av.sentinelone
Introduction
The tags beginning with av.sentinelone identify events generated by SentinelOne antivirus products.
Valid tags and data tables
The full tag must have 3 levels. The first two are fixed as av.sentinelone. The third level identifies the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
SentinelOne Endpoint Protection Platform (EPP) |
|
|
|
|
For more information, see About Devo tags.
Table structure
These are the fields displayed in these tables:
av.sentinelone.events
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate |
|
|
|
|
timestamp |
|
| event_time |
|
agent_info_id |
|
|
|
|
agent_info_uuid |
|
|
|
|
agent_info_network_status |
|
|
|
|
agent_info_is_pending_uninstall |
|
|
|
|
agent_info_last_active_date |
|
|
|
|
agent_info_agent_version |
|
|
|
|
agent_info_registered_at |
|
|
|
|
agent_info_last_logged_in_user_name |
|
|
|
|
agent_info_encrypted_applications |
|
|
|
|
agent_info_hardware_information_total_memory |
|
|
|
|
agent_info_hardware_information_cpu_count |
|
|
|
|
agent_info_hardware_information_cpu_id |
|
|
|
|
agent_info_hardware_information_machine_type |
|
|
|
|
agent_info_hardware_information_model_name |
|
|
|
|
agent_info_hardware_information_core_count |
|
|
|
|
agent_info_software_information_os_start_time |
| parsedate(agent_info_software_information_os_start_time__tmp, dateformat("YYYY-MM-DDTHH:mm:ssZ")) | agent_info_software_information_os_start_time__tmp |
|
agent_info_software_information_os_revision |
|
|
|
|
agent_info_software_information_os_type |
|
|
|
|
agent_info_software_information_os_name |
|
|
|
|
agent_info_software_information_os_arch |
|
|
|
|
agent_info_is_uninstalled |
|
|
|
|
agent_info_users |
|
|
|
|
agent_info_is_active |
|
|
|
|
agent_info_meta_data_created_at |
|
|
|
|
agent_info_meta_data_updated_at |
|
|
|
|
agent_info_configuration_research_data |
|
|
|
|
agent_info_configuration_mitigation_mode |
|
|
|
|
agent_info_configuration_mitigation_mode_suspicious |
|
|
|
|
agent_info_configuration_auto_mitigation_actions |
|
|
|
|
agent_info_configuration_learning_mode |
|
|
|
|
agent_info_group_id |
|
|
|
|
agent_info_user_actions_needed |
|
|
|
|
agent_info_assets |
|
|
|
|
agent_info_external_ip |
|
|
|
|
agent_info_is_up_to_date |
|
|
|
|
agent_info_group_ip |
|
|
|
|
agent_info_network_information_domain |
|
|
|
|
agent_info_network_information_computer_name |
|
|
|
|
agent_info_network_information_interfaces_name_str |
| join(agent_info_network_information_interfaces_name, ",") | agent_info_network_information_interfaces_name |
|
agent_info_network_information_interfaces_physical_str |
| join(agent_info_network_information_interfaces_physical, ",") | agent_info_network_information_interfaces_physical |
|
agent_info_network_information_interfaces_inet_str |
| agent_info_network_information_interfaces_inet |
| |
agent_info_network_information_interfaces_inet6_str |
| agent_info_network_information_interfaces_inet6 |
| |
agent_info_threat_count |
|
|
|
|
agent_info_scan_status_status |
|
|
|
|
agent_info_scan_status_aborted_at |
|
|
|
|
agent_info_scan_status_started_at |
|
|
|
|
agent_info_scan_status_finished_at |
|
|
|
|
agent_info_is_decommissioned |
|
|
|
|
threat_classifier_name |
|
|
|
|
threat_mitigation_status |
|
|
|
|
threat_from_scan |
|
|
|
|
threat_suspicious |
|
|
|
|
threat_in_quarantine |
|
|
|
|
threat_agent |
|
|
|
|
threat_learning_mode |
|
|
|
|
threat_from_cloud |
|
|
|
|
threat_is_partial_story |
|
|
|
|
threat_mitigation_actions |
|
|
|
|
threat_id |
|
|
|
|
threat_browser_type |
|
|
|
|
threat_annotation_url |
|
|
|
|
threat_is_cert_valid |
|
|
|
|
threat_indicators |
|
|
|
|
threat_cert_id |
|
|
|
|
threat_hidden |
|
|
|
|
threat_resolved |
|
|
|
|
threat_description |
|
|
|
|
threat_publisher |
|
|
|
|
threat_mitigation_report_kill_status |
|
|
|
|
threat_mitigation_report_quarantine_status |
|
|
|
|
threat_mitigation_report_network_quarantine_status |
|
|
|
|
threat_mitigation_report_rollback_status |
|
|
|
|
threat_mitigation_report_remediate_status |
|
|
|
|
threat_engine_data |
|
|
|
|
threat_meta_data_created_at |
|
|
|
|
threat_meta_data_updated_at |
|
|
|
|
threat_file_id_display_name |
|
|
|
|
threat_file_id_permission |
|
|
|
|
threat_file_id_hash_reputation |
|
|
|
|
threat_file_id_is_system |
|
|
|
|
threat_file_id_object_id |
|
|
|
|
threat_file_id_path |
|
|
|
|
threat_file_id_content_hash |
|
|
|
|
threat_file_id_size |
|
|
|
|
threat_mitigation_mode |
|
|
|
|
threat_annotation |
|
|
|
|
threat_silent_threat |
|
|
|
|
threat_marked_as_benign |
|
|
|
|
threat_whitening_options |
|
|
|
|
threat_malicious_process_arguments |
|
|
|
|
threat_extension |
|
|
|
|
threat_in_learning_mode |
|
|
|
|
threat_affected_files |
|
|
|
|
threat_username |
|
|
|
|
threat_created_date |
|
|
|
|
threat_mitigation_mode_suspicious |
|
|
|
|
threat_malicious_group_id |
|
|
|
|
threat_agent_version |
|
|
|
|
hostchain |
|
|
| ✓ |
tag |
|
|
| ✓ |
rawMessage |
|
|
| ✓ |
av.sentinelone.rfc_5424
Field | Type | Extra fields |
---|---|---|
eventdate |
|
|
priority |
|
|
RFC_Version |
|
|
date |
|
|
hostname |
|
|
app_name |
|
|
component_ID |
|
|
activity_ID |
|
|
activityType |
|
|
activityId |
|
|
rt |
|
|
ip |
|
|
deviceAddress |
|
|
deviceHostFqdn |
|
|
deviceHostName |
|
|
siteId |
|
|
siteName |
|
|
accountId |
|
|
accountName |
|
|
vendor |
|
|
sentinel_eventID |
|
|
eventDesc |
|
|
eventSeverity |
|
|
notificationScope |
|
|
agentId |
|
|
threatId |
|
|
comments |
|
|
userId |
|
|
description |
|
|
secondaryDescription |
|
|
createdAt |
|
|
groupId |
|
|
agentUpdatedVersion |
|
|
hash |
|
|
osFamily |
|
|
updatedAt |
|
|
event_description |
|
|
cat |
|
|
groupName |
|
|
originatorName |
|
|
originatorVersion |
|
|
sourceNetworkState |
|
|
sourceOsRevision |
|
|
sourceOsType |
|
|
sourceAgentUuid |
|
|
sourceFqdn |
|
|
sourceThreatCount |
|
|
sourceMgmtPrecievedAddress |
|
|
sourceDnsDomain |
|
|
sourceHostName |
|
|
sourceUserName |
|
|
sourceUserId |
|
|
sourceAgentId |
|
|
sourceGroupId |
|
|
sourceGroupName |
|
|
sourceIpAddresses_0 |
|
|
sourceIpAddresses_1 |
|
|
sourceMacAddresses_0 |
|
|
data_uid |
|
|
data_creator |
|
|
data_osType |
|
|
data_ruleId |
|
|
data_version |
|
|
data_eventId |
|
|
data_groupId |
|
|
data_interface |
|
|
data_ruleName |
|
|
data_ruleType |
|
|
data_vendorId |
|
|
data_eventTime |
|
|
data_eventType |
|
|
data_productId |
|
|
data_scopeName |
|
|
data_deviceName |
|
|
data_lmpVersion |
|
|
data_minorClass |
|
|
data_deviceClass |
|
|
data_computerName |
|
|
data_profileUuids |
|
|
data_ruleScopeName |
|
|
data_lastLoggedInUserName |
|
|
data_siteName |
|
|
data_groupName |
|
|
data_externalIp |
|
|
data_scopeLevel |
|
|
data_accountName |
|
|
data_macAddresses_0 |
|
|
data_fullScopeDetails |
|
|
hostchain |
| ✓ |
tag |
| ✓ |
rawMessage |
| ✓ |