edr.sentinelone

Introduction

The tags beginning with edr.sentinelone identify events generated by SentinelOne's platform.

Valid tags and data tables

The full tag must have at least 3 levels. The first two are fixed as edr.sentinelone. The third level identifies the type of events sent, and the fourth level, where present, indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service               Tags                                    Data tables
-----------------------------   -------------------------------------   -------------------------------------
SentinelOne agent events        edr.sentinelone.agent.agents            edr.sentinelone.agent.agents
                                edr.sentinelone.agent.threats           edr.sentinelone.agent.threats
SentinelOne Deep Visibility     edr.sentinelone.dv                      edr.sentinelone.dv
                                edr.sentinelone.dv.cross_process        edr.sentinelone.dv.cross_process
                                edr.sentinelone.dv.dns                  edr.sentinelone.dv.dns
                                edr.sentinelone.dv.driver               edr.sentinelone.dv.driver
                                edr.sentinelone.dv.file                 edr.sentinelone.dv.file
                                edr.sentinelone.dv.group                edr.sentinelone.dv.group
                                edr.sentinelone.dv.indicators           edr.sentinelone.dv.indicators
                                edr.sentinelone.dv.ip                   edr.sentinelone.dv.ip
                                edr.sentinelone.dv.logins               edr.sentinelone.dv.logins
                                edr.sentinelone.dv.module               edr.sentinelone.dv.module
                                edr.sentinelone.dv.process              edr.sentinelone.dv.process
                                edr.sentinelone.dv.registry             edr.sentinelone.dv.registry
                                edr.sentinelone.dv.scheduled_task       edr.sentinelone.dv.scheduled_task
                                edr.sentinelone.dv.url                  edr.sentinelone.dv.url
SentinelOne management events   edr.sentinelone.management.activities   edr.sentinelone.management.activities

How is the data sent to Devo?

To send events to the edr.sentinelone.dv tables, you must use the SentinelOne Deep Visibility with Cloud Funnel collector.

Table structure

These are the fields displayed in these tables:
