av.sentinelone
Introduction
The tags beginning with av.sentinelone identify events generated by antivirus products belonging to SentinelOne.
Valid tags and data tables
The full tag must have 3 levels. The first two are fixed as av.sentinelone. The third level identifies the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
SentinelOne Endpoint Protection Platform (EPP) | av.sentinelone.events | av.sentinelone.events |
 | av.sentinelone.rfc_5424 | av.sentinelone.rfc_5424 |
For more information, see About Devo tags.
Table structure
These are the fields displayed in these tables:
av.sentinelone.events
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
timestamp | | | event_time | |
agent_info_id | | | | |
agent_info_uuid | | | | |
agent_info_network_status | | | | |
agent_info_is_pending_uninstall | | | | |
agent_info_last_active_date | | | | |
agent_info_agent_version | | | | |
agent_info_registered_at | | | | |
agent_info_last_logged_in_user_name | | | | |
agent_info_encrypted_applications | | | | |
agent_info_hardware_information_total_memory | | | | |
agent_info_hardware_information_cpu_count | | | | |
agent_info_hardware_information_cpu_id | | | | |
agent_info_hardware_information_machine_type | | | | |
agent_info_hardware_information_model_name | | | | |
agent_info_hardware_information_core_count | | | | |
agent_info_software_information_os_start_time | | parsedate(agent_info_software_information_os_start_time__tmp, dateformat("YYYY-MM-DDTHH:mm:ssZ")) | agent_info_software_information_os_start_time__tmp | |
agent_info_software_information_os_revision | | | | |
agent_info_software_information_os_type | | | | |
agent_info_software_information_os_name | | | | |
agent_info_software_information_os_arch | | | | |
agent_info_is_uninstalled | | | | |
agent_info_users | | | | |
agent_info_is_active | | | | |
agent_info_meta_data_created_at | | | | |
agent_info_meta_data_updated_at | | | | |
agent_info_configuration_research_data | | | | |
agent_info_configuration_mitigation_mode | | | | |
agent_info_configuration_mitigation_mode_suspicious | | | | |
agent_info_configuration_auto_mitigation_actions | | | | |
agent_info_configuration_learning_mode | | | | |
agent_info_group_id | | | | |
agent_info_user_actions_needed | | | | |
agent_info_assets | | | | |
agent_info_external_ip | | | | |
agent_info_is_up_to_date | | | | |
agent_info_group_ip | | | | |
agent_info_network_information_domain | | | | |
agent_info_network_information_computer_name | | | | |
agent_info_network_information_interfaces_name_str | | join(agent_info_network_information_interfaces_name, ",") | agent_info_network_information_interfaces_name | |
agent_info_network_information_interfaces_physical_str | | join(agent_info_network_information_interfaces_physical, ",") | agent_info_network_information_interfaces_physical | |
agent_info_network_information_interfaces_inet_str | | agent_info_network_information_interfaces_inet | | |
agent_info_network_information_interfaces_inet6_str | | agent_info_network_information_interfaces_inet6 | | |
agent_info_threat_count | | | | |
agent_info_scan_status_status | | | | |
agent_info_scan_status_aborted_at | | | | |
agent_info_scan_status_started_at | | | | |
agent_info_scan_status_finished_at | | | | |
agent_info_is_decommissioned | | | | |
threat_classifier_name | | | | |
threat_mitigation_status | | | | |
threat_from_scan | | | | |
threat_suspicious | | | | |
threat_in_quarantine | | | | |
threat_agent | | | | |
threat_learning_mode | | | | |
threat_from_cloud | | | | |
threat_is_partial_story | | | | |
threat_mitigation_actions | | | | |
threat_id | | | | |
threat_browser_type | | | | |
threat_annotation_url | | | | |
threat_is_cert_valid | | | | |
threat_indicators | | | | |
threat_cert_id | | | | |
threat_hidden | | | | |
threat_resolved | | | | |
threat_description | | | | |
threat_publisher | | | | |
threat_mitigation_report_kill_status | | | | |
threat_mitigation_report_quarantine_status | | | | |
threat_mitigation_report_network_quarantine_status | | | | |
threat_mitigation_report_rollback_status | | | | |
threat_mitigation_report_remediate_status | | | | |
threat_engine_data | | | | |
threat_meta_data_created_at | | | | |
threat_meta_data_updated_at | | | | |
threat_file_id_display_name | | | | |
threat_file_id_permission | | | | |
threat_file_id_hash_reputation | | | | |
threat_file_id_is_system | | | | |
threat_file_id_object_id | | | | |
threat_file_id_path | | | | |
threat_file_id_content_hash | | | | |
threat_file_id_size | | | | |
threat_mitigation_mode | | | | |
threat_annotation | | | | |
threat_silent_threat | | | | |
threat_marked_as_benign | | | | |
threat_whitening_options | | | | |
threat_malicious_process_arguments | | | | |
threat_extension | | | | |
threat_in_learning_mode | | | | |
threat_affected_files | | | | |
threat_username | | | | |
threat_created_date | | | | |
threat_mitigation_mode_suspicious | | | | |
threat_malicious_group_id | | | | |
threat_agent_version | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | ✓ |
av.sentinelone.rfc_5424
Field | Type | Extra fields |
---|---|---|
eventdate | | |
priority | | |
RFC_Version | | |
date | | |
hostname | | |
app_name | | |
component_ID | | |
activity_ID | | |
activityType | | |
activityId | | |
rt | | |
ip | | |
deviceAddress | | |
deviceHostFqdn | | |
deviceHostName | | |
siteId | | |
siteName | | |
accountId | | |
accountName | | |
vendor | | |
sentinel_eventID | | |
eventDesc | | |
eventSeverity | | |
notificationScope | | |
agentId | | |
threatId | | |
comments | | |
userId | | |
description | | |
secondaryDescription | | |
createdAt | | |
groupId | | |
agentUpdatedVersion | | |
hash | | |
osFamily | | |
updatedAt | | |
event_description | | |
cat | | |
groupName | | |
originatorName | | |
originatorVersion | | |
sourceNetworkState | | |
sourceOsRevision | | |
sourceOsType | | |
sourceAgentUuid | | |
sourceFqdn | | |
sourceThreatCount | | |
sourceMgmtPrecievedAddress | | |
sourceDnsDomain | | |
sourceHostName | | |
sourceUserName | | |
sourceUserId | | |
sourceAgentId | | |
sourceGroupId | | |
sourceGroupName | | |
sourceIpAddresses_0 | | |
sourceIpAddresses_1 | | |
sourceMacAddresses_0 | | |
data_uid | | |
data_creator | | |
data_osType | | |
data_ruleId | | |
data_version | | |
data_eventId | | |
data_groupId | | |
data_interface | | |
data_ruleName | | |
data_ruleType | | |
data_vendorId | | |
data_eventTime | | |
data_eventType | | |
data_productId | | |
data_scopeName | | |
data_deviceName | | |
data_lmpVersion | | |
data_minorClass | | |
data_deviceClass | | |
data_computerName | | |
data_profileUuids | | |
data_ruleScopeName | | |
data_lastLoggedInUserName | | |
data_siteName | | |
data_groupName | | |
data_externalIp | | |
data_scopeLevel | | |
data_accountName | | |
data_macAddresses_0 | | |
data_fullScopeDetails | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |