av.sentinelone

[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 Table structure ]

Introduction

The tags beginning with av.sentinelone identify events generated by antivirus products belonging to SentinelOne.

Valid tags and data tables

The full tag must have 3 levels. The first two are fixed as av.sentinelone. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables

Product / Service	Tags	Data tables
SentinelOne Endpoint Protection Platform (EPP)	`av.sentinelone.events`	`av.sentinelone.events`
SentinelOne Endpoint Protection Platform (EPP)	`av.sentinelone.rfc_5424`	`av.sentinelone.rfc_5424`

For more information, read more About Devo tags.

Table structure

These are the fields displayed in these tables:

av.sentinelone.events
av.sentinelone.rfc_5424

av.sentinelone.events

Field	Type	Field transformation	Source field name	Extra fields

Field	Type	Field transformation	Source field name	Extra fields
eventdate	`timestamp`
timestamp	`timestamp`		event_time
agent_info_id	`str`
agent_info_uuid	`str`
agent_info_network_status	`str`
agent_info_is_pending_uninstall	`bool`
agent_info_last_active_date	`timestamp`
agent_info_agent_version	`str`
agent_info_registered_at	`timestamp`
agent_info_last_logged_in_user_name	`str`
agent_info_encrypted_applications	`bool`
agent_info_hardware_information_total_memory	`int4`
agent_info_hardware_information_cpu_count	`int4`
agent_info_hardware_information_cpu_id	`str`
agent_info_hardware_information_machine_type	`str`
agent_info_hardware_information_model_name	`str`
agent_info_hardware_information_core_count	`int4`
agent_info_software_information_os_start_time	`timestamp`	`parsedate(agent_info_software_information_os_start_time__tmp, dateformat("YYYY-MM-DDTHH:mm:ssZ"))`	agent_info_software_information_os_start_time__tmp
agent_info_software_information_os_revision	`str`
agent_info_software_information_os_type	`int4`
agent_info_software_information_os_name	`str`
agent_info_software_information_os_arch	`str`
agent_info_is_uninstalled	`bool`
agent_info_users	`str`
agent_info_is_active	`bool`
agent_info_meta_data_created_at	`timestamp`
agent_info_meta_data_updated_at	`timestamp`
agent_info_configuration_research_data	`str`
agent_info_configuration_mitigation_mode	`str`
agent_info_configuration_mitigation_mode_suspicious	`str`
agent_info_configuration_auto_mitigation_actions	`str`
agent_info_configuration_learning_mode	`bool`
agent_info_group_id	`str`
agent_info_user_actions_needed	`int4`
agent_info_assets	`str`
agent_info_external_ip	`str`
agent_info_is_up_to_date	`bool`
agent_info_group_ip	`str`
agent_info_network_information_domain	`str`
agent_info_network_information_computer_name	`str`
agent_info_network_information_interfaces_name_str	`str`	`join(agent_info_network_information_interfaces_name, ",")`	agent_info_network_information_interfaces_name
agent_info_network_information_interfaces_physical_str	`str`	`join(agent_info_network_information_interfaces_physical, ",")`	agent_info_network_information_interfaces_physical
agent_info_network_information_interfaces_inet_str	`str`		agent_info_network_information_interfaces_inet
agent_info_network_information_interfaces_inet6_str	`str`		agent_info_network_information_interfaces_inet6
agent_info_threat_count	`int4`
agent_info_scan_status_status	`int4`
agent_info_scan_status_aborted_at	`timestamp`
agent_info_scan_status_started_at	`timestamp`
agent_info_scan_status_finished_at	`timestamp`
agent_info_is_decommissioned	`bool`
threat_classifier_name	`str`
threat_mitigation_status	`int4`
threat_from_scan	`bool`
threat_suspicious	`bool`
threat_in_quarantine	`bool`
threat_agent	`str`
threat_learning_mode	`bool`
threat_from_cloud	`bool`
threat_is_partial_story	`bool`
threat_mitigation_actions	`str`
threat_id	`str`
threat_browser_type	`str`
threat_annotation_url	`str`
threat_is_cert_valid	`bool`
threat_indicators	`str`
threat_cert_id	`str`
threat_hidden	`bool`
threat_resolved	`bool`
threat_description	`str`
threat_publisher	`str`
threat_mitigation_report_kill_status	`str`
threat_mitigation_report_quarantine_status	`str`
threat_mitigation_report_network_quarantine_status	`str`
threat_mitigation_report_rollback_status	`str`
threat_mitigation_report_remediate_status	`str`
threat_engine_data	`str`
threat_meta_data_created_at	`timestamp`
threat_meta_data_updated_at	`timestamp`
threat_file_id_display_name	`str`
threat_file_id_permission	`str`
threat_file_id_hash_reputation	`str`
threat_file_id_is_system	`bool`
threat_file_id_object_id	`str`
threat_file_id_path	`str`
threat_file_id_content_hash	`str`
threat_file_id_size	`int4`
threat_mitigation_mode	`str`
threat_annotation	`str`
threat_silent_threat	`bool`
threat_marked_as_benign	`str`
threat_whitening_options	`str`
threat_malicious_process_arguments	`str`
threat_extension	`str`
threat_in_learning_mode	`bool`
threat_affected_files	`str`
threat_username	`str`
threat_created_date	`timestamp`
threat_mitigation_mode_suspicious	`str`
threat_malicious_group_id	`str`
threat_agent_version	`str`
hostchain	`str`			✓
tag	`str`			✓
rawMessage	`str`			✓

av.sentinelone.rfc_5424

Field	Type	Extra fields

Field	Type	Extra fields
eventdate	`timestamp`
priority	`str`
RFC_Version	`str`
date	`str`
hostname	`str`
app_name	`str`
component_ID	`str`
activity_ID	`str`
activityType	`str`
activityId	`str`
rt	`str`
ip	`str`
deviceAddress	`str`
deviceHostFqdn	`str`
deviceHostName	`str`
siteId	`str`
siteName	`str`
accountId	`str`
accountName	`str`
vendor	`str`
sentinel_eventID	`str`
eventDesc	`str`
eventSeverity	`str`
notificationScope	`str`
agentId	`str`
threatId	`str`
comments	`str`
userId	`str`
description	`str`
secondaryDescription	`str`
createdAt	`str`
groupId	`str`
agentUpdatedVersion	`str`
hash	`str`
osFamily	`str`
updatedAt	`str`
event_description	`str`
cat	`str`
groupName	`str`
originatorName	`str`
originatorVersion	`str`
sourceNetworkState	`str`
sourceOsRevision	`str`
sourceOsType	`str`
sourceAgentUuid	`str`
sourceFqdn	`str`
sourceThreatCount	`str`
sourceMgmtPrecievedAddress	`str`
sourceDnsDomain	`str`
sourceHostName	`str`
sourceUserName	`str`
sourceUserId	`str`
sourceAgentId	`str`
sourceGroupId	`str`
sourceGroupName	`str`
sourceIpAddresses_0	`str`
sourceIpAddresses_1	`str`
sourceMacAddresses_0	`str`
data_uid	`str`
data_creator	`str`
data_osType	`str`
data_ruleId	`str`
data_version	`str`
data_eventId	`str`
data_groupId	`str`
data_interface	`str`
data_ruleName	`str`
data_ruleType	`str`
data_vendorId	`str`
data_eventTime	`str`
data_eventType	`str`
data_productId	`str`
data_scopeName	`str`
data_deviceName	`str`
data_lmpVersion	`str`
data_minorClass	`str`
data_deviceClass	`str`
data_computerName	`str`
data_profileUuids	`str`
data_ruleScopeName	`str`
data_lastLoggedInUserName	`str`
data_siteName	`str`
data_groupName	`str`
data_externalIp	`str`
data_scopeLevel	`str`
data_accountName	`str`
data_macAddresses_0	`str`
data_fullScopeDetails	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓