edr.sentinelone

[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 How is the data sent to Devo? ] [ 4 Table structure ]

Introduction

The tags beginning with edr.sentinelone identify events generated by SentinelOne's platform.

Valid tags and data tables

The full tag must have at least 3 levels. The first two are fixed as edr.sentinelone. The third level identifies the type of events sent, and the fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables

Product / Service	Tags	Data tables
SentinelOne agent events	`edr.sentinelone.agent.agents`	`edr.sentinelone.agent.agents`
SentinelOne agent events	`edr.sentinelone.agent.threats`	`edr.sentinelone.agent.threats`
SentinelOne Deep Visibility	`edr.sentinelone.dv`	`edr.sentinelone.dv`
	`edr.sentinelone.dv.cross_process`	`edr.sentinelone.dv.cross_process`
	`edr.sentinelone.dv.dns`	`edr.sentinelone.dv.dns`
	`edr.sentinelone.dv.driver`	`edr.sentinelone.dv.driver`
	`edr.sentinelone.dv.file`	`edr.sentinelone.dv.file`
	`edr.sentinelone.dv.group`	`edr.sentinelone.dv.group`
	`edr.sentinelone.dv.indicators`	`edr.sentinelone.dv.indicators`
	`edr.sentinelone.dv.ip`	`edr.sentinelone.dv.ip`
	`edr.sentinelone.dv.logins`	`edr.sentinelone.dv.logins`
	`edr.sentinelone.dv.module`	`edr.sentinelone.dv.module`
	`edr.sentinelone.dv.process`	`edr.sentinelone.dv.process`
	`edr.sentinelone.dv.registry`	`edr.sentinelone.dv.registry`
	`edr.sentinelone.dv.scheduled_task`	`edr.sentinelone.dv.scheduled_task`
SentinelOne management events	`edr.sentinelone.management.activities`	`edr.sentinelone.management.activities`

How is the data sent to Devo?

To send events to the edr.sentinelone.dv tables, you must use the SentinelOne Deep Visibility with Cloud Funnel collector.

Table structure

These are the fields displayed in these tables: