Introduction
The tags beginning with `edr.sentinelone` identify events generated by SentinelOne's platform.

The full tag must have at least 3 levels. The first two are fixed as `edr.sentinelone`. The third level identifies the type of events sent, and the fourth level indicates the event subtype.
These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| SentinelOne agent events | edr.sentinelone.agent.agents | edr.sentinelone.agent.agents |
| SentinelOne agent events | edr.sentinelone.agent.threats | edr.sentinelone.agent.threats |
| SentinelOne Deep Visibility | edr.sentinelone.dv | edr.sentinelone.dv |
| SentinelOne Deep Visibility | edr.sentinelone.dv.cross_process | edr.sentinelone.dv.cross_process |
| SentinelOne Deep Visibility | edr.sentinelone.dv.dns | edr.sentinelone.dv.dns |
| SentinelOne Deep Visibility | edr.sentinelone.dv.driver | edr.sentinelone.dv.driver |
| SentinelOne Deep Visibility | edr.sentinelone.dv.file | edr.sentinelone.dv.file |
| SentinelOne Deep Visibility | edr.sentinelone.dv.group | edr.sentinelone.dv.group |
| SentinelOne Deep Visibility | edr.sentinelone.dv.indicators | edr.sentinelone.dv.indicators |
| SentinelOne Deep Visibility | edr.sentinelone.dv.ip | edr.sentinelone.dv.ip |
| SentinelOne Deep Visibility | edr.sentinelone.dv.logins | edr.sentinelone.dv.logins |
| SentinelOne Deep Visibility | edr.sentinelone.dv.module | edr.sentinelone.dv.module |
| SentinelOne Deep Visibility | edr.sentinelone.dv.process | edr.sentinelone.dv.process |
| SentinelOne Deep Visibility | edr.sentinelone.dv.registry | edr.sentinelone.dv.registry |
| SentinelOne Deep Visibility | edr.sentinelone.dv.scheduled_task | edr.sentinelone.dv.scheduled_task |
| SentinelOne management events | edr.sentinelone.management.activities | edr.sentinelone.management.activities |
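As an added example (not code from the original page or from Devo or SentinelOne), the following Python snippet applies the tag rules above before an event is forwarded: it checks that a tag has at least three levels with the fixed `edr.sentinelone` prefix, splits out the event type (third level) and subtype (fourth level), and resolves the tag to the data table listed in the table. The `VALID_TAGS` mapping is copied from the table; the function names and the error handling are this example's own choices.

```python
# Added example: validate SentinelOne tags against the rules on this page and
# resolve each one to the Devo data table that receives the parsed data.

# Tag -> data table, copied from the table on this page (here they coincide).
VALID_TAGS = {
    "edr.sentinelone.agent.agents": "edr.sentinelone.agent.agents",
    "edr.sentinelone.agent.threats": "edr.sentinelone.agent.threats",
    "edr.sentinelone.dv": "edr.sentinelone.dv",
    "edr.sentinelone.dv.cross_process": "edr.sentinelone.dv.cross_process",
    "edr.sentinelone.dv.dns": "edr.sentinelone.dv.dns",
    "edr.sentinelone.dv.driver": "edr.sentinelone.dv.driver",
    "edr.sentinelone.dv.file": "edr.sentinelone.dv.file",
    "edr.sentinelone.dv.group": "edr.sentinelone.dv.group",
    "edr.sentinelone.dv.indicators": "edr.sentinelone.dv.indicators",
    "edr.sentinelone.dv.ip": "edr.sentinelone.dv.ip",
    "edr.sentinelone.dv.logins": "edr.sentinelone.dv.logins",
    "edr.sentinelone.dv.module": "edr.sentinelone.dv.module",
    "edr.sentinelone.dv.process": "edr.sentinelone.dv.process",
    "edr.sentinelone.dv.registry": "edr.sentinelone.dv.registry",
    "edr.sentinelone.dv.scheduled_task": "edr.sentinelone.dv.scheduled_task",
    "edr.sentinelone.management.activities": "edr.sentinelone.management.activities",
}

FIXED_PREFIX = ("edr", "sentinelone")


def parse_tag(tag):
    """Split a tag into its levels and enforce the structural rules:
    at least 3 levels, and the first two fixed as edr.sentinelone.
    Returns a dict with the event type (3rd level) and subtype (4th level,
    or None when the tag has only three levels)."""
    levels = tag.split(".")
    if len(levels) < 3:
        raise ValueError(f"tag {tag!r} must have at least 3 levels")
    if tuple(levels[:2]) != FIXED_PREFIX:
        raise ValueError(f"tag {tag!r} must start with edr.sentinelone")
    if any(level == "" for level in levels):
        raise ValueError(f"tag {tag!r} contains an empty level")
    return {
        "event_type": levels[2],
        "event_subtype": levels[3] if len(levels) > 3 else None,
        "levels": levels,
    }


def resolve_data_table(tag):
    """Validate the tag structure, then look up the destination data table.
    A structurally valid tag that is not in the documented list is rejected,
    so events are never silently routed to a table that does not exist."""
    parse_tag(tag)
    try:
        return VALID_TAGS[tag]
    except KeyError:
        raise ValueError(f"tag {tag!r} is not a documented SentinelOne tag") from None


def route_events(tagged_events):
    """Group constructed (tag, event) pairs by destination table; invalid tags
    are collected separately so a misconfigured sender can be reported."""
    routed, rejected = {}, []
    for tag, event in tagged_events:
        try:
            routed.setdefault(resolve_data_table(tag), []).append(event)
        except ValueError as exc:
            rejected.append((tag, str(exc)))
    return routed, rejected


if __name__ == "__main__":
    # Constructed sample input: three valid tags and two invalid ones.
    sample = [
        ("edr.sentinelone.dv.dns", {"query": "example.test"}),
        ("edr.sentinelone.agent.threats", {"id": "t-1"}),
        ("edr.sentinelone.dv", {"raw": "..."}),
        ("edr.sentinelone", {"note": "only two levels"}),
        ("edr.crowdstrike.dv.dns", {"note": "wrong prefix"}),
    ]
    routed, rejected = route_events(sample)
    for table, events in routed.items():
        print(f"{table}: {len(events)} event(s)")
    for tag, reason in rejected:
        print(f"rejected {tag}: {reason}")
```

Running it prints one line per destination table and one line per rejected tag, which is a convenient self-check when a new sender is being configured.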
Table structure
These are the fields displayed in these tables: