
endpoint.sentinelone

Introduction

The tags beginning with endpoint.sentinelone identify events generated by

Valid tags and data tables 

The full tag must have 4 levels. The first two are fixed as endpoint.sentinelone. The third level identifies the type of events sent. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service               Tags                                 Data tables
------------------------------  -----------------------------------  -----------------------------------
SentinelOne Singularity Mobile  endpoint.sentinelone.mobile.audit    endpoint.sentinelone.mobile.audit
SentinelOne Singularity Mobile  endpoint.sentinelone.mobile.threat   endpoint.sentinelone.mobile.threat

For more information, read About Devo tags.

Table structure

These are the fields displayed in these tables:

endpoint.sentinelone.mobile.audit

Field                           Type       Extra fields
------------------------------  ---------  ------------
eventdate                       timestamp
hostname                        str
priority                        str
version                         str
msg_timestamp                   str
msg_tag                         str
msg_source                      str
msg_type                        str
user                            str
action                          str
date                            str
hostchain                       str        ✓
tag                             str        ✓
rawMessage                      str        ✓

endpoint.sentinelone.mobile.threat

Field                           Type       Extra fields
------------------------------  ---------  ------------
eventdate                       timestamp
hostname                        str
priority                        str
version                         str
msg_timestamp                   str
msg_tag                         str
msg_source                      str
msg_type                        str
system_token                    str
severity                        int4
event_id                        str
forensics                       str
mitigated                       bool
location                        str
eventtimestamp                  str
user_info                       str
device_owner                    str
device_info__device_time        str
device_info__tag1               str
device_info__tag2               str
device_info__app                str
device_info__operator           str
device_info__imei               str
device_info__zdid               str
device_info__app_version        str
device_info__zapp_instance_id   str
device_info__os                 str
device_info__jailbroken         bool
device_info__os_version         str
device_info__model              str
device_info__device_id          str
device_info__type               str
threat__name                    str
threat__category                str
threat__general                 str
threat__threat_uuid             str
threat__display_name            str
threat__mitre_tactics           str
threat__child_threat_uuids      str
account_id                      str
team_id                         str
team_name                       str
hostchain                       str        ✓
tag                             str        ✓
rawMessage                      str        ✓
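The four-level tag rule from "Valid tags and data tables" and the column types of the endpoint.sentinelone.mobile.threat table above, applied as a pre-ingestion check. This is an added example, not Devo or SentinelOne code; the sample record and the field subset it checks are constructed here, and the names data_table_for and check_threat_record are this example's own.

```python
# Added example (not from the Devo page): route a tag to its data table using the
# four-level rule, and type-check a parsed mobile.threat record against the column
# types documented above before building queries or detections on those columns.
from datetime import datetime

PREFIX = ("endpoint", "sentinelone")          # first two levels are fixed
# Valid (type, subtype) pairs and the data table each tag feeds, from the page.
TAG_TABLES = {
    ("mobile", "audit"): "endpoint.sentinelone.mobile.audit",
    ("mobile", "threat"): "endpoint.sentinelone.mobile.threat",
}
# Non-str column types of the mobile.threat table; every other column is str.
THREAT_TYPES = {
    "eventdate": "timestamp",
    "severity": "int4",
    "mitigated": "bool",
    "device_info__jailbroken": "bool",
}

def data_table_for(tag: str):
    """Return the data table that receives events for `tag`, or None when the
    tag does not have exactly four levels, the fixed prefix, and a known
    type/subtype pair."""
    levels = tag.split(".")
    if len(levels) != 4 or tuple(levels[:2]) != PREFIX:
        return None
    return TAG_TABLES.get((levels[2], levels[3]))

def _matches(value, typ: str) -> bool:
    """True when `value` fits the documented Devo column type."""
    if typ == "timestamp":
        return isinstance(value, datetime)
    if typ == "int4":   # 32-bit signed integer; bool is excluded on purpose
        return isinstance(value, int) and not isinstance(value, bool) \
            and -2**31 <= value < 2**31
    if typ == "bool":
        return isinstance(value, bool)
    return isinstance(value, str)

def check_threat_record(record: dict) -> list:
    """Return (field, expected_type) pairs for values that do not match the
    column type; an empty list means the record is consistent with the table."""
    return [(f, THREAT_TYPES.get(f, "str")) for f, v in record.items()
            if not _matches(v, THREAT_TYPES.get(f, "str"))]

# Constructed sample record (not a real SentinelOne event); severity is
# deliberately a string so the check reports it.
SAMPLE = {
    "eventdate": datetime(2024, 1, 1, 12, 0, 0),
    "severity": "3",
    "mitigated": False,
    "device_info__jailbroken": True,
    "threat__name": "constructed-threat-name",
}
```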