1	`str`
src_process_is_storyline_root	`bool`
src_process_parent_image_path	`str`
os_src_process_is_native64_bit	`bool`
data_source_vendor	`str`
src_process_pid	`int8`
os_src_process_uid	`str`
tgt_file_is_signed	`str`
sca_ingest_time	`timestamp`
data_source_category	`str`
src_process_cmdline	`str`
src_process_publisher	`str`
src_process_cross_process_thread_create_count	`int8`
src_process_parent_is_native64_bit	`bool`
os_src_process_is_storyline_root	`bool`
src_process_parent_is_redirect_cmd_processor	`bool`
os_src_process_integrity_level	`str`
src_process_signed_status	`str`
src_process_cross_process_count	`int8`
os_src_process_subsystem	`str`
event_id	`str`
os_src_process_cross_process_dup_remote_process_handle_count	`int8`
os_src_process_tgt_file_creation_count	`int8`
src_process_parent_cmdline	`str`
src_process_image_path	`str`
src_process_tgt_file_modification_count	`int8`
os_src_process_name	`str`
src_process_indicator_evasion_count	`int8`
src_process_net_conn_out_count	`int8`
os_src_process_start_time	`timestamp`
src_process_cross_process_dup_thread_handle_count	`int8`
endpoint_os	`str`
os_src_process_net_conn_out_count	`int8`
os_src_process_image_sha256	`str`
src_process_tgt_file_deletion_count	`int8`
src_process_start_time	`timestamp`
mgmt_id	`str`
os_src_process_indicator_ransomware_count	`int8`
os_src_process_net_conn_count	`int8`
os_name	`str`
os_src_process_indicator_general_count	`int8`
src_process_display_name	`str`
os_src_process_dns_count	`int8`
event_dns_request	`str`
src_process_is_native64_bit	`bool`
src_process_parent_session_id	`int8`
os_src_process_session_id	`int8`
src_process_uid	`str`
src_process_parent_image_md5	`str`
os_src_process_verified_status	`str`
os_src_process_cmdline	`str`
src_process_indicator_infostealer_count	`int8`
src_process_indicator_boot_configuration_update_count	`int8`
process_unique_key	`str`
agent_version	`str`
src_process_parent_uid	`str`
src_process_parent_image_sha256	`str`
src_process_session_id	`int8`
src_process_net_conn_count	`int8`
mgmt_os_revision	`str`
os_src_process_image_path	`str`
group_id	`str`
os_src_process_indicator_boot_configuration_update_count	`int8`
src_process_is_redirect_cmd_processor	`bool`
src_process_verified_status	`str`
src_process_parent_publisher	`str`
src_process_parent_start_time	`timestamp`
os_src_process_indicator_exploitation_count	`int8`
src_process_dns_count	`int8`
os_src_process_tgt_file_deletion_count	`int8`
os_src_process_indicator_evasion_count	`int8`
endpoint_type	`str`
trace_id	`str`
src_process_name	`str`
agent_uuid	`str`
os_src_process_display_name	`str`
src_process_image_sha256	`str`
src_process_indicator_general_count	`int8`
src_process_cross_process_out_of_storyline_count	`int8`
src_process_registry_change_count	`int8`
packet_id	`str`
src_process_indicator_persistence_count	`int8`
src_process_parent_signed_status	`str`
src_process_parent_user	`str`
os_src_process_storyline_id	`str`
event_type	`str`
src_process_indicator_post_exploitation_count	`int8`
src_process_parent_pid	`int8`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
tag6
tag6
edr.sentinelone.dv.driver

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
src_process_parent_is_storyline_root	`bool`
event_category	`str`
tgt_file_modification_time	`int8`
src_process_parent_image_sha1	`str`
site_id	`str`
tgt_file_location	`str`
os_src_process_is_redirect_cmd_processor	`bool`
src_process_image_binary_is_executable	`bool`
src_process_parent_display_name	`str`
os_src_process_publisher	`str`
src_process_user	`str`
src_process_parent_subsystem	`str`
src_process_indicator_ransomware_count	`int8`
src_process_cross_process_dup_remote_process_handle_count	`int8`
os_src_process_image_sha1	`str`
src_process_tgt_file_creation_count	`int8`
src_process_indicator_injection_count	`int8`
src_process_module_count	`int8`
src_process_parent_name	`str`
i_version	`str`
os_src_process_signed_status	`str`
driver_start_type	`int8`
sca_atlantis_ingest_time	`timestamp`
src_process_image_md5	`str`
src_process_indicator_reconnaissance_count	`int8`
src_process_storyline_id	`str`
src_process_child_proc_count	`int8`
mgmt_url	`str`
src_process_cross_process_open_process_count	`int8`
src_process_subsystem	`str`
meta_event_name	`str`
src_process_parent_integrity_level	`str`
os_src_process_user	`str`
os_src_process_image_binary_is_executable	`bool`
src_process_indicator_exploitation_count	`int8`
src_process_parent_storyline_id	`str`
driver_pe_sha1	`str`
tgt_file_creation_time	`int8`
i_scheme	`str`
src_process_integrity_level	`str`
os_src_process_pid	`int8`
src_process_net_conn_in_count	`int8`
event_time	`timestamp`
timestamp	`timestamp`
account_id	`str`
data_source_name	`str`
endpoint_name	`str`
tgt_file_size	`int8`
src_process_image_sha1	`str`
src_process_is_storyline_root	`bool`
src_process_parent_image_path	`str`
tgt_file_sha1	`str`
os_src_process_is_native64_bit	`bool`
data_source_vendor	`str`
src_process_pid	`int8`
os_src_process_uid	`str`
tgt_file_is_signed	`str`
sca_ingest_time	`timestamp`
data_source_category	`str`
src_process_cmdline	`str`
src_process_publisher	`str`
src_process_cross_process_thread_create_count	`int8`
src_process_parent_is_native64_bit	`bool`
os_src_process_is_storyline_root	`bool`
src_process_parent_is_redirect_cmd_processor	`bool`
tgt_file_description	`str`
os_src_process_integrity_level	`str`
driver_certificate_thumbprint_algorithm	`int8`
src_process_signed_status	`str`
src_process_cross_process_count	`int8`
os_src_process_subsystem	`str`
tgt_file_is_executable	`bool`
event_id	`str`
src_process_parent_cmdline	`str`
src_process_image_path	`str`
src_process_tgt_file_modification_count	`int8`
os_src_process_name	`str`
src_process_indicator_evasion_count	`int8`
src_process_net_conn_out_count	`int8`
tgt_file_path	`str`
tgt_file_extension	`str`
os_src_process_start_time	`timestamp`
src_process_cross_process_dup_thread_handle_count	`int8`
endpoint_os	`str`
src_process_tgt_file_deletion_count	`int8`
src_process_start_time	`timestamp`
mgmt_id	`str`
os_name	`str`
tgt_file_type	`str`
src_process_display_name	`str`
tgt_file_sha256	`str`
src_process_is_native64_bit	`bool`
src_process_parent_session_id	`int8`
os_src_process_session_id	`int8`
src_process_uid	`str`
src_process_parent_image_md5	`str`
os_src_process_verified_status	`str`
src_process_indicator_infostealer_count	`int8`
src_process_indicator_boot_configuration_update_count	`int8`
process_unique_key	`str`
driver_pe_sha256	`str`
agent_version	`str`
src_process_parent_uid	`str`
src_process_parent_image_sha256	`str`
src_process_session_id	`int8`
src_process_net_conn_count	`int8`
mgmt_os_revision	`str`
driver_is_loaded_before_monitor	`bool`
os_src_process_image_path	`str`
group_id	`str`
driver_certificate_thumbprint	`str`
src_process_is_redirect_cmd_processor	`bool`
src_process_verified_status	`str`
src_process_parent_publisher	`str`
src_process_parent_start_time	`timestamp`
src_process_dns_count	`int8`
endpoint_type	`str`
trace_id	`str`
src_process_name	`str`
tgt_file_md5	`str`
agent_uuid	`str`
os_src_process_display_name	`str`
src_process_image_sha256	`str`
src_process_indicator_general_count	`int8`
tgt_file_internal_name	`str`
src_process_cross_process_out_of_storyline_count	`int8`
src_process_registry_change_count	`int8`
packet_id	`str`
src_process_indicator_persistence_count	`int8`
src_process_parent_signed_status	`str`
src_process_parent_user	`str`
tgt_file_id	`str`
driver_load_verdict	`str`
os_src_process_storyline_id	`str`
event_type	`str`
task_path	`str`
src_process_indicator_post_exploitation_count	`int8`
src_process_parent_pid	`int8`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
tag7
tag7
edr.sentinelone.dv.file

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
src_process_parent_is_storyline_root	`bool`
event_category	`str`
tgt_file_modification_time	`timestamp`
src_process_parent_image_sha1	`str`
site_id	`str`
tgt_file_location	`str`
src_process_image_binary_is_executable	`bool`
src_process_parent_display_name	`str`
src_process_user	`str`
src_process_parent_subsystem	`str`
src_process_indicator_ransomware_count	`int8`
src_process_cross_process_dup_remote_process_handle_count	`int8`
src_process_tgt_file_creation_count	`int8`
src_process_indicator_injection_count	`int8`
src_process_module_count	`int8`
src_process_parent_name	`str`
i_version	`str`
sca_atlantis_ingest_time	`timestamp`
src_process_image_md5	`str`
src_process_indicator_reconnaissance_count	`int8`
src_process_storyline_id	`str`
src_process_child_proc_count	`int8`
mgmt_url	`str`
src_process_cross_process_open_process_count	`int8`
src_process_subsystem	`str`
meta_event_name	`str`
src_process_parent_integrity_level	`str`
src_process_indicator_exploitation_count	`int8`
src_process_parent_storyline_id	`str`
tgt_file_creation_time	`timestamp`
i_scheme	`str`
src_process_integrity_level	`str`
src_process_net_conn_in_count	`int8`
event_time	`timestamp`
timestamp	`timestamp`
account_id	`str`
data_source_name	`str`
endpoint_name	`str`
tgt_file_size	`int8`
src_process_image_sha1	`str`
src_process_is_storyline_root	`bool`
src_process_parent_image_path	`str`
data_source_vendor	`str`
src_process_pid	`int8`
sca_ingest_time	`timestamp`
data_source_category	`str`
src_process_cmdline	`str`
src_process_publisher	`str`
src_process_cross_process_thread_create_count	`int8`
src_process_parent_is_native64_bit	`bool`
src_process_parent_is_redirect_cmd_processor	`bool`
src_process_signed_status	`str`
src_process_cross_process_count	`int8`
tgt_file_is_executable	`bool`
event_id	`str`
src_process_parent_cmdline	`str`
src_process_image_path	`str`
src_process_tgt_file_modification_count	`int8`
src_process_indicator_evasion_count	`int8`
src_process_net_conn_out_count	`int8`
tgt_file_path	`str`
src_process_cross_process_dup_thread_handle_count	`int8`
endpoint_os	`str`
src_process_tgt_file_deletion_count	`int8`
src_process_start_time	`timestamp`
mgmt_id	`str`
os_name	`str`
tgt_file_type	`str`
src_process_display_name	`str`
src_process_is_native64_bit	`bool`
src_process_parent_session_id	`int8`
src_process_uid	`str`
src_process_parent_image_md5	`str`
src_process_indicator_infostealer_count	`int8`
src_process_indicator_boot_configuration_update_count	`int8`
process_unique_key	`str`
agent_version	`str`
src_process_parent_uid	`str`
src_process_parent_image_sha256	`str`
src_process_session_id	`int8`
src_process_net_conn_count	`int8`
mgmt_os_revision	`str`
group_id	`str`
src_process_is_redirect_cmd_processor	`bool`
src_process_verified_status	`str`
src_process_parent_publisher	`str`
src_process_parent_start_time	`timestamp`
src_process_dns_count	`int8`
endpoint_type	`str`
trace_id	`str`
src_process_name	`str`
agent_uuid	`str`
src_process_image_sha256	`str`
src_process_indicator_general_count	`int8`
src_process_cross_process_out_of_storyline_count	`int8`
src_process_registry_change_count	`int8`
packet_id	`str`
src_process_indicator_persistence_count	`int8`
src_process_parent_signed_status	`str`
src_process_parent_user	`str`
tgt_file_id	`str`
event_type	`str`
task_path	`str`
src_process_indicator_post_exploitation_count	`int8`
src_process_parent_pid	`int8`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
tag8
tag8
edr.sentinelone.dv.group

Rw tab

title	9-12

edr.sentinelone.dv.indicators
edr.sentinelone.dv.ip
edr.sentinelone.dv.logins
edr.sentinelone.dv.module

Anchor
tag9
tag9
edr.sentinelone.dv.indicators

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
src_process_parent_is_storyline_root	`bool`
event_category	`str`
src_process_parent_image_sha1	`str`
site_id	`str`
src_process_image_binary_is_executable	`bool`
src_process_parent_display_name	`str`
src_process_user	`str`
src_process_parent_subsystem	`str`
indicator_category	`str`
src_process_indicator_ransomware_count	`int8`
src_process_cross_process_dup_remote_process_handle_count	`int8`
src_process_tgt_file_creation_count	`int8`
src_process_indicator_injection_count	`int8`
indicator_description	`str`
src_process_module_count	`int8`
src_process_parent_name	`str`
i_version	`str`
sca_atlantis_ingest_time	`timestamp`
src_process_image_md5	`str`
src_process_indicator_reconnaissance_count	`int8`
src_process_storyline_id	`str`
src_process_child_proc_count	`int8`
mgmt_url	`str`
src_process_cross_process_open_process_count	`int8`
src_process_subsystem	`str`
meta_event_name	`str`
src_process_parent_integrity_level	`str`
src_process_indicator_exploitation_count	`int8`
src_process_parent_storyline_id	`str`
i_scheme	`str`
src_process_integrity_level	`str`
src_process_net_conn_in_count	`int8`
event_time	`timestamp`
timestamp	`timestamp`
account_id	`str`
data_source_name	`str`
endpoint_name	`str`
src_process_image_sha1	`str`
src_process_is_storyline_root	`bool`
src_process_parent_image_path	`str`
src_process_tid	`int8`
data_source_vendor	`str`
src_process_pid	`int8`
tgt_file_is_signed	`str`
sca_ingest_time	`timestamp`
data_source_category	`str`
src_process_cmdline	`str`
src_process_publisher	`str`
src_process_cross_process_thread_create_count	`int8`
src_process_parent_is_native64_bit	`bool`
src_process_parent_is_redirect_cmd_processor	`bool`
src_process_signed_status	`str`
src_process_cross_process_count	`int8`
event_id	`str`
src_process_parent_cmdline	`str`
src_process_image_path	`str`
src_process_tgt_file_modification_count	`int8`
src_process_indicator_evasion_count	`int8`
src_process_net_conn_out_count	`int8`
src_process_cross_process_dup_thread_handle_count	`int8`
endpoint_os	`str`
src_process_tgt_file_deletion_count	`int8`
src_process_start_time	`timestamp`
mgmt_id	`str`
os_name	`str`
src_process_display_name	`str`
src_process_is_native64_bit	`bool`
src_process_parent_session_id	`int8`
src_process_uid	`str`
src_process_parent_image_md5	`str`
src_process_indicator_infostealer_count	`int8`
src_process_indicator_boot_configuration_update_count	`int8`
process_unique_key	`str`
agent_version	`str`
src_process_parent_uid	`str`
src_process_parent_image_sha256	`str`
src_process_session_id	`int8`
src_process_net_conn_count	`int8`
mgmt_os_revision	`str`
group_id	`str`
src_process_is_redirect_cmd_processor	`bool`
src_process_verified_status	`str`
src_process_parent_publisher	`str`
src_process_parent_start_time	`timestamp`
src_process_dns_count	`int8`
endpoint_type	`str`
trace_id	`str`
src_process_name	`str`
agent_uuid	`str`
src_process_image_sha256	`str`
src_process_indicator_general_count	`int8`
indicator_name	`str`
src_process_cross_process_out_of_storyline_count	`int8`
src_process_registry_change_count	`int8`
packet_id	`str`
src_process_indicator_persistence_count	`int8`
src_process_parent_signed_status	`str`
src_process_parent_user	`str`
event_type	`str`
src_process_indicator_post_exploitation_count	`int8`
src_process_parent_pid	`int8`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
tag10
tag10
edr.sentinelone.dv.ip

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
src_process_parent_is_storyline_root	`bool`
event_category	`str`
src_process_parent_image_sha1	`str`
site_id	`str`
src_process_image_binary_is_executable	`bool`
src_process_parent_display_name	`str`
src_process_user	`str`
src_process_parent_subsystem	`str`
src_process_indicator_ransomware_count	`int8`
src_process_cross_process_dup_remote_process_handle_count	`int8`
src_process_tgt_file_creation_count	`int8`
src_process_indicator_injection_count	`int8`
src_process_module_count	`int8`
src_process_parent_name	`str`
i_version	`str`
sca_atlantis_ingest_time	`timestamp`
src_process_image_md5	`str`
src_process_indicator_reconnaissance_count	`int8`
src_process_storyline_id	`str`
src_process_child_proc_count	`int8`
mgmt_url	`str`
src_process_cross_process_open_process_count	`int8`
src_process_subsystem	`str`
meta_event_name	`str`
src_process_parent_integrity_level	`str`
src_port_number	`int8`
event_network_protocol_name	`str`
src_process_indicator_exploitation_count	`int8`
src_process_parent_storyline_id	`str`
i_scheme	`str`
src_process_integrity_level	`str`
src_process_net_conn_in_count	`int8`
event_time	`timestamp`
timestamp	`timestamp`
account_id	`str`
data_source_name	`str`
endpoint_name	`str`
src_process_image_sha1	`str`
src_process_is_storyline_root	`bool`
src_process_parent_image_path	`str`
dst_port_number	`int8`
data_source_vendor	`str`
src_process_pid	`int8`
tgt_file_is_signed	`str`
sca_ingest_time	`timestamp`
data_source_category	`str`
src_process_cmdline	`str`
src_process_publisher	`str`
src_process_cross_process_thread_create_count	`int8`
src_process_parent_is_native64_bit	`bool`
src_process_parent_is_redirect_cmd_processor	`bool`
src_process_signed_status	`str`
src_process_cross_process_count	`int8`
event_id	`str`
src_process_parent_cmdline	`str`
src_process_image_path	`str`
src_process_tgt_file_modification_count	`int8`
src_process_indicator_evasion_count	`int8`
src_process_net_conn_out_count	`int8`
event_network_direction	`str`
src_process_cross_process_dup_thread_handle_count	`int8`
endpoint_os	`str`
src_process_tgt_file_deletion_count	`int8`
src_ip_address	`ip4`
src_process_start_time	`timestamp`
mgmt_id	`str`
os_name	`str`
src_process_display_name	`str`
src_process_is_native64_bit	`bool`
src_process_parent_session_id	`int8`
src_process_uid	`str`
src_process_parent_image_md5	`str`
event_network_connection_status	`str`
src_process_indicator_infostealer_count	`int8`
src_process_indicator_boot_configuration_update_count	`int8`
process_unique_key	`str`
agent_version	`str`
src_process_parent_uid	`str`
src_process_parent_image_sha256	`str`
src_process_session_id	`int8`
src_process_net_conn_count	`int8`
mgmt_os_revision	`str`
dst_ip_address	`ip4`
group_id	`str`
src_process_is_redirect_cmd_processor	`bool`
src_process_verified_status	`str`
src_process_parent_publisher	`str`
src_process_parent_start_time	`timestamp`
src_process_dns_count	`int8`
endpoint_type	`str`
trace_id	`str`
src_process_name	`str`
agent_uuid	`str`
src_process_image_sha256	`str`
src_process_indicator_general_count	`int8`
src_process_cross_process_out_of_storyline_count	`int8`
src_process_registry_change_count	`int8`
packet_id	`str`
src_process_indicator_persistence_count	`int8`
src_process_parent_signed_status	`str`
src_process_parent_user	`str`
event_type	`str`
event_repetition_count	`int8`
src_process_indicator_post_exploitation_count	`int8`
src_process_parent_pid	`int8`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
tag11
tag11
edr.sentinelone.dv.logins

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
src_process_parent_is_storyline_root	`bool`
event_category	`str`
src_process_parent_image_sha1	`str`
site_id	`str`
src_process_image_binary_is_executable	`bool`
src_process_parent_display_name	`str`
src_process_user	`str`
src_process_parent_subsystem	`str`
src_process_indicator_ransomware_count	`int8`
src_process_cross_process_dup_remote_process_handle_count	`int8`
src_process_tgt_file_creation_count	`int8`
src_process_indicator_injection_count	`int8`
src_process_module_count	`int8`
src_process_parent_name	`str`
i_version	`str`
sca_atlantis_ingest_time	`timestamp`
src_process_image_md5	`str`
src_process_indicator_reconnaissance_count	`int8`
src_process_storyline_id	`str`
src_process_child_proc_count	`int8`
mgmt_url	`str`
src_process_cross_process_open_process_count	`int8`
src_process_subsystem	`str`
meta_event_name	`str`
event_login_type	`str`
src_process_parent_integrity_level	`str`
src_process_indicator_exploitation_count	`int8`
src_process_parent_storyline_id	`str`
event_login_login_is_successful	`bool`
i_scheme	`str`
src_process_integrity_level	`str`
src_process_net_conn_in_count	`int8`
event_time	`timestamp`
src_endpoint_ip_address	`ip4`
timestamp	`timestamp`
account_id	`str`
data_source_name	`str`
endpoint_name	`str`
src_process_image_sha1	`str`
src_process_is_storyline_root	`bool`
src_process_parent_image_path	`str`
data_source_vendor	`str`
src_process_pid	`int8`
tgt_file_is_signed	`str`
sca_ingest_time	`timestamp`
data_source_category	`str`
src_process_cmdline	`str`
src_process_publisher	`str`
src_process_cross_process_thread_create_count	`int8`
src_process_parent_is_native64_bit	`bool`
src_process_parent_is_redirect_cmd_processor	`bool`
src_process_signed_status	`str`
src_process_cross_process_count	`int8`
event_id	`str`
src_process_parent_cmdline	`str`
event_login_account_name	`str`
src_process_image_path	`str`
src_process_tgt_file_modification_count	`int8`
src_process_indicator_evasion_count	`int8`
src_process_net_conn_out_count	`int8`
src_process_cross_process_dup_thread_handle_count	`int8`
endpoint_os	`str`
src_process_tgt_file_deletion_count	`int8`
src_process_start_time	`timestamp`
mgmt_id	`str`
os_name	`str`
src_process_display_name	`str`
src_process_is_native64_bit	`bool`
src_process_parent_session_id	`int8`
event_login_failure_reason	`str`
src_process_uid	`str`
src_process_parent_image_md5	`str`
event_login_session_id	`int8`
src_process_indicator_infostealer_count	`int8`
src_process_indicator_boot_configuration_update_count	`int8`
process_unique_key	`str`
agent_version	`str`
src_process_parent_uid	`str`
src_process_parent_image_sha256	`str`
event_login_user_name	`str`
src_process_session_id	`int8`
src_process_net_conn_count	`int8`
mgmt_os_revision	`str`
group_id	`str`
src_process_is_redirect_cmd_processor	`bool`
src_process_verified_status	`str`
src_process_parent_publisher	`str`
src_process_parent_start_time	`timestamp`
src_process_dns_count	`int8`
event_login_account_domain	`str`
endpoint_type	`str`
trace_id	`str`
src_process_name	`str`
agent_uuid	`str`
src_process_image_sha256	`str`
src_process_indicator_general_count	`int8`
src_process_cross_process_out_of_storyline_count	`int8`
src_process_registry_change_count	`int8`
packet_id	`str`
src_process_indicator_persistence_count	`int8`
src_process_parent_signed_status	`str`
src_process_parent_user	`str`
event_type	`str`
src_process_indicator_post_exploitation_count	`int8`
event_login_account_sid	`str`
src_process_parent_pid	`int8`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
tag12
tag12
edr.sentinelone.dv.module

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
src_process_parent_is_storyline_root	`bool`
event_category	`str`
src_process_parent_image_sha1	`str`
site_id	`str`
src_process_image_binary_is_executable	`bool`
src_process_parent_display_name	`str`
src_process_user	`str`
src_process_parent_subsystem	`str`
src_process_indicator_ransomware_count	`int8`
src_process_cross_process_dup_remote_process_handle_count	`int8`
src_process_tgt_file_creation_count	`int8`
src_process_indicator_injection_count	`int8`
src_process_module_count	`int8`
src_process_parent_name	`str`
i_version	`str`
sca_atlantis_ingest_time	`timestamp`
src_process_image_md5	`str`
src_process_indicator_reconnaissance_count	`int8`
src_process_storyline_id	`str`
src_process_child_proc_count	`int8`
mgmt_url	`str`
src_process_cross_process_open_process_count	`int8`
src_process_subsystem	`str`
meta_event_name	`str`
src_process_parent_integrity_level	`str`
src_process_indicator_exploitation_count	`int8`
src_process_parent_storyline_id	`str`
i_scheme	`str`
src_process_integrity_level	`str`
module_sha1	`str`
src_process_net_conn_in_count	`int8`
event_time	`timestamp`
timestamp	`timestamp`
account_id	`str`
data_source_name	`str`
endpoint_name	`str`
src_process_image_sha1	`str`
src_process_is_storyline_root	`bool`
src_process_parent_image_path	`str`
data_source_vendor	`str`
src_process_pid	`int8`
tgt_file_is_signed	`str`
sca_ingest_time	`timestamp`
data_source_category	`str`
src_process_cmdline	`str`
src_process_publisher	`str`
src_process_cross_process_thread_create_count	`int8`
src_process_parent_is_native64_bit	`bool`
module_path	`str`
src_process_parent_is_redirect_cmd_processor	`bool`
src_process_signed_status	`str`
src_process_cross_process_count	`int8`
event_id	`str`
src_process_parent_cmdline	`str`
src_process_image_path	`str`
src_process_tgt_file_modification_count	`int8`
src_process_indicator_evasion_count	`int8`
src_process_net_conn_out_count	`int8`
src_process_cross_process_dup_thread_handle_count	`int8`
endpoint_os	`str`
src_process_tgt_file_deletion_count	`int8`
src_process_start_time	`timestamp`
mgmt_id	`str`
os_name	`str`
src_process_display_name	`str`
src_process_is_native64_bit	`bool`
src_process_parent_session_id	`int8`
src_process_uid	`str`
src_process_parent_image_md5	`str`
src_process_indicator_infostealer_count	`int8`
src_process_indicator_boot_configuration_update_count	`int8`
process_unique_key	`str`
agent_version	`str`
src_process_parent_uid	`str`
src_process_parent_image_sha256	`str`
src_process_session_id	`int8`
src_process_net_conn_count	`int8`
mgmt_os_revision	`str`
group_id	`str`
src_process_is_redirect_cmd_processor	`bool`
src_process_verified_status	`str`
src_process_parent_publisher	`str`
src_process_parent_start_time	`timestamp`
src_process_dns_count	`int8`
endpoint_type	`str`
trace_id	`str`
src_process_name	`str`
agent_uuid	`str`
src_process_image_sha256	`str`
src_process_indicator_general_count	`int8`
src_process_cross_process_out_of_storyline_count	`int8`
src_process_registry_change_count	`int8`
packet_id	`str`
src_process_indicator_persistence_count	`int8`
src_process_parent_signed_status	`str`
src_process_parent_user	`str`
event_type	`str`
src_process_indicator_post_exploitation_count	`int8`
src_process_parent_pid	`int8`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Rw tab

title	13-1617

edr.sentinelone.dv.process
edr.sentinelone.dv.registry
edr.sentinelone.dv.scheduled_task
edr.sentinelone.dv.url
edr.sentinelone.management.activities

Anchor
tag13
tag13
edr.sentinelone.dv.process

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
tgt_process_display_name	`str`
src_process_parent_is_storyline_root	`bool`
event_category	`str`
src_process_parent_image_sha1	`str`
site_id	`str`
src_process_image_binary_is_executable	`bool`
src_process_parent_display_name	`str`
tgt_process_storyline_id	`str`
tgt_process_is_native64_bit	`bool`
src_process_user	`str`
src_process_parent_subsystem	`str`
src_process_indicator_ransomware_count	`int8`
src_process_cross_process_dup_remote_process_handle_count	`int8`
src_process_tgt_file_creation_count	`int8`
src_process_indicator_injection_count	`int8`
src_process_module_count	`int8`
src_process_parent_name	`str`
i_version	`str`
sca_atlantis_ingest_time	`timestamp`
src_process_image_md5	`str`
src_process_indicator_reconnaissance_count	`int8`
src_process_storyline_id	`str`
src_process_child_proc_count	`int8`
mgmt_url	`str`
tgt_process_image_binary_is_executable	`bool`
src_process_cross_process_open_process_count	`int8`
tgt_process_subsystem	`str`
tgt_process_image_sha256	`str`
src_process_subsystem	`str`
meta_event_name	`str`
src_process_parent_integrity_level	`str`
tgt_process_publisher	`str`
src_process_indicator_exploitation_count	`int8`
src_process_parent_storyline_id	`str`
tgt_process_verified_status	`str`
tgt_process_image_path	`str`
i_scheme	`str`
src_process_integrity_level	`str`
tgt_process_integrity_level	`str`
src_process_net_conn_in_count	`int8`
tgt_process_image_md5	`str`
event_time	`timestamp`
timestamp	`timestamp`
account_id	`str`
data_source_name	`str`
endpoint_name	`str`
src_process_image_sha1	`str`
src_process_is_storyline_root	`bool`
src_process_parent_image_path	`str`
data_source_vendor	`str`
src_process_pid	`int8`
tgt_file_is_signed	`str`
sca_ingest_time	`timestamp`
data_source_category	`str`
src_process_cmdline	`str`
src_process_publisher	`str`
src_process_cross_process_thread_create_count	`int8`
src_process_parent_is_native64_bit	`bool`
tgt_process_image_sha1	`str`
src_process_parent_is_redirect_cmd_processor	`bool`
src_process_signed_status	`str`
src_process_cross_process_count	`int8`
event_id	`str`
src_process_parent_cmdline	`str`
src_process_image_path	`str`
src_process_tgt_file_modification_count	`int8`
src_process_indicator_evasion_count	`int8`
src_process_net_conn_out_count	`int8`
tgt_process_pid	`int8`
src_process_cross_process_dup_thread_handle_count	`int8`
tgt_process_name	`str`
endpoint_os	`str`
tgt_process_signed_status	`str`
src_process_tgt_file_deletion_count	`int8`
src_process_start_time	`timestamp`
mgmt_id	`str`
os_name	`str`
tgt_process_cmdline	`str`
src_process_display_name	`str`
src_process_is_native64_bit	`bool`
src_process_parent_session_id	`int8`
src_process_uid	`str`
src_process_parent_image_md5	`str`
src_process_indicator_infostealer_count	`int8`
src_process_indicator_boot_configuration_update_count	`int8`
process_unique_key	`str`
tgt_process_uid	`str`
tgt_process_is_storyline_root	`bool`
agent_version	`str`
src_process_parent_uid	`str`
src_process_parent_image_sha256	`str`
src_process_session_id	`int8`
src_process_net_conn_count	`int8`
mgmt_os_revision	`str`
group_id	`str`
src_process_is_redirect_cmd_processor	`bool`
src_process_verified_status	`str`
tgt_process_start_time	`timestamp`
src_process_parent_publisher	`str`
src_process_parent_start_time	`timestamp`
src_process_dns_count	`int8`
endpoint_type	`str`
trace_id	`str`
src_process_name	`str`
agent_uuid	`str`
src_process_image_sha256	`str`
tgt_process_user	`str`
src_process_indicator_general_count	`int8`
src_process_cross_process_out_of_storyline_count	`int8`
src_process_registry_change_count	`int8`
packet_id	`str`
tgt_process_session_id	`int8`
src_process_indicator_persistence_count	`int8`
src_process_parent_signed_status	`str`
src_process_parent_user	`str`
tgt_process_is_redirect_cmd_processor	`bool`
event_type	`str`
src_process_indicator_post_exploitation_count	`int8`
src_process_parent_pid	`int8`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
tag14
tag14
edr.sentinelone.dv.registry

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
src_process_parent_is_storyline_root	`bool`
event_category	`str`
src_process_parent_image_sha1	`str`
site_id	`str`
registry_value_full_size	`int8`
src_process_image_binary_is_executable	`bool`
src_process_parent_display_name	`str`
src_process_user	`str`
src_process_parent_subsystem	`str`
src_process_indicator_ransomware_count	`int8`
registry_old_value_type	`str`
src_process_cross_process_dup_remote_process_handle_count	`int8`
src_process_tgt_file_creation_count	`int8`
src_process_indicator_injection_count	`int8`
src_process_module_count	`int8`
src_process_parent_name	`str`
i_version	`str`
sca_atlantis_ingest_time	`timestamp`
src_process_image_md5	`str`
src_process_indicator_reconnaissance_count	`int8`
src_process_storyline_id	`str`
src_process_child_proc_count	`int8`
mgmt_url	`str`
src_process_cross_process_open_process_count	`int8`
registry_old_value_full_size	`int8`
src_process_subsystem	`str`
meta_event_name	`str`
src_process_parent_integrity_level	`str`
src_process_indicator_exploitation_count	`int8`
src_process_parent_storyline_id	`str`
i_scheme	`str`
src_process_integrity_level	`str`
src_process_net_conn_in_count	`int8`
event_time	`timestamp`
timestamp	`timestamp`
account_id	`str`
data_source_name	`str`
endpoint_name	`str`
src_process_image_sha1	`str`
src_process_is_storyline_root	`bool`
src_process_parent_image_path	`str`
data_source_vendor	`str`
src_process_pid	`int8`
tgt_file_is_signed	`str`
sca_ingest_time	`timestamp`
data_source_category	`str`
src_process_cmdline	`str`
src_process_publisher	`str`
src_process_cross_process_thread_create_count	`int8`
src_process_parent_is_native64_bit	`bool`
src_process_parent_is_redirect_cmd_processor	`bool`
src_process_signed_status	`str`
src_process_cross_process_count	`int8`
event_id	`str`
src_process_parent_cmdline	`str`
registry_value	`str`
src_process_image_path	`str`
src_process_tgt_file_modification_count	`int8`
src_process_indicator_evasion_count	`int8`
src_process_net_conn_out_count	`int8`
src_process_cross_process_dup_thread_handle_count	`int8`
endpoint_os	`str`
src_process_tgt_file_deletion_count	`int8`
src_process_start_time	`timestamp`
mgmt_id	`str`
os_name	`str`
registry_key_path	`str`
src_process_display_name	`str`
src_process_is_native64_bit	`bool`
src_process_parent_session_id	`int8`
src_process_uid	`str`
src_process_parent_image_md5	`str`
src_process_indicator_infostealer_count	`int8`
src_process_indicator_boot_configuration_update_count	`int8`
process_unique_key	`str`
registry_value_type	`str`
agent_version	`str`
src_process_parent_uid	`str`
src_process_parent_image_sha256	`str`
src_process_session_id	`int8`
src_process_net_conn_count	`int8`
mgmt_os_revision	`str`
group_id	`str`
src_process_is_redirect_cmd_processor	`bool`
src_process_verified_status	`str`
src_process_parent_publisher	`str`
src_process_parent_start_time	`timestamp`
src_process_dns_count	`int8`
endpoint_type	`str`
trace_id	`str`
src_process_name	`str`
registry_old_value_is_complete	`bool`
agent_uuid	`str`
src_process_image_sha256	`str`
src_process_indicator_general_count	`int8`
src_process_cross_process_out_of_storyline_count	`int8`
src_process_registry_change_count	`int8`
packet_id	`str`
src_process_indicator_persistence_count	`int8`
src_process_parent_signed_status	`str`
src_process_parent_user	`str`
event_type	`str`
src_process_indicator_post_exploitation_count	`int8`
registry_value_is_complete	`bool`
src_process_parent_pid	`int8`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
tag15
tag15
edr.sentinelone.dv.scheduled_task

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
src_process_parent_is_storyline_root	`bool`
event_category	`str`
src_process_parent_image_sha1	`str`
site_id	`str`
os_src_process_is_redirect_cmd_processor	`bool`
src_process_image_binary_is_executable	`bool`
src_process_parent_display_name	`str`
os_src_process_image_md5	`str`
os_src_process_cross_process_open_process_count	`int8`
os_src_process_publisher	`str`
os_src_process_cross_process_dup_thread_handle_count	`int8`
src_process_user	`str`
os_src_process_indicator_persistence_count	`int8`
src_process_parent_subsystem	`str`
src_process_indicator_ransomware_count	`int8`
src_process_cross_process_dup_remote_process_handle_count	`int8`
os_src_process_cross_process_out_of_storyline_count	`int8`
os_src_process_image_sha1	`str`
src_process_tgt_file_creation_count	`int8`
os_src_process_child_proc_count	`int8`
src_process_indicator_injection_count	`int8`
os_src_process_indicator_reconnaissance_count	`int8`
src_process_module_count	`int8`
src_process_parent_name	`str`
i_version	`str`
os_src_process_signed_status	`str`
sca_atlantis_ingest_time	`timestamp`
src_process_image_md5	`str`
src_process_indicator_reconnaissance_count	`int8`
src_process_storyline_id	`str`
src_process_child_proc_count	`int8`
mgmt_url	`str`
src_process_cross_process_open_process_count	`int8`
os_src_process_cross_process_thread_create_count	`int8`
os_src_process_module_count	`int8`
os_src_process_indicator_post_exploitation_count	`int8`
os_src_process_indicator_infostealer_count	`int8`
src_process_subsystem	`str`
meta_event_name	`str`
src_process_parent_integrity_level	`str`
os_src_process_user	`str`
os_src_process_image_binary_is_executable	`bool`
task_name	`str`
os_src_process_tgt_file_modification_count	`int8`
src_process_indicator_exploitation_count	`int8`
os_src_process_registry_change_count	`int8`
src_process_parent_storyline_id	`str`
os_src_process_net_conn_in_count	`int8`
i_scheme	`str`
src_process_integrity_level	`str`
os_src_process_indicator_injection_count	`int8`
os_src_process_pid	`int8`
src_process_net_conn_in_count	`int8`
event_time	`timestamp`
timestamp	`timestamp`
account_id	`str`
data_source_name	`str`
os_src_process_cross_process_count	`int8`
endpoint_name	`str`
src_process_image_sha1	`str`
src_process_is_storyline_root	`bool`
src_process_parent_image_path	`str`
os_src_process_is_native64_bit	`bool`
data_source_vendor	`str`
src_process_pid	`int8`
os_src_process_uid	`str`
tgt_file_is_signed	`str`
sca_ingest_time	`timestamp`
data_source_category	`str`
src_process_cmdline	`str`
src_process_publisher	`str`
src_process_cross_process_thread_create_count	`int8`
src_process_parent_is_native64_bit	`bool`
os_src_process_is_storyline_root	`bool`
src_process_parent_is_redirect_cmd_processor	`bool`
os_src_process_integrity_level	`str`
src_process_signed_status	`str`
src_process_cross_process_count	`int8`
os_src_process_subsystem	`str`
event_id	`str`
os_src_process_cross_process_dup_remote_process_handle_count	`int8`
os_src_process_tgt_file_creation_count	`int8`
src_process_parent_cmdline	`str`
src_process_image_path	`str`
src_process_tgt_file_modification_count	`int8`
os_src_process_name	`str`
src_process_indicator_evasion_count	`int8`
src_process_net_conn_out_count	`int8`
os_src_process_start_time	`timestamp`
src_process_cross_process_dup_thread_handle_count	`int8`
endpoint_os	`str`
os_src_process_net_conn_out_count	`int8`
os_src_process_image_sha256	`str`
src_process_tgt_file_deletion_count	`int8`
src_process_start_time	`timestamp`
mgmt_id	`str`
os_src_process_indicator_ransomware_count	`int8`
os_src_process_net_conn_count	`int8`
os_name	`str`
os_src_process_indicator_general_count	`int8`
src_process_display_name	`str`
os_src_process_dns_count	`int8`
src_process_is_native64_bit	`bool`
src_process_parent_session_id	`int8`
os_src_process_session_id	`int8`
src_process_uid	`str`
src_process_parent_image_md5	`str`
os_src_process_verified_status	`str`
os_src_process_cmdline	`str`
src_process_indicator_infostealer_count	`int8`
src_process_indicator_boot_configuration_update_count	`int8`
process_unique_key	`str`
agent_version	`str`
src_process_parent_uid	`str`
src_process_parent_image_sha256	`str`
src_process_session_id	`int8`
src_process_net_conn_count	`int8`
mgmt_os_revision	`str`
os_src_process_image_path	`str`
group_id	`str`
os_src_process_indicator_boot_configuration_update_count	`int8`
src_process_is_redirect_cmd_processor	`bool`
src_process_verified_status	`str`
src_process_parent_publisher	`str`
src_process_parent_start_time	`timestamp`
os_src_process_indicator_exploitation_count	`int8`
src_process_dns_count	`int8`
os_src_process_tgt_file_deletion_count	`int8`
os_src_process_indicator_evasion_count	`int8`
endpoint_type	`str`
trace_id	`str`
src_process_name	`str`
agent_uuid	`str`
os_src_process_display_name	`str`
src_process_image_sha256	`str`
src_process_indicator_general_count	`int8`
src_process_cross_process_out_of_storyline_count	`int8`
src_process_registry_change_count	`int8`
packet_id	`str`
src_process_indicator_persistence_count	`int8`
src_process_parent_signed_status	`str`
src_process_parent_user	`str`
os_src_process_storyline_id	`str`
event_type	`str`
src_process_indicator_post_exploitation_count	`int8`
src_process_parent_pid	`int8`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor

tag16

tag151

tag16

tag151
edr.sentinelone.

management

dv.

activities

url

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`

accountId

dataAccountName

str

dataFullScopeDetails

str

dataGroupName

str

dataScopeLevel

str

dataScopeName

str

dataSiteName

str

dataUsername

str

dataDescription

str

dataFileContentHash

str

dataComputerName

str

dataFilePath

str

dataFileFisplayName

str

dataThreatClassification

str

dataThreatClassificationSource

str

dataStatus

str

dataOsFamily

str

dataAgentipv4

ip4

dataAlertid

int4

dataDetectedat

timestamp

dataDnsrequest

str

dataDnsresponse

str

dataDstip

str

dataDstport

int4

dataDveventid

str

dataDveventtype

str

dataExternalip

ip4

dataFullScopeDetailsPath

str

dataIndicatorcategory

str

dataIndicatordescription

str

dataIndicatorname

str

dataK8sclustername

str

dataK8scontainerid

str

dataK8scontainerimage

str

dataK8scontainerlabels

str

dataK8scontainername

str

dataK8scontrollerkind

str

dataK8scontrollerlabels

str

dataK8scontrollername

str

dataK8snamespace

str

dataK8snamespacelabels

str

dataK8snode

str

dataK8spod

str

dataK8spodlabels

str

dataLoginaccountdomain

str

dataLoginaccountsid

str

dataLoginisadministratorequivalent

str

dataLoginissuccessful

str

dataLoginsusername

str

dataLogintype

str

dataModulepath

str

dataModulesha1

str

dataNeteventdirection

str

dataOrigagentmachinetype

str

dataOrigagentname

str

dataOrigagentosfamily

str

dataOrigagentosname

str

dataOrigagentosrevision

str

dataOrigagentsiteid

str

dataOrigagentuuid

str

dataOrigagentversion

ip4

dataPhysical

str

dataRegistrykeypath

str

dataRegistryoldvalue

str

dataRegistryoldvaluetype

str

dataRegistrypath

str

dataRegistryvalue

str

dataRuledescription

str

dataRuleid

int4

dataRulename

str

dataRulescopeid

int4

dataRulescopelevel

str

dataScopeId

int4

dataSeverity

str

dataSourcename

str

dataSourceparentprocesscommandline

str

dataSourceparentprocessintegritylevel

str

dataSourceparentprocesskey

str

dataSourceparentprocessmd5

str

dataSourceparentprocessname

str

dataSourceparentprocesspath

str

dataSourceparentprocesspid

int4

dataSourceparentprocesssha1

str

dataSourceparentprocesssha256

str

dataSourceparentprocesssigneridentity

str

dataSourceparentprocessTESTttime

timestamp

dataSourceparentprocessstoryline

str

dataSourceparentprocesssubsystem

str

dataSourceparentprocessusername

str

dataSourceprocesscommandline

str

dataSourceprocessfilepath

str

dataSourceprocessfilesigneridentity

str

dataSourceprocessintegritylevel

str

dataSourceprocesskey

str

dataSourceprocessmd5

str

dataSourceprocessname

str

dataSourceprocesspid

int4

dataSourceprocesssha1

str

dataSourceprocesssha256

str

dataSourceprocessTESTttime

timestamp

dataSourceprocessstoryline

str

dataSourceprocesssubsystem

str

dataSourceprocessusername

str

dataSrcip

str

dataSrcmachineip

str

dataSrcport

int4

dataSystemUser

int4

dataTgtfilecreatedat

str

dataTgtfilehashsha1

str

dataTgtfilehashsha256

str

dataTgtfileid

str

dataTgtfileissigned

str

dataTgtfilemodifiedat

str

dataTgtfileoldpath

str

dataTgtfilepath

str

dataTgtproccmdline

str

dataTgtprocessTESTttime

str

dataTgtprocimagepath

str

dataTgtprocintegritylevel

str

dataTgtprocname

str

dataTgtprocpid

int4

dataTgtprocsignedstatus

str

dataTgtprocstorylineid

str

dataTgtprocuid

str

dataTiindicatorcomparisonmethod

str

dataTiindicatorsource

str

dataTiindicatortype

str

dataTiindicatorvalue

str

dataUserId

int4

description

str

groupId

str

groupName

str

hash

str

id

str

osFamily

str

primaryDescription

str

secondaryDescription

str

siteId

str

siteName

str

threatId

str

updatedAt

timestamp

userId

str

hostchain

str

✓

tag

str

✓

rawMessage


src_process_image_path	`str`

accountName

str

activityType

int4

agentId

str

agentUpdatedVersion

str

comments

str

createdAt

timestamp

rawData

str

dataAccountId

int8


src_process_parent_is_storyline_root	`bool`
event_category	`str`
site_id	`str`
endpoint_os	`str`
src_process_parent_display_name	`str`
src_process_start_time	`timestamp`
mgmt_id	`str`
os_name	`str`
src_process_user	`str`
src_process_parent_subsystem	`str`
src_process_display_name	`str`
src_process_is_native64_bit	`bool`
src_process_parent_session_id	`str`
src_process_uid	`str`
i_version	`str`
src_process_parent_name	`str`
process_unique_key	`str`
src_process_image_md5	`str`
src_process_storyline_id	`str`
mgmt_url	`str`
agent_version	`str`
src_process_parent_uid	`str`
src_process_session_id	`str`
mgmt_os_revision	`str`
src_process_subsystem	`str`
meta_event_name	`str`
src_process_parent_integrity_level	`str`
group_id	`str`
src_process_parent_storyline_id	`str`
src_process_is_redirect_cmd_processor	`bool`
src_process_verified_status	`str`
src_process_parent_publisher	`str`
src_process_parent_start_time	`timestamp`
endpoint_type	`str`
src_process_integrity_level	`str`
i_scheme	`str`
trace_id	`str`
site_name	`str`
url_address	`str`
src_process_name	`str`
agent_uuid	`str`
event_time	`timestamp`
src_process_image_sha256	`str`
timestamp	`timestamp`
account_id	`str`
data_source_name	`str`
endpoint_name	`str`
src_process_image_sha1	`str`
src_process_is_storyline_root	`bool`
packet_id	`str`
src_process_parent_image_path	`str`
src_process_parent_signed_status	`str`
src_process_parent_user	`str`
data_source_vendor	`str`
src_process_pid	`str`
tgt_file_is_signed	`str`
src_process_cmdline	`str`
src_process_publisher	`str`
data_source_category	`str`
src_process_parent_is_native64_bit	`bool`
src_process_parent_is_redirect_cmd_processor	`bool`
event_type	`str`
src_process_signed_status	`str`
event_id	`str`
src_process_parent_cmdline	`str`
src_process_parent_pid	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Versions Compared

Old Version 11

New Version Current

Key

Valid tags and data tables

How is the data sent to Devo?

Anchor
tag1
tag1
edr.sentinelone.agent.agents

Anchor
tag2
tag2
edr.sentinelone.agent.threats

Anchor
tag3
tag3
edr.sentinelone.dv

Anchor
tag4
tag4
edr.sentinelone.dv.cross_process

Anchor
tag5
tag5
edr.sentinelone.dv.dns

Anchor
tag6
tag6
edr.sentinelone.dv.driver

Anchor
tag7
tag7
edr.sentinelone.dv.file

Anchor
tag8
tag8
edr.sentinelone.dv.group

Anchor
tag9
tag9
edr.sentinelone.dv.indicators

Anchor
tag10
tag10
edr.sentinelone.dv.ip

Anchor
tag11
tag11
edr.sentinelone.dv.logins

Anchor
tag12
tag12
edr.sentinelone.dv.module

Anchor
tag13
tag13
edr.sentinelone.dv.process

Anchor
tag14
tag14
edr.sentinelone.dv.registry

Anchor
tag15
tag15
edr.sentinelone.dv.scheduled_task

Anchor

tag151

tag151
edr.sentinelone.

dv.

url

Anchor
tag16
tag16
edr.sentinelone.management.activities

Page Comparison

Versions Compared

Old Version 11

New Version Current

Key

Valid tags and data tables

How is the data sent to Devo?

Anchortag1tag1edr.sentinelone.agent.agents

Anchortag2tag2edr.sentinelone.agent.threats

Anchortag3tag3edr.sentinelone.dv

Anchortag4tag4edr.sentinelone.dv.cross_process

Anchortag5tag5edr.sentinelone.dv.dns

Anchortag6tag6edr.sentinelone.dv.driver

Anchortag7tag7edr.sentinelone.dv.file

Anchortag8tag8edr.sentinelone.dv.group

Anchortag9tag9edr.sentinelone.dv.indicators

Anchortag10tag10edr.sentinelone.dv.ip

Anchortag11tag11edr.sentinelone.dv.logins

Anchortag12tag12edr.sentinelone.dv.module

Anchortag13tag13edr.sentinelone.dv.process

Anchortag14tag14edr.sentinelone.dv.registry

Anchortag15tag15edr.sentinelone.dv.scheduled_task

Anchor

tag151

tag151edr.sentinelone.

dv.

url

Anchortag16tag16edr.sentinelone.management.activities

Anchor
tag1
tag1
edr.sentinelone.agent.agents

Anchor
tag2
tag2
edr.sentinelone.agent.threats

Anchor
tag3
tag3
edr.sentinelone.dv

Anchor
tag4
tag4
edr.sentinelone.dv.cross_process

Anchor
tag5
tag5
edr.sentinelone.dv.dns

Anchor
tag6
tag6
edr.sentinelone.dv.driver

Anchor
tag7
tag7
edr.sentinelone.dv.file

Anchor
tag8
tag8
edr.sentinelone.dv.group

Anchor
tag9
tag9
edr.sentinelone.dv.indicators

Anchor
tag10
tag10
edr.sentinelone.dv.ip

Anchor
tag11
tag11
edr.sentinelone.dv.logins

Anchor
tag12
tag12
edr.sentinelone.dv.module

Anchor
tag13
tag13
edr.sentinelone.dv.process

Anchor
tag14
tag14
edr.sentinelone.dv.registry

Anchor
tag15
tag15
edr.sentinelone.dv.scheduled_task

tag151
edr.sentinelone.

Anchor
tag16
tag16
edr.sentinelone.management.activities