diff --git a/packages/sentinel_one/changelog.yml b/packages/sentinel_one/changelog.yml
index 039fb0ae6d7..6d696ba54ff 100644
--- a/packages/sentinel_one/changelog.yml
+++ b/packages/sentinel_one/changelog.yml
@@ -1,4 +1,14 @@
 # newer versions go on top
+- version: "2.0.0"
+ changes:
+ - description: |
+ Unified the site, account, and threat-classification field structures under the `sentinel_one.*` namespace
+ across all data streams, and removed older fields.
+ type: breaking-change
+ link: https://github.com/elastic/integrations/pull/15931
+ - description: Enhanced the ECS mappings across all data streams.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15931
 - version: "1.43.2"
 changes:
 - description: Do not log expected empty template results as DEGRADED health in agent or group data streams.
diff --git a/packages/sentinel_one/data_stream/activity/_dev/test/pipeline/test-pipeline-activity.log-expected.json b/packages/sentinel_one/data_stream/activity/_dev/test/pipeline/test-pipeline-activity.log-expected.json
index dd5cdd85d36..4242bbd593f 100644
--- a/packages/sentinel_one/data_stream/activity/_dev/test/pipeline/test-pipeline-activity.log-expected.json
+++ b/packages/sentinel_one/data_stream/activity/_dev/test/pipeline/test-pipeline-activity.log-expected.json
@@ -9,6 +9,7 @@
 "category": [
 "configuration"
 ],
+ "id": "1234567890123456789",
 "kind": "event",
 "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":\"True\",\"createdAt\":\"2022-04-18T05:14:08.925421Z\",\"data\":{\"accountName\":\"Default\",\"byUser\":\"API\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"test/default\",\"groupName\":null,\"newValue\":true,\"role\":\"Level\",\"scopeLevel\":\"Account\",\"scopeName\":\"Default\",\"siteName\":null,\"userScope\":\"account\",\"username\":\"API\"},\"description\":\"API\",\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"The management user API enabled Two factor authentication on the user API.\",\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":null,\"updatedAt\":\"2022-04-18T05:14:08.922553Z\",\"userId\":\"1234567890123456789\"}",
 "type": [
@@ -22,10 +23,12 @@
 ]
 },
 "sentinel_one": {
+ "account": {
+ "name": "Default"
+ },
 "activity": {
 "account": {
- "id": "1234567890123456789",
- "name": "Default"
+ "id": "1234567890123456789"
 },
 "comments": "True",
 "data": {
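Review bot: The account fields end up split across two namespaces in the second hunk's new output: `sentinel_one.account.name` is added at the top level while `sentinel_one.activity.account.id` stays where it was, whereas `site` in the later hunks moves both `id` and `name` together into `sentinel_one.site`. If the unification described in the changelog is meant to apply to account as well, the expected document should carry `"account": { "id": "1234567890123456789", "name": "Default" }` under `sentinel_one` and drop `sentinel_one.activity.account`; if keeping `activity.account.id` is deliberate, a changelog sentence saying so would save the same question on every data stream. The same split repeats in every `sentinel_one` hunk of this file. The pipeline that produces this fixture is outside the diff, so this is inferred from the expected output alone.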
@@ -75,6 +78,7 @@
 "category": [
 "authentication"
 ],
+ "id": "1234567890123456789",
 "kind": "event",
 "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-18T05:14:09.240427Z\",\"data\":{\"accountName\":\"Default\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"test/default\",\"groupName\":null,\"ipAddress\":\"81.2.69.144\",\"reason\":null,\"role\":\"Level\",\"scopeLevel\":\"Account\",\"scopeName\":\"Default\",\"siteName\":null,\"source\":\"src\",\"userScope\":\"account\",\"username\":\"API\"},\"description\":null,\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"The management user API logged in to the management console with IP Address 81.2.69.144\",\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":null,\"updatedAt\":\"2022-04-18T05:14:09.238430Z\",\"userId\":\"1234567890123456789\"}",
 "outcome": "success",
@@ -109,10 +113,12 @@
 ]
 },
 "sentinel_one": {
+ "account": {
+ "name": "Default"
+ },
 "activity": {
 "account": {
- "id": "1234567890123456789",
- "name": "Default"
+ "id": "1234567890123456789"
 },
 "data": {
 "account": {
@@ -157,6 +163,7 @@
 "category": [
 "configuration"
 ],
+ "id": "1234567890123456789",
 "kind": "event",
 "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-05T16:11:05.469398Z\",\"data\":{\"accountName\":\"Default\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"test/default\",\"groupName\":null,\"recoveryEmail\":\"user@example.com\",\"role\":\"Admin\",\"scopeLevel\":\"Account\",\"scopeName\":\"Default\",\"siteName\":null,\"userScope\":\"account\",\"username\":\"test User\"},\"description\":null,\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"User test User added a recovery email user@example.com\",\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":null,\"updatedAt\":\"2022-04-05T16:11:05.189394Z\",\"userId\":\"1234567890123456789\"}",
 "type": [
@@ -170,10 +177,12 @@
 ]
 },
 "sentinel_one": {
+ "account": {
+ "name": "Default"
+ },
 "activity": {
 "account": {
- "id": "1234567890123456789",
- "name": "Default"
+ "id": "1234567890123456789"
 },
 "data": {
 "account": {
@@ -215,12 +224,17 @@
 "version": "8.11.0"
 },
 "event": {
+ "id": "1234567890123456789",
 "kind": "event",
 "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":\"1234567890123456789\",\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-06T08:26:45.579474Z\",\"data\":{\"accountName\":\"Default\",\"computerName\":\"user-computer-name\",\"externalIp\":\"81.2.69.193\",\"fullScopeDetails\":\"Group Default Group in Site Default site of Account Default\",\"fullScopeDetailsPath\":\"test/default\",\"groupName\":\"Default Group\",\"scopeLevel\":\"Group\",\"scopeName\":\"Default Group\",\"siteName\":\"Default site\",\"system\":true,\"username\":null,\"uuid\":\"xxxxxxxxxxxx1d8e12b343e8e30\"},\"description\":null,\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"System initiated a full disk scan to the agent: user-computer-name (81.2.69.144).\",\"secondaryDescription\":null,\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"threatId\":null,\"updatedAt\":\"2022-04-06T08:26:45.579478Z\",\"userId\":null}",
 "type": [
 "info"
 ]
 },
+ "group": {
+ "id": "1234567890123456789",
+ "name": "Default Group"
+ },
 "host": {
 "geo": {
 "city_name": "London",
@@ -250,10 +264,12 @@
 ]
 },
 "sentinel_one": {
+ "account": {
+ "name": "Default"
+ },
 "activity": {
 "account": {
- "id": "1234567890123456789",
- "name": "Default"
+ "id": "1234567890123456789"
 },
 "agent": {
 "id": "1234567890123456789"
@@ -281,12 +297,12 @@
 "primary": "System initiated a full disk scan to the agent: user-computer-name (81.2.69.144)."
 },
 "id": "1234567890123456789",
- "site": {
- "id": "1234567890123456789",
- "name": "Default site"
- },
 "type": 1234,
 "updated_at": "2022-04-06T08:26:45.579Z"
+ },
+ "site": {
+ "id": "1234567890123456789",
+ "name": "Default site"
 }
 },
 "tags": [
@@ -305,12 +321,17 @@
 "version": "8.11.0"
 },
 "event": {
+ "id": "1234567890123456789",
 "kind": "event",
 "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":\"1234567890123456789\",\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-06T08:26:45.582620Z\",\"data\":{\"accountName\":\"Default\",\"computerName\":\"user-computer-name\",\"fullScopeDetails\":\"Group Default Group in Site Default site of Account Default\",\"fullScopeDetailsPath\":\"test/default\",\"group\":\"Default Group\",\"groupName\":\"Default Group\",\"optionalGroups\":[],\"siteName\":\"Default site\"},\"description\":null,\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"user-computer-name subscribed and joined the group Default Group of site Default site.\",\"secondaryDescription\":\"\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"threatId\":null,\"updatedAt\":\"2022-04-06T08:26:45.531543Z\",\"userId\":null}",
 "type": [
 "info"
 ]
 },
+ "group": {
+ "id": "1234567890123456789",
+ "name": "Default Group"
+ },
 "host": {
 "id": "1234567890123456789",
 "name": "user-computer-name"
@@ -322,10 +343,12 @@
 ]
 },
 "sentinel_one": {
+ "account": {
+ "name": "Default"
+ },
 "activity": {
 "account": {
- "id": "1234567890123456789",
- "name": "Default"
+ "id": "1234567890123456789"
 },
 "agent": {
 "id": "1234567890123456789"
@@ -348,12 +371,12 @@
 "primary": "user-computer-name subscribed and joined the group Default Group of site Default site."
 },
 "id": "1234567890123456789",
- "site": {
- "id": "1234567890123456789",
- "name": "Default site"
- },
 "type": 1234,
 "updated_at": "2022-04-06T08:26:45.531Z"
+ },
+ "site": {
+ "id": "1234567890123456789",
+ "name": "Default site"
 }
 },
 "tags": [
@@ -372,12 +395,17 @@
 "version": "8.11.0"
 },
 "event": {
+ "id": "1234567890123456789",
 "kind": "event",
 "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":\"1234567890123456789\",\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-06T08:26:52.843448Z\",\"data\":{\"accountName\":\"Default\",\"computerName\":\"user-computer-name\",\"createdAt\":\"2022-04-06T08:26:52.838073Z\",\"fullScopeDetails\":\"Group Default Group in Site Default site of Account Default\",\"fullScopeDetailsPath\":\"test/default\",\"groupName\":\"Default Group\",\"scopeLevel\":\"Group\",\"scopeName\":\"Default Group\",\"siteName\":\"Default site\",\"status\":\"started\"},\"description\":null,\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"Agent user-computer-name started full disk scan at Wed, 06 Apr 2022, 08:26:52 UTC.\",\"secondaryDescription\":null,\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"threatId\":null,\"updatedAt\":\"2022-04-06T08:26:52.839948Z\",\"userId\":null}",
 "type": [
 "info"
 ]
 },
+ "group": {
+ "id": "1234567890123456789",
+ "name": "Default Group"
+ },
 "host": {
 "id": "1234567890123456789",
 "name": "user-computer-name"
@@ -389,10 +417,12 @@
 ]
 },
 "sentinel_one": {
+ "account": {
+ "name": "Default"
+ },
 "activity": {
 "account": {
- "id": "1234567890123456789",
- "name": "Default"
+ "id": "1234567890123456789"
 },
 "agent": {
 "id": "1234567890123456789"
@@ -423,12 +453,12 @@
 "primary": "Agent user-computer-name started full disk scan at Wed, 06 Apr 2022, 08:26:52 UTC."
 },
 "id": "1234567890123456789",
- "site": {
- "id": "1234567890123456789",
- "name": "Default site"
- },
 "type": 1234,
 "updated_at": "2022-04-06T08:26:52.839Z"
+ },
+ "site": {
+ "id": "1234567890123456789",
+ "name": "Default site"
 }
 },
 "tags": [
@@ -450,6 +480,7 @@
 "category": [
 "configuration"
 ],
+ "id": "1234567890123456789",
 "kind": "event",
 "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-06T08:45:43.122415Z\",\"data\":{\"accountName\":\"Default\",\"description\":null,\"fileContentHash\":\"aaf4c61ddcc5e8a2dabede0f3b482cxxxxxxxxxx\",\"fullScopeDetails\":\"Site Default site of Account Default\",\"fullScopeDetailsPath\":\"test/default\",\"groupName\":null,\"osFamily\":\"osname\",\"scopeLevel\":\"Site\",\"scopeName\":\"Default site\",\"siteName\":\"Default site\",\"username\":\"unknown\"},\"description\":null,\"groupId\":null,\"groupName\":null,\"hash\":\"aaf4c61ddcc5e8a2dabede0f3b482cxxxxxxxxxx\",\"id\":\"1234567890123456789\",\"osFamily\":\"osname\",\"primaryDescription\":\"Cloud added or modified osname blacklist hash.\",\"secondaryDescription\":\"6a264eda96e766b41bc14a3c9e9xxxxxxxxxxx\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"threatId\":null,\"updatedAt\":\"2022-04-06T08:45:43.112319Z\",\"userId\":null}",
 "type": [
@@ -487,10 +518,12 @@
 ]
 },
 "sentinel_one": {
+ "account": {
+ "name": "Default"
+ },
 "activity": {
 "account": {
- "id": "1234567890123456789",
- "name": "Default"
+ "id": "1234567890123456789"
 },
 "data": {
 "account": {
@@ -513,12 +546,12 @@
 "secondary": "6a264eda96e766b41bc14a3c9e9xxxxxxxxxxx"
 },
 "id": "1234567890123456789",
- "site": {
- "id": "1234567890123456789",
- "name": "Default site"
- },
 "type": 1234,
 "updated_at": "2022-04-06T08:45:43.112Z"
+ },
+ "site": {
+ "id": "1234567890123456789",
+ "name": "Default site"
 }
 },
 "tags": [
@@ -537,6 +570,7 @@
 "category": [
 "malware"
 ],
+ "id": "1234567890123456789",
 "kind": "event",
 "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":\"1234567890123456789\",\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-06T08:45:54.532670Z\",\"data\":{\"accountName\":\"Default\",\"computerName\":\"user-computer-name\",\"confidenceLevel\":\"level\",\"escapedMaliciousProcessArguments\":null,\"fileContentHash\":\"aaf4c61ddcc5e8a2dabede0f3b482cxxxxxxxxxx\",\"fileDisplayName\":\"default.exe\",\"filePath\":\"\\\\test\\\\default.exe\",\"fullScopeDetails\":\"Group Default Group in Site Default site of Account Default\",\"fullScopeDetailsPath\":\"test/default / Default site / Default Group\",\"groupName\":\"Default Group\",\"siteName\":\"Default site\",\"threatClassification\":\"Trojan\",\"threatClassificationSource\":\"Cloud\",\"username\":null},\"description\":null,\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"Threat with confidence level malicious detected: default.exe\",\"secondaryDescription\":\"6a264eda96e766b41bc14a3c9e99xxxxxxxxxx\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"threatId\":\"1234567890123456789\",\"updatedAt\":\"2022-04-06T08:45:54.527789Z\",\"userId\":null}",
 "type": [
@@ -550,6 +584,10 @@
 "name": "default.exe",
 "path": "\\test\\default.exe"
 },
+ "group": {
+ "id": "1234567890123456789",
+ "name": "Default Group"
+ },
 "host": {
 "id": "1234567890123456789",
 "name": "user-computer-name"
@@ -564,10 +602,12 @@
 ]
 },
 "sentinel_one": {
+ "account": {
+ "name": "Default"
+ },
 "activity": {
 "account": {
- "id": "1234567890123456789",
- "name": "Default"
+ "id": "1234567890123456789"
 },
 "agent": {
 "id": "1234567890123456789"
@@ -586,12 +626,6 @@
 "group_name": "Default Group",
 "site": {
 "name": "Default site"
- },
- "threat": {
- "classification": {
- "name": "Trojan",
- "source": "Cloud"
- }
 }
 },
 "description": {
@@ -599,15 +633,19 @@
 "secondary": "6a264eda96e766b41bc14a3c9e99xxxxxxxxxx"
 },
 "id": "1234567890123456789",
- "site": {
- "id": "1234567890123456789",
- "name": "Default site"
- },
 "threat": {
 "id": "1234567890123456789"
 },
 "type": 1234,
 "updated_at": "2022-04-06T08:45:54.527Z"
+ },
+ "site": {
+ "id": "1234567890123456789",
+ "name": "Default site"
+ },
+ "threat_classification": {
+ "name": "Trojan",
+ "source": "Cloud"
 }
 },
 "tags": [
@@ -629,6 +667,7 @@
 "category": [
 "malware"
 ],
+ "id": "1234567890123456789",
 "kind": "event",
 "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":\"1234567890123456789\",\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-06T08:45:55.309279Z\",\"data\":{\"accountName\":\"Default\",\"computerName\":\"user-test\",\"escapedMaliciousProcessArguments\":null,\"fileContentHash\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileDisplayName\":\"default.exe\",\"filePath\":\"/test/path/default.exe\",\"fullScopeDetails\":\"Group Default Group in Site Default site of Account Default\",\"fullScopeDetailsPath\":\"/path/test\",\"globalStatus\":\"success\",\"groupName\":\"Default Group\",\"scopeLevel\":\"Group\",\"scopeName\":\"Default Group\",\"siteName\":\"Default site\",\"threatClassification\":\"Trojan\",\"threatClassificationSource\":\"Cloud\"},\"description\":null,\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"The agent user-computer-name successfully killed the threat: default.exe.\",\"secondaryDescription\":\"/test/path/default.exe\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"threatId\":\"1234567890123456789\",\"updatedAt\":\"2022-04-06T08:45:55.306443Z\",\"userId\":null}",
 "type": [
@@ -642,6 +681,10 @@
 "name": "default.exe",
 "path": "/test/path/default.exe"
 },
+ "group": {
+ "id": "1234567890123456789",
+ "name": "Default Group"
+ },
 "host": {
 "id": "1234567890123456789",
 "name": "user-test"
@@ -656,10 +699,12 @@
 ]
 },
 "sentinel_one": {
+ "account": {
+ "name": "Default"
+ },
 "activity": {
 "account": {
- "id": "1234567890123456789",
- "name": "Default"
+ "id": "1234567890123456789"
 },
 "agent": {
 "id": "1234567890123456789"
@@ -682,12 +727,6 @@
 },
 "site": {
 "name": "Default site"
- },
- "threat": {
- "classification": {
- "name": "Trojan",
- "source": "Cloud"
- }
 }
 },
 "description": {
@@ -695,15 +734,19 @@
 "secondary": "/test/path/default.exe"
 },
 "id": "1234567890123456789",
- "site": {
- "id": "1234567890123456789",
- "name": "Default site"
- },
 "threat": {
 "id": "1234567890123456789"
 },
 "type": 1234,
 "updated_at": "2022-04-06T08:45:55.306Z"
+ },
+ "site": {
+ "id": "1234567890123456789",
+ "name": "Default site"
+ },
+ "threat_classification": {
+ "name": "Trojan",
+ "source": "Cloud"
 }
 },
 "tags": [
@@ -725,6 +768,7 @@
 "category": [
 "malware"
 ],
+ "id": "1234567890123456789",
 "kind": "event",
 "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":\"1234567890123456789\",\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-06T08:45:56.634682Z\",\"data\":{\"accountName\":\"Default\",\"computerName\":\"user-test\",\"escapedMaliciousProcessArguments\":null,\"fileContentHash\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileDisplayName\":\"default.exe\",\"filePath\":\"/test/path/default.exe\",\"fullScopeDetails\":\"Group Default Group in Site Default site of Account Default\",\"fullScopeDetailsPath\":\"/path/test\",\"groupName\":\"Default Group\",\"newStatus\":\"Mitigated\",\"originalStatus\":\"Not mitigated\",\"siteName\":\"Default site\",\"threatClassification\":\"Trojan\",\"threatClassificationSource\":\"Cloud\"},\"description\":null,\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"Status of threat default.exe on agent user-computer-name changed from Not mitigated to Mitigated.\",\"secondaryDescription\":\"/test/path/default.exe\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"threatId\":\"1234567890123456789\",\"updatedAt\":\"2022-04-06T08:45:56.632098Z\",\"userId\":null}",
 "type": [
@@ -738,6 +782,10 @@
 "name": "default.exe",
 "path": "/test/path/default.exe"
 },
+ "group": {
+ "id": "1234567890123456789",
+ "name": "Default Group"
+ },
 "host": {
 "id": "1234567890123456789",
 "name": "user-test"
@@ -752,10 +800,12 @@
 ]
 },
 "sentinel_one": {
+ "account": {
+ "name": "Default"
+ },
 "activity": {
 "account": {
- "id": "1234567890123456789",
- "name": "Default"
+ "id": "1234567890123456789"
 },
 "agent": {
 "id": "1234567890123456789"
@@ -777,12 +827,6 @@
 },
 "site": {
 "name": "Default site"
- },
- "threat": {
- "classification": {
- "name": "Trojan",
- "source": "Cloud"
- }
 }
 },
 "description": {
@@ -790,15 +834,19 @@
 "secondary": "/test/path/default.exe"
 },
 "id": "1234567890123456789",
- "site": {
- "id": "1234567890123456789",
- "name": "Default site"
- },
 "threat": {
 "id": "1234567890123456789"
 },
 "type": 1234,
 "updated_at": "2022-04-06T08:45:56.632Z"
+ },
+ "site": {
+ "id": "1234567890123456789",
+ "name": "Default site"
+ },
+ "threat_classification": {
+ "name": "Trojan",
+ "source": "Cloud"
 }
 },
 "tags": [
@@ -820,6 +868,7 @@
 "category": [
 "malware"
 ],
+ "id": "1234567890123456789",
 "kind": "event",
 "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":\"1234567890123456789\",\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-06T08:45:56.641989Z\",\"data\":{\"accountName\":\"Default\",\"computerName\":\"user-test\",\"downloadUrl\":\"/test/path\",\"escapedMaliciousProcessArguments\":null,\"fileContentHash\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileDisplayName\":\"default.exe\",\"filePath\":\"/test/path/default.exe\",\"fullScopeDetails\":\"Group Default Group in Site Default site of Account Default\",\"fullScopeDetailsPath\":\"/path/test\",\"globalStatus\":null,\"groupName\":\"Default Group\",\"scopeLevel\":\"Group\",\"scopeName\":\"Default Group\",\"siteName\":\"Default site\",\"threatClassification\":\"Trojan\",\"threatClassificationSource\":\"Cloud\"},\"description\":null,\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"The agent user-computer-name successfully quarantined the threat: default.exe.\",\"secondaryDescription\":\"/test/path/default.exe\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"threatId\":\"1234567890123456789\",\"updatedAt\":\"2022-04-06T08:45:56.638698Z\",\"userId\":null}",
 "type": [
@@ -833,6 +882,10 @@
 "name": "default.exe",
 "path": "/test/path/default.exe"
 },
+ "group": {
+ "id": "1234567890123456789",
+ "name": "Default Group"
+ },
 "host": {
 "id": "1234567890123456789",
 "name": "user-test"
@@ -847,10 +900,12 @@
 ]
 },
 "sentinel_one": {
+ "account": {
+ "name": "Default"
+ },
 "activity": {
 "account": {
- "id": "1234567890123456789",
- "name": "Default"
+ "id": "1234567890123456789"
 },
 "agent": {
 "id": "1234567890123456789"
@@ -873,12 +928,6 @@
 },
 "site": {
 "name": "Default site"
- },
- "threat": {
- "classification": {
- "name": "Trojan",
- "source": "Cloud"
- }
 }
 },
 "description": {
@@ -886,15 +935,19 @@
 "secondary": "/test/path/default.exe"
 },
 "id": "1234567890123456789",
- "site": {
- "id": "1234567890123456789",
- "name": "Default site"
- },
 "threat": {
 "id": "1234567890123456789"
 },
 "type": 1234,
 "updated_at": "2022-04-06T08:45:56.638Z"
+ },
+ "site": {
+ "id": "1234567890123456789",
+ "name": "Default site"
+ },
+ "threat_classification": {
+ "name": "Trojan",
+ "source": "Cloud"
 }
 },
 "tags": [
@@ -916,6 +969,7 @@
 "category": [
 "configuration"
 ],
+ "id": "1234567890123456789",
 "kind": "event",
 "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-06T08:46:08.135397Z\",\"data\":{\"accountName\":\"Default\",\"description\":null,\"fileContentHash\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fullScopeDetails\":\"Site Default site of Account Default\",\"fullScopeDetailsPath\":\"/path/test / Default site\",\"groupName\":null,\"osFamily\":\"linux\",\"scopeLevel\":\"Site\",\"scopeName\":\"Default site\",\"siteName\":\"Default site\",\"username\":\"unknown\"},\"description\":null,\"groupId\":null,\"groupName\":null,\"hash\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"id\":\"1234567890123456789\",\"osFamily\":\"linux\",\"primaryDescription\":\"Cloud added or modified linux blacklist hash.\",\"secondaryDescription\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"threatId\":null,\"updatedAt\":\"2022-04-06T08:46:08.124972Z\",\"userId\":null}",
 "type": [
@@ -954,10 +1008,12 @@
 ]
 },
 "sentinel_one": {
+ "account": {
+ "name": "Default"
+ },
 "activity": {
 "account": {
- "id": "1234567890123456789",
- "name": "Default"
+ "id": "1234567890123456789"
 },
 "data": {
 "account": {
@@ -980,12 +1036,12 @@
 "secondary": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"
 },
 "id": "1234567890123456789",
- "site": {
- "id": "1234567890123456789",
- "name": "Default site"
- },
 "type": 1234,
 "updated_at": "2022-04-06T08:46:08.124Z"
+ },
+ "site": {
+ "id": "1234567890123456789",
+ "name": "Default site"
 }
 },
 "tags": [
@@ -1001,6 +1057,7 @@
 "version": "8.11.0"
 },
 "event": {
+ "id": "1234567890123456789",
 "kind": "event",
 "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-06T08:51:09.416721Z\",\"data\":{\"accountName\":\"Default\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"test/path\",\"groupName\":null,\"newValue\":\"not inherited\",\"policy\":{\"id\":\"1234567890123456789\"},\"policyName\":\"1234567890123456789\",\"scopeLevel\":\"Account\",\"scopeName\":\"Default\",\"siteName\":null,\"username\":\"test User\"},\"description\":null,\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"The management user test User turned off policy inheritance for account Default.\",\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":null,\"updatedAt\":\"2022-04-06T08:51:09.416724Z\",\"userId\":\"1234567890123456789\"}",
 "type": [
@@ -1014,10 +1071,12 @@
 ]
 },
 "sentinel_one": {
+ "account": {
+ "name": "Default"
+ },
 "activity": {
 "account": {
- "id": "1234567890123456789",
- "name": "Default"
+ "id": "1234567890123456789"
 },
 "data": {
 "account": {
@@ -1061,6 +1120,7 @@
 "version": "8.11.0"
 },
 "event": {
+ "id": "1234567890123456789",
 "kind": "event",
 "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-06T08:51:09.416733Z\",\"data\":{\"accountName\":\"Default\",\"changedKeys\":[\"contactFreeText\",\"contactCompany\",\"contactEmail\",\"contactPhoneNumber\",\"contactDirectMessage\",\"contactSupportWebsite\",\"contactOther\"],\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"/path/test\",\"groupName\":null,\"newValue\":true,\"policy\":{\"id\":\"1234567890123456789\"},\"policyName\":\"1234567890123456789\",\"scopeLevel\":\"Account\",\"scopeName\":\"Default\",\"siteName\":null,\"username\":\"test User\"},\"description\":null,\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"Agent UI setting was changed for all Sites .\",\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":null,\"updatedAt\":\"2022-04-06T08:51:09.416734Z\",\"userId\":\"1234567890123456789\"}",
 "type": [
@@ -1074,10 +1134,12 @@
 ]
 },
 "sentinel_one": {
+ "account": {
+ "name": "Default"
+ },
 "activity": {
 "account": {
- "id": "1234567890123456789",
- "name": "Default"
+ "id": "1234567890123456789"
 },
 "data": {
 "account": {
@@ -1133,6 +1195,7 @@
 "category": [
 "malware"
 ],
+ "id": "1234567890123456789",
 "kind": "event",
 "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":\"1234567890123456789\",\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-06T08:57:37.680234Z\",\"data\":{\"accountName\":\"Default\",\"computerName\":\"user-test\",\"escapedMaliciousProcessArguments\":\"/path/test\",\"fileContentHash\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileDisplayName\":\"default.txt\",\"fullScopeDetails\":\"Group Default Group in Site Default site of Account Default\",\"fullScopeDetailsPath\":\"/path/test / Default site / Default Group\",\"groupName\":\"Default Group\",\"newConfidenceLevel\":\"malicious\",\"oldConfidenceLevel\":\"suspicious\",\"scopeLevel\":\"Group\",\"scopeName\":\"Default Group\",\"siteName\":\"Default site\",\"threatClassification\":\"Malware\",\"threatClassificationSource\":\"Static\"},\"description\":null,\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"Agent user-computer-name changed the Confidence Level of the threat from suspicious to malicious\",\"secondaryDescription\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"threatId\":\"1234567890123456789\",\"updatedAt\":\"2022-04-06T08:57:37.676697Z\",\"userId\":null}",
 "type": [
@@ -1145,6 +1208,10 @@
 },
 "name": "default.txt"
 },
+ "group": {
+ "id": "1234567890123456789",
+ "name": "Default Group"
+ },
 "host": {
 "id": "1234567890123456789",
 "name": "user-test"
@@ -1159,10 +1226,12 @@
 ]
 },
 "sentinel_one": {
+ "account": {
+ "name": "Default"
+ },
 "activity": {
 "account": {
- "id": "1234567890123456789",
- "name": "Default"
+ "id": "1234567890123456789"
 },
 "agent": {
 "id": "1234567890123456789"
@@ -1193,12 +1262,6 @@
 },
 "site": {
 "name": "Default site"
- },
- "threat": {
- "classification": {
- "name": "Malware",
- "source": "Static"
- }
 }
 },
 "description": {
@@ -1206,15 +1269,19 @@
 "secondary": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"
 },
 "id": "1234567890123456789",
- "site": {
- "id": "1234567890123456789",
- "name": "Default site"
- },
 "threat": {
 "id": "1234567890123456789"
 },
 "type": 1234,
 "updated_at": "2022-04-06T08:57:37.676Z"
+ },
+ "site": {
+ "id": "1234567890123456789",
+ "name": "Default site"
+ },
+ "threat_classification": {
+ "name": "Malware",
+ "source": "Static"
 }
 },
 "tags": [
@@ -1233,6 +1300,7 @@
 "version": "8.11.0"
 },
 "event": {
+ "id": "1234567890123456789",
 "kind": "event",
 "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-06T08:59:41.758501Z\",\"data\":{\"accountName\":\"Default\",\"attr\":\"BEHAVIORAL_INDICATORS\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"/path/test\",\"groupName\":null,\"newValue\":true,\"policy\":{\"id\":\"1234567890123456789\"},\"policyName\":\"1234567890123456789\",\"scopeLevel\":\"Account\",\"scopeName\":\"Default\",\"siteName\":null,\"username\":\"test user\"},\"description\":null,\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"The management user test user turned on Deep Visibility configuration \\\"BEHAVIORAL_INDICATORS\\\" for account Default.\",\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":null,\"updatedAt\":\"2022-04-06T08:59:41.758503Z\",\"userId\":\"1234567890123456789\"}",
 "type": [
@@ -1246,10 +1314,12 @@
 ]
 },
 "sentinel_one": {
+ "account": {
+ "name": "Default"
+ },
 "activity": {
 "account": {
- "id": "1234567890123456789",
- "name": "Default"
+ "id": "1234567890123456789"
 },
 "data": {
 "account": {
@@ -1294,12 +1364,17 @@
 "version": "8.11.0"
 },
 "event": {
+ "id": "1234567890123456789",
 "kind": "event",
 "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":\"1234567890123456789\",\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-06T08:26:45.579474Z\",\"data\":{\"accountName\":\"Default\",\"computerName\":\"user-test\",\"ipAddress\":\"81.2.69.143\",\"externalIp\":null,\"fullScopeDetails\":\"Group Default Group in Site Default site of Account Default\",\"fullScopeDetailsPath\":\"/path/test\",\"groupName\":\"Default Group\",\"scopeLevel\":\"Group\",\"scopeName\":\"Default Group\",\"siteName\":\"Default site\",\"system\":true,\"username\":null,\"uuid\":\"fxxxxbx3x4x3xex8xex3x0xxxxx\"},\"description\":null,\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"System initiated a full disk scan to the agent: user-computer-name (81.2.69.144).\",\"secondaryDescription\":null,\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"threatId\":null,\"updatedAt\":\"2022-04-06T08:26:45.579478Z\",\"userId\":null}",
 "type": [
 "info"
 ]
 },
+ "group": {
+ "id": "1234567890123456789",
+ "name": "Default Group"
+ },
 "host": {
 "geo": {
 "city_name": "London",
@@ -1329,10 +1404,12 @@
 ]
 },
 "sentinel_one": {
+ "account": {
+ "name": "Default"
+ },
 "activity": {
 "account": {
- "id": "1234567890123456789",
- "name": "Default"
+ "id": "1234567890123456789"
 },
 "agent": {
 "id": "1234567890123456789"
@@ -1360,12 +1437,12 @@
 "primary": "System initiated a full disk scan to the agent: user-computer-name (81.2.69.144)."
 },
 "id": "1234567890123456789",
- "site": {
- "id": "1234567890123456789",
- "name": "Default site"
- },
 "type": 1234,
 "updated_at": "2022-04-06T08:26:45.579Z"
+ },
+ "site": {
+ "id": "1234567890123456789",
+ "name": "Default site"
 }
 },
 "tags": [
@@ -1387,6 +1464,7 @@ "category": [ "configuration" ], + "id": "1234567890123456789", "kind": "event", "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-05T16:01:56.995120Z\",\"data\":{\"accountId\":1234567890123456789,\"accountName\":\"Default\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"test/path\",\"groupName\":null,\"scopeLevel\":\"Account\",\"scopeName\":\"Default\",\"siteName\":null,\"username\":\"test user\"},\"description\":null,\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"created Default account.\",\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":null,\"updatedAt\":\"2022-04-05T16:01:56.992136Z\",\"userId\":\"1234567890123456789\"}", "type": [ @@ -1400,10 +1478,12 @@ ] }, "sentinel_one": { + "account": { + "name": "Default" + }, "activity": { "account": { - "id": "1234567890123456789", - "name": "Default" + "id": "1234567890123456789" }, "data": { "account": { 
@@ -1444,6 +1524,7 @@ "category": [ "configuration" ], + "id": "1234567890123456789", "kind": "event", "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-06T09:00:33.115424Z\",\"data\":{\"accountName\":\"Default\",\"description\":null,\"fileContentHash\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"test/path\",\"groupName\":null,\"osFamily\":\"linux\",\"scopeLevel\":\"Site\",\"scopeName\":\"Default site\",\"siteName\":\"Default site\",\"username\":\"unknown\"},\"description\":null,\"groupId\":null,\"groupName\":null,\"hash\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"id\":\"1234567890123456789\",\"osFamily\":\"linux\",\"primaryDescription\":\"Cloud added or modified linux blacklist hash.\",\"secondaryDescription\":\"b06930c9809ab5e4cb6659089ac6fcec470c9c16\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"threatId\":null,\"updatedAt\":\"2022-04-06T09:00:33.104735Z\",\"userId\":null}", "type": [ @@ -1482,10 +1563,12 @@ ] }, "sentinel_one": { + "account": { + "name": "Default" + }, "activity": { "account": { - "id": "1234567890123456789", - "name": "Default" + "id": "1234567890123456789" }, "data": { "account": { @@ -1508,12 +1591,12 @@ "secondary": "b06930c9809ab5e4cb6659089ac6fcec470c9c16" }, "id": "1234567890123456789", - "site": { - "id": "1234567890123456789", - "name": "Default site" - }, "type": 1234, "updated_at": "2022-04-06T09:00:33.104Z" + }, + "site": { + "id": "1234567890123456789", + "name": "Default site" } }, "tags": [ 
@@ -1532,6 +1615,7 @@ "category": [ "authentication" ], + "id": "1234567890123456789", "kind": "event", "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-13T03:34:10.933835Z\",\"data\":{\"accountName\":\"Default\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"test/path\",\"groupName\":null,\"ipAddress\":\"81.2.69.143\",\"reason\":null,\"role\":\"Admin\",\"scopeLevel\":\"Account\",\"scopeName\":\"Default\",\"siteName\":null,\"source\":\"src\",\"userScope\":\"account\",\"username\":\"test user\"},\"description\":null,\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"The management user test User logged in to the management console with IP Address 81.2.69.144\",\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":null,\"updatedAt\":\"2022-04-13T03:34:10.931846Z\",\"userId\":\"1234567890123456789\"}", "outcome": "success", @@ -1566,10 +1650,12 @@ ] }, "sentinel_one": { + "account": { + "name": "Default" + }, "activity": { "account": { - "id": "1234567890123456789", - "name": "Default" + "id": "1234567890123456789" }, "data": { "account": { 
@@ -1614,6 +1700,7 @@ "category": [ "configuration" ], + "id": "1234567890123456789", "kind": "event", "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-18T05:09:27.532131Z\",\"data\":{\"accountName\":\"Default\",\"byUser\":\"test user\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"test/path\",\"groupName\":null,\"role\":\"Level\",\"scopeLevel\":\"Account\",\"scopeName\":\"Default\",\"siteName\":null,\"userScope\":\"account\",\"username\":\"test user\"},\"description\":\"\",\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"The management user test User added user test user as Level.\",\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":null,\"updatedAt\":\"2022-04-18T05:09:27.520345Z\",\"userId\":\"1234567890123456789\"}", "type": [ @@ -1627,10 +1714,12 @@ ] }, "sentinel_one": { + "account": { + "name": "Default" + }, "activity": { "account": { - "id": "1234567890123456789", - "name": "Default" + "id": "1234567890123456789" }, "data": { "account": { 
@@ -1676,6 +1765,7 @@ "category": [ "configuration" ], + "id": "1234567890123456789", "kind": "event", "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-18T05:09:27.534319Z\",\"data\":{\"accountName\":\"Default\",\"byUser\":\"test user\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"test/path\",\"groupName\":null,\"role\":\"Level\",\"roleName\":\"Level\",\"scopeLevel\":\"Account\",\"scopeLevelName\":\"Default\",\"scopeName\":\"Default\",\"siteName\":null,\"userScope\":\"account\",\"username\":\"test user\"},\"description\":null,\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"The management user test User added user test user to role Level in scope Default\",\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":null,\"updatedAt\":\"2022-04-18T05:09:27.531568Z\",\"userId\":\"1234567890123456789\"}", "type": [ @@ -1689,10 +1779,12 @@ ] }, "sentinel_one": { + "account": { + "name": "Default" + }, "activity": { "account": { - "id": "1234567890123456789", - "name": "Default" + "id": "1234567890123456789" }, "data": { "account": { 
@@ -1741,6 +1833,7 @@ "category": [ "email" ], + "id": "1234567890123456789", "kind": "event", "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-05T16:11:05.469398Z\",\"data\":{\"accountName\":\"Default\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"test/default\",\"groupName\":null,\"recoveryEmail\":\"user@example.com\",\"role\":\"Admin\",\"scopeLevel\":\"Account\",\"scopeName\":\"Default\",\"siteName\":null,\"userScope\":\"account\",\"username\":\"test User\"},\"description\":null,\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"The management user test sent a Verification Email to the user test.\",\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":null,\"updatedAt\":\"2022-04-05T16:11:05.189394Z\",\"userId\":\"1234567890123456789\"}", "type": [ @@ -1754,10 +1847,12 @@ ] }, "sentinel_one": { + "account": { + "name": "Default" + }, "activity": { "account": { - "id": "1234567890123456789", - "name": "Default" + "id": "1234567890123456789" }, "data": { "account": { 
@@ -1802,6 +1897,7 @@ "category": [ "authentication" ], + "id": "1234567890123456789", "kind": "event", "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-05T16:11:05.469398Z\",\"data\":{\"accountName\":\"Default\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"test/default\",\"groupName\":null,\"recoveryEmail\":\"user@example.com\",\"role\":\"Admin\",\"scopeLevel\":\"Account\",\"scopeName\":\"Default\",\"siteName\":null,\"userScope\":\"account\",\"username\":\"test User\"},\"description\":null,\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"The management user Test failed to log in to the management console with IP Address x.x.x.x.\",\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":null,\"updatedAt\":\"2022-04-05T16:11:05.189394Z\",\"userId\":\"1234567890123456789\"}", "outcome": "failure", @@ -1816,10 +1912,12 @@ ] }, "sentinel_one": { + "account": { + "name": "Default" + }, "activity": { "account": { - "id": "1234567890123456789", - "name": "Default" + "id": "1234567890123456789" }, "data": { "account": { 
@@ -1861,6 +1959,7 @@ "version": "8.11.0" }, "event": { + "id": "1234567890123456789", "kind": "event", "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-05T16:11:05.469398Z\",\"data\":{\"accountName\":\"Default\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"test/default\",\"groupName\":null,\"recoveryEmail\":\"user@example.com\",\"role\":\"Admin\",\"scopeLevel\":\"Account\",\"scopeName\":\"Default\",\"siteName\":null,\"userScope\":\"account\",\"username\":\"test User\"},\"description\":null,\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\": null,\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":null,\"updatedAt\":\"2022-04-05T16:11:05.189394Z\",\"userId\":\"1234567890123456789\"}" }, @@ -1870,10 +1969,12 @@ ] }, "sentinel_one": { + "account": { + "name": "Default" + }, "activity": { "account": { - "id": "1234567890123456789", - "name": "Default" + "id": "1234567890123456789" }, "data": { "account": { 
@@ -1912,6 +2013,7 @@ "version": "8.11.0" }, "event": { + "id": "1234567890123456789", "kind": "event", "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-05T16:11:05.469398Z\",\"data\":{\"accountName\":\"Default\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"test/default\",\"groupName\":null,\"recoveryEmail\":\"user@example.com\",\"role\":\"Admin\",\"scopeLevel\":\"Account\",\"scopeName\":\"Default\",\"siteName\":null,\"userScope\":\"account\",\"username\":\"test User\"},\"description\":null,\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\": null,\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":\"\",\"updatedAt\":\"2022-04-05T16:11:05.189394Z\",\"userId\":\"1234567890123456789\"}" }, @@ -1921,10 +2023,12 @@ ] }, "sentinel_one": { + "account": { + "name": "Default" + }, "activity": { "account": { - "id": "1234567890123456789", - "name": "Default" + "id": "1234567890123456789" }, "data": { "account": { 
@@ -1966,6 +2070,7 @@ "category": [ "malware" ], + "id": "1234567890123456789", "kind": "alert", "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":\"1234567890123456789\",\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-06T08:45:54.532670Z\",\"data\":{\"accountName\":\"Default\",\"computerName\":\"user-computer-name\",\"confidenceLevel\":\"malicious\",\"escapedMaliciousProcessArguments\":null,\"fileContentHash\":\"aaf4c61ddcc5e8a2dabede0f3b482cxxxxxxxxxx\",\"fileDisplayName\":\"default.exe\",\"filePath\":\"\\\\test\\\\default.exe\",\"fullScopeDetails\":\"Group Default Group in Site Default site of Account Default\",\"fullScopeDetailsPath\":\"test/default / Default site / Default Group\",\"groupName\":\"Default Group\",\"siteName\":\"Default site\",\"threatClassification\":\"Trojan\",\"threatClassificationSource\":\"Cloud\",\"username\":null},\"description\":null,\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"Threat with confidence level malicious detected: default.exe\",\"secondaryDescription\":\"6a264eda96e766b41bc14a3c9e99xxxxxxxxxx\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"threatId\":\"1234567890123456789\",\"updatedAt\":\"2022-04-06T08:45:54.527789Z\",\"userId\":null}", "type": [ @@ -1979,6 +2084,10 @@ "name": "default.exe", "path": "\\test\\default.exe" }, + "group": { + "id": "1234567890123456789", + "name": "Default Group" + }, "host": { "id": "1234567890123456789", "name": "user-computer-name" @@ -1993,10 +2102,12 @@ ] }, "sentinel_one": { + "account": { + "name": "Default" + }, "activity": { "account": { - "id": "1234567890123456789", - "name": "Default" + "id": "1234567890123456789" }, "agent": { "id": "1234567890123456789" 
@@ -2015,12 +2126,6 @@ "group_name": "Default Group", "site": { "name": "Default site" - }, - "threat": { - "classification": { - "name": "Trojan", - "source": "Cloud" - } } }, "description": { @@ -2028,15 +2133,19 @@ "secondary": "6a264eda96e766b41bc14a3c9e99xxxxxxxxxx" }, "id": "1234567890123456789", - "site": { - "id": "1234567890123456789", - "name": "Default site" - }, "threat": { "id": "1234567890123456789" }, "type": 1234, "updated_at": "2022-04-06T08:45:54.527Z" + }, + "site": { + "id": "1234567890123456789", + "name": "Default site" + }, + "threat_classification": { + "name": "Trojan", + "source": "Cloud" } }, "tags": [ diff --git a/packages/sentinel_one/data_stream/activity/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/data_stream/activity/elasticsearch/ingest_pipeline/default.yml index 2147a7560e2..6b0f591909c 100644 --- a/packages/sentinel_one/data_stream/activity/elasticsearch/ingest_pipeline/default.yml +++ b/packages/sentinel_one/data_stream/activity/elasticsearch/ingest_pipeline/default.yml @@ -140,10 +140,18 @@ processors: field: json.groupId target_field: user.group.id ignore_missing: true + - set: + field: group.id + copy_from: user.group.id + ignore_empty_value: true - rename: field: json.groupName target_field: user.group.name ignore_missing: true + - set: + field: group.name + copy_from: user.group.name + ignore_empty_value: true - rename: field: json.accountId target_field: sentinel_one.activity.account.id @@ -154,7 +162,7 @@ processors: ignore_missing: true - rename: field: json.accountName - target_field: sentinel_one.activity.account.name + target_field: sentinel_one.account.name ignore_missing: true - rename: field: json.agentId 
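Review bot: The two new `set` processors in the first activity-pipeline hunk copy the SentinelOne management group into `group.id`/`group.name` while the same values stay in `user.group.*`, so one scope identifier now lives in two ECS fields with different meanings. As far as the visible payloads show (`groupName: "Default Group"` next to `username: null`), `groupId`/`groupName` describe the endpoint's management group rather than the acting user's group, which makes `user.group.*` the more questionable mapping of the two. Since 2.0.0 is already declared a breaking release, this is the moment to retarget rather than duplicate, e.g. `- rename: { field: json.groupId, target_field: group.id, ignore_missing: true }`; if `user.group.*` must be kept for existing rules, a comment above the `set` such as `# group.* duplicates user.group.* on purpose: consumers keyed on either must keep working` would save the next maintainer from "fixing" it.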
@@ -193,13 +201,17 @@ processors: field: json.id target_field: sentinel_one.activity.id ignore_missing: true + - set: + field: event.id + copy_from: sentinel_one.activity.id + ignore_empty_value: true - rename: field: json.siteId - target_field: sentinel_one.activity.site.id + target_field: sentinel_one.site.id ignore_missing: true - rename: field: json.siteName - target_field: sentinel_one.activity.site.name + target_field: sentinel_one.site.name ignore_missing: true - rename: field: json.threatId @@ -479,11 +491,11 @@ processors: ignore_missing: true - rename: field: json.data.threatClassification - target_field: sentinel_one.activity.data.threat.classification.name + target_field: sentinel_one.threat_classification.name ignore_missing: true - rename: field: json.data.threatClassificationSource - target_field: sentinel_one.activity.data.threat.classification.source + target_field: sentinel_one.threat_classification.source ignore_missing: true - rename: field: json.data.globalStatus diff --git a/packages/sentinel_one/data_stream/activity/fields/fields.yml b/packages/sentinel_one/data_stream/activity/fields/fields.yml index ed8ad882f8f..1be1186277d 100644 --- a/packages/sentinel_one/data_stream/activity/fields/fields.yml +++ b/packages/sentinel_one/data_stream/activity/fields/fields.yml @@ -7,9 +7,6 @@ - name: id type: keyword description: Related account ID (if applicable). - - name: name - type: keyword - description: Related account name (if applicable). - name: agent type: group fields: @@ -169,9 +166,6 @@ - name: name type: keyword description: Threat classification name. - - name: source - type: keyword - description: Threat classification source. - name: user type: group fields: 
@@ -198,15 +192,6 @@ - name: id type: keyword description: Activity ID. - - name: site - type: group - fields: - - name: id - type: keyword - description: Related site ID (if applicable). - - name: name - type: keyword - description: Related site name (if applicable). - name: threat type: group fields: diff --git a/packages/sentinel_one/data_stream/activity/fields/unified-fields.yml b/packages/sentinel_one/data_stream/activity/fields/unified-fields.yml new file mode 100644 index 00000000000..be3a786c814 --- /dev/null +++ b/packages/sentinel_one/data_stream/activity/fields/unified-fields.yml @@ -0,0 +1,22 @@ +- name: sentinel_one + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + - name: site + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: threat_classification + type: group + fields: + - name: name + type: keyword + - name: source + type: keyword diff --git a/packages/sentinel_one/data_stream/activity/sample_event.json b/packages/sentinel_one/data_stream/activity/sample_event.json index 8fb9d51d190..92a93e2ab2f 100644 --- a/packages/sentinel_one/data_stream/activity/sample_event.json +++ b/packages/sentinel_one/data_stream/activity/sample_event.json 
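Review bot: The new `unified-fields.yml` declares `sentinel_one.account.name`, `sentinel_one.site.*` and `sentinel_one.threat_classification.*` without any `description`, whereas every entry it replaces in `fields.yml` carried one (e.g. `Related site ID (if applicable).`). Because these fields are now shared across data streams, the description is also the right place to state that contract, e.g. `description: SentinelOne site ID the record belongs to; same meaning in every sentinel_one data stream.` and `description: Source of the threat classification (for example Static or Cloud).` The agent and alert `unified-fields.yml` hunks further down appear to have the same gap.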
@@ -1,33 +1,34 @@ { "@timestamp": "2022-04-19T05:14:08.925Z", "agent": { - "ephemeral_id": "10175f71-9c3d-43ea-9326-e2c1fbfed4fa", - "id": "9b7ecf1c-5873-4d71-b82a-5ef8d4ac574e", - "name": "elastic-agent-48880", + "ephemeral_id": "e6b8b354-ed66-48eb-8516-c576417e273c", + "id": "7097c76d-ffaf-4c65-9da9-8da760e67c8a", + "name": "elastic-agent-98755", "type": "filebeat", - "version": "8.18.7" + "version": "8.19.7" }, "data_stream": { "dataset": "sentinel_one.activity", - "namespace": "26410", + "namespace": "86823", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "9b7ecf1c-5873-4d71-b82a-5ef8d4ac574e", - "snapshot": false, - "version": "8.18.7" + "id": "7097c76d-ffaf-4c65-9da9-8da760e67c8a", + "snapshot": true, + "version": "8.19.7" }, "event": { "agent_id_status": "verified", "category": [ "configuration" ], - "created": "2025-09-22T11:35:05.641Z", + "created": "2025-11-19T10:35:41.122Z", "dataset": "sentinel_one.activity", - "ingested": "2025-09-22T11:35:08Z", + "id": "1234567890123456789", + "ingested": "2025-11-19T10:35:44Z", "kind": "event", "original": "{\"accountId\":\"3214567890123456789\",\"accountName\":\"Default12\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":\"True\",\"createdAt\":\"2022-04-19T05:14:08.925421Z\",\"data\":{\"accountName\":\"Default\",\"byUser\":\"API\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"test/default\",\"groupName\":null,\"newValue\":true,\"role\":\"Level\",\"scopeLevel\":\"Account\",\"scopeName\":\"Default\",\"siteName\":null,\"userScope\":\"account\",\"username\":\"API\"},\"description\":\"API\",\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"The management user API enabled Two factor authentication on the user 
API.\",\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":null,\"updatedAt\":\"2022-04-18T05:14:08.922553Z\",\"userId\":\"1234567890123456789\"}", "type": [ @@ -44,10 +45,12 @@ ] }, "sentinel_one": { + "account": { + "name": "Default12" + }, "activity": { "account": { - "id": "3214567890123456789", - "name": "Default12" + "id": "3214567890123456789" }, "comments": "True", "data": { diff --git a/packages/sentinel_one/data_stream/agent/_dev/test/pipeline/test-pipeline-agent.log-expected.json b/packages/sentinel_one/data_stream/agent/_dev/test/pipeline/test-pipeline-agent.log-expected.json index d5cfe5456fb..6326d51598f 100644 --- a/packages/sentinel_one/data_stream/agent/_dev/test/pipeline/test-pipeline-agent.log-expected.json +++ b/packages/sentinel_one/data_stream/agent/_dev/test/pipeline/test-pipeline-agent.log-expected.json 
@@ -9,6 +9,7 @@ "category": [ "host" ], + "id": "13491234512345", "kind": "event", "original": "{\"accountId\":\"12345123451234512345\",\"accountName\":\"Account Name\",\"activeDirectory\":{\"computerDistinguishedName\":null,\"computerMemberOf\":[],\"lastUserDistinguishedName\":null,\"lastUserMemberOf\":[]},\"activeThreats\":7,\"agentVersion\":\"12.x.x.x\",\"allowRemoteShell\":true,\"appsVulnerabilityStatus\":\"not_applicable\",\"cloudProviders\":{},\"computerName\":\"user-test\",\"consoleMigrationStatus\":\"N/A\",\"coreCount\":2,\"missingPermissions\":[\"user-action-needed-bluetooth-per\",\"user_action_needed_fda\"],\"cpuCount\":2,\"cpuId\":\"CPU Name\",\"createdAt\":\"2022-03-18T09:12:00.519500Z\",\"detectionState\":null,\"domain\":\"WORKGROUP\",\"encryptedApplications\":false,\"externalId\":\"\",\"externalIp\":\"81.2.69.143\",\"firewallEnabled\":true,\"firstFullModeTime\":null,\"groupId\":\"1234567890123456789\",\"groupIp\":\"81.2.69.144\",\"groupName\":\"Default Group\",\"id\":\"13491234512345\",\"inRemoteShellSession\":false,\"infected\":true,\"installerType\":\".msi\",\"isActive\":true,\"isDecommissioned\":false,\"isPendingUninstall\":false,\"isUninstalled\":false,\"isUpToDate\":true,\"lastActiveDate\":\"2022-03-17T09:51:28.506000Z\",\"lastIpToMgmt\":\"81.2.69.145\",\"lastLoggedInUserName\":\"\",\"licenseKey\":\"\",\"locationEnabled\":true,\"locationType\":\"not_applicable\",\"locations\":null,\"machineType\":\"server\",\"mitigationMode\":\"detect\",\"mitigationModeSuspicious\":\"detect\",\"modelName\":\"Compute Engine\",\"networkInterfaces\":[{\"gatewayIp\":\"81.2.69.145\",\"gatewayMacAddress\":\"00-00-5E-00-53-00\",\"id\":\"1234567890123456789\",\"inet\":[\"81.2.69.144\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"00-00-5E-00-53-00\"}],\"networkQuarantineEnabled\":false,\"networkStatus\":\"connected\",\"operationalState\":\"na\",\"operationalStateExpiration\":null,\"osArch\":\"64 bit\",\"osName\":\"Linux 
Server\",\"osRevision\":\"1234\",\"osStartTime\":\"2022-04-06T08:27:14Z\",\"osType\":\"linux\",\"osUsername\":null,\"rangerStatus\":\"Enabled\",\"rangerVersion\":\"21.x.x.x\",\"registeredAt\":\"2022-04-06T08:26:45.515278Z\",\"remoteProfilingState\":\"disabled\",\"remoteProfilingStateExpiration\":null,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"storageName\":null,\"storageType\":null,\"tags\":{\"sentinelone\":[{\"assignedBy\":\"test-user\",\"assignedAt\":\"2018-02-27T04:49:26.257525Z\",\"key\":\"key123\",\"assignedById\":\"123456789012345678\",\"id\":\"123456789012345678\",\"value\":\"value123\"}]},\"threatRebootRequired\":false,\"totalMemory\":1234,\"updatedAt\":\"2022-04-07T08:31:47.481227Z\",\"userActionsNeeded\":[\"reboot_needed\"],\"uuid\":\"XXX35XXX8Xfb4aX0X1X8X12X343X8X30\"}", "type": [ @@ -20,6 +21,7 @@ "name": "Default Group" }, "host": { + "architecture": "64 bit", "domain": "WORKGROUP", "geo": { "city_name": "London", @@ -63,10 +65,12 @@ ] }, "sentinel_one": { + "account": { + "name": "Account Name" + }, "agent": { "account": { - "id": "12345123451234512345", - "name": "Account Name" + "id": "12345123451234512345" }, "active_threats_count": 7, "agent": { @@ -146,10 +150,6 @@ "started_at": "2022-04-06T08:26:52.838Z", "status": "finished" }, - "site": { - "id": "1234567890123456789", - "name": "Default site" - }, "tags": [ { "assigned_at": "2018-02-27T04:49:26.257Z", @@ -166,6 +166,10 @@ "reboot_needed" ], "uuid": "XXX35XXX8Xfb4aX0X1X8X12X343X8X30" + }, + "site": { + "id": "1234567890123456789", + "name": "Default site" } }, "tags": [ diff --git a/packages/sentinel_one/data_stream/agent/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/data_stream/agent/elasticsearch/ingest_pipeline/default.yml index 4a55b27aaca..be9d961eae3 100644 
--- a/packages/sentinel_one/data_stream/agent/elasticsearch/ingest_pipeline/default.yml +++ b/packages/sentinel_one/data_stream/agent/elasticsearch/ingest_pipeline/default.yml @@ -48,7 +48,7 @@ processors: ignore_missing: true - rename: field: json.accountName - target_field: sentinel_one.agent.account.name + target_field: sentinel_one.account.name ignore_missing: true - rename: field: json.activeDirectory.computerDistinguishedName @@ -272,6 +272,10 @@ processors: field: json.id target_field: sentinel_one.agent.agent.id ignore_missing: true + - set: + field: event.id + copy_from: sentinel_one.agent.agent.id + ignore_empty_value: true - set: field: host.id copy_from: sentinel_one.agent.agent.id @@ -611,6 +615,10 @@ processors: field: json.osArch target_field: sentinel_one.agent.os.arch ignore_missing: true + - set: + field: host.architecture + copy_from: sentinel_one.agent.os.arch + ignore_empty_value: true - rename: field: json.osName target_field: host.os.name @@ -734,11 +742,11 @@ processors: ignore_missing: true - rename: field: json.siteId - target_field: sentinel_one.agent.site.id + target_field: sentinel_one.site.id ignore_missing: true - rename: field: json.siteName - target_field: sentinel_one.agent.site.name + target_field: sentinel_one.site.name ignore_missing: true - rename: field: json.storageName diff --git a/packages/sentinel_one/data_stream/agent/fields/fields.yml b/packages/sentinel_one/data_stream/agent/fields/fields.yml index 0851dde6a78..7017097294d 100644 --- a/packages/sentinel_one/data_stream/agent/fields/fields.yml +++ b/packages/sentinel_one/data_stream/agent/fields/fields.yml @@ -7,9 +7,6 @@ - name: id type: keyword description: A reference to the containing account. - - name: name - type: keyword - description: Name of the containing account. - name: active_directory type: group fields: 
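Review bot: The `set event.id copy_from sentinel_one.agent.agent.id` in the second hunk assigns a stable per-agent identifier, not a per-event one, so every document emitted for the same endpoint will carry the same `event.id` (the fixture in this diff shows it equal to the agent's own `id`, `13491234512345`). If this data stream is a periodic inventory snapshot, as `updatedAt`/`lastActiveDate`/`scanStatus` in the payload suggest, any consumer that deduplicates or suppresses on `event.id` would collapse successive snapshots of one host into a single event. Unless that entity semantics is exactly the intent, I would drop this `set` (`host.id` already receives the agent id a few lines below) or record the choice with `# event.id is the agent id: successive polls of the same agent are deliberately treated as one event`.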
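Review bot: `host.architecture` is populated from `osArch`, which in both fixtures touched by this diff is the bitness string `64 bit` rather than an ISA name, so the field will never match the `x86_64`/`arm64`-style values other integrations write and a rule keyed on `host.architecture` will silently skip these hosts. The raw value is already preserved in `sentinel_one.agent.os.arch`, so the copy adds no information while mixing vocabularies in an ECS field. I would remove the `set`, or if ECS coverage is the goal, gate it on the value actually looking like an architecture, e.g. `if: ctx.sentinel_one?.agent?.os?.arch != null && !ctx.sentinel_one.agent.os.arch.endsWith(' bit')`, and say so in a comment above the processor.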
@@ -269,15 +266,6 @@ - name: status type: keyword description: Last scan status. - - name: site - type: group - fields: - - name: id - type: keyword - description: A reference to the containing site. - - name: name - type: keyword - description: Name of the containing site. - name: storage type: group fields: diff --git a/packages/sentinel_one/data_stream/agent/fields/unified-fields.yml b/packages/sentinel_one/data_stream/agent/fields/unified-fields.yml new file mode 100644 index 00000000000..08ea203e608 --- /dev/null +++ b/packages/sentinel_one/data_stream/agent/fields/unified-fields.yml @@ -0,0 +1,15 @@ +- name: sentinel_one + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + - name: site + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword diff --git a/packages/sentinel_one/data_stream/agent/sample_event.json b/packages/sentinel_one/data_stream/agent/sample_event.json index 47467ea2728..335e69b7d76 100644 --- a/packages/sentinel_one/data_stream/agent/sample_event.json +++ b/packages/sentinel_one/data_stream/agent/sample_event.json 
@@ -1,33 +1,34 @@ { "@timestamp": "2022-04-07T08:31:47.481Z", "agent": { - "ephemeral_id": "e30ba73f-f169-4f6a-868b-79481d37c732", - "id": "e8901d6d-1c15-41f6-acf8-046dbbd754ce", - "name": "elastic-agent-22310", + "ephemeral_id": "d113dedc-4d4c-4edf-902c-01cfbebee496", + "id": "f4af1d66-97e4-4128-81ef-620bd2b06381", + "name": "elastic-agent-49562", "type": "filebeat", - "version": "8.18.7" + "version": "8.19.7" }, "data_stream": { "dataset": "sentinel_one.agent", - "namespace": "13010", + "namespace": "33892", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "e8901d6d-1c15-41f6-acf8-046dbbd754ce", - "snapshot": false, - "version": "8.18.7" + "id": "f4af1d66-97e4-4128-81ef-620bd2b06381", + "snapshot": true, + "version": "8.19.7" }, "event": { "agent_id_status": "verified", "category": [ "host" ], - "created": "2025-09-22T11:35:56.007Z", + "created": "2025-11-19T10:36:49.199Z", "dataset": "sentinel_one.agent", - "ingested": "2025-09-22T11:35:59Z", + "id": "13491234512345", + "ingested": "2025-11-19T10:36:52Z", "kind": "event", "original": "{\"accountId\":\"892341123451234512345\",\"accountName\":\"ABC\",\"activeDirectory\":{\"computerDistinguishedName\":null,\"computerMemberOf\":[],\"lastUserDistinguishedName\":null,\"lastUserMemberOf\":[]},\"activeThreats\":7,\"agentVersion\":\"12.x.x.x\",\"allowRemoteShell\":true,\"appsVulnerabilityStatus\":\"not_applicable\",\"cloudProviders\":{},\"computerName\":\"user-test\",\"consoleMigrationStatus\":\"N/A\",\"coreCount\":2,\"cpuCount\":2,\"cpuId\":\"CPU Name\",\"createdAt\":\"2022-03-18T09:12:00.519500Z\",\"detectionState\":null,\"domain\":\"WORKGROUP\",\"encryptedApplications\":false,\"externalId\":\"\",\"externalIp\":\"81.2.69.143\",\"firewallEnabled\":true,\"firstFullModeTime\":null,\"groupId\":\"1234567890123456789\",\"groupIp\":\"81.2.69.144\",\"groupName\":\"Default 
Group\",\"id\":\"13491234512345\",\"inRemoteShellSession\":false,\"infected\":true,\"installerType\":\".msi\",\"isActive\":true,\"isDecommissioned\":false,\"isPendingUninstall\":false,\"isUninstalled\":false,\"isUpToDate\":true,\"lastActiveDate\":\"2022-03-17T09:51:28.506000Z\",\"lastIpToMgmt\":\"81.2.69.145\",\"lastLoggedInUserName\":\"\",\"licenseKey\":\"\",\"locationEnabled\":true,\"locationType\":\"not_applicable\",\"locations\":null,\"machineType\":\"server\",\"missingPermissions\":[\"user-action-needed-bluetooth-per\",\"user_action_needed_fda\"],\"mitigationMode\":\"detect\",\"mitigationModeSuspicious\":\"detect\",\"modelName\":\"Compute Engine\",\"networkInterfaces\":[{\"gatewayIp\":\"81.2.69.145\",\"gatewayMacAddress\":\"00-00-5E-00-53-00\",\"id\":\"1234567890123456789\",\"inet\":[\"81.2.69.144\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"00-00-5E-00-53-00\"}],\"networkQuarantineEnabled\":false,\"networkStatus\":\"connected\",\"operationalState\":\"na\",\"operationalStateExpiration\":null,\"osArch\":\"64 bit\",\"osName\":\"Linux Server\",\"osRevision\":\"1234\",\"osStartTime\":\"2022-04-06T08:27:14Z\",\"osType\":\"linux\",\"osUsername\":null,\"rangerStatus\":\"Enabled\",\"rangerVersion\":\"21.x.x.x\",\"registeredAt\":\"2022-04-06T08:26:45.515278Z\",\"remoteProfilingState\":\"disabled\",\"remoteProfilingStateExpiration\":null,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default 
site\",\"storageName\":null,\"storageType\":null,\"tags\":{\"sentinelone\":[{\"assignedAt\":\"2018-02-27T04:49:26.257525Z\",\"assignedBy\":\"test-user\",\"assignedById\":\"123456789012345678\",\"id\":\"123456789012345678\",\"key\":\"key123\",\"value\":\"value123\"}]},\"threatRebootRequired\":false,\"totalMemory\":1234,\"updatedAt\":\"2022-04-07T08:31:47.481227Z\",\"userActionsNeeded\":[\"reboot_needed\"],\"uuid\":\"XXX35XXX8Xfb4aX0X1X8X12X343X8X30\"}", "type": [ @@ -39,6 +40,7 @@ "name": "Default Group" }, "host": { + "architecture": "64 bit", "domain": "WORKGROUP", "geo": { "city_name": "London", @@ -85,10 +87,12 @@ ] }, "sentinel_one": { + "account": { + "name": "ABC" + }, "agent": { "account": { - "id": "892341123451234512345", - "name": "ABC" + "id": "892341123451234512345" }, "active_threats_count": 7, "agent": { @@ -168,10 +172,6 @@ "started_at": "2022-04-06T08:26:52.838Z", "status": "finished" }, - "site": { - "id": "1234567890123456789", - "name": "Default site" - }, "tags": [ { "assigned_at": "2018-02-27T04:49:26.257Z", @@ -188,6 +188,10 @@ "reboot_needed" ], "uuid": "XXX35XXX8Xfb4aX0X1X8X12X343X8X30" + }, + "site": { + "id": "1234567890123456789", + "name": "Default site" } }, "tags": [ diff --git a/packages/sentinel_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log-expected.json b/packages/sentinel_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log-expected.json index 6a81c8a496e..6ae5a5463be 100644 --- a/packages/sentinel_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log-expected.json +++ b/packages/sentinel_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log-expected.json @@ -41,7 +41,8 @@ }, "file": { "created": "2018-02-27T04:49:26.257Z", - "mtime": "2018-02-27T04:49:26.257Z" + "mtime": "2018-02-27T04:49:26.257Z", + "path": "string" }, "host": { "ip": [ 
@@ -134,9 +135,6 @@ }, "sentinel_one": { "alert": { - "agent": { - "site_id": "123456789123456789" - }, "analyst_verdict": "string", "container": { "info": { @@ -237,6 +235,9 @@ "start_time": "2018-02-27T04:49:26.257Z" } } + }, + "site": { + "id": "123456789123456789" } }, "source": { @@ -354,8 +355,7 @@ "machine_type": "server", "os": { "type": "windows" - }, - "site_id": "1402053568582768389" + } }, "analyst_verdict": "Undefined", "dv_event": { @@ -404,6 +404,9 @@ "start_time": "2024-07-03T03:43:24.318Z" } } + }, + "site": { + "id": "1402053568582768389" } }, "tags": [ @@ -513,8 +516,7 @@ "machine_type": "server", "os": { "type": "windows" - }, - "site_id": "1402053568582768389" + } }, "analyst_verdict": "Undefined", "dv_event": { @@ -563,6 +565,9 @@ "start_time": "2024-07-03T03:43:28.330Z" } } + }, + "site": { + "id": "1402053568582768389" } }, "tags": [ diff --git a/packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml index 900b9c04ab8..67c2846f93d 100644 --- a/packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml +++ b/packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml @@ -69,7 +69,7 @@ processors: ignore_missing: true - rename: field: json.agentDetectionInfo.siteId - target_field: sentinel_one.alert.agent.site_id + target_field: sentinel_one.site.id ignore_missing: true - rename: field: json.agentDetectionInfo.uuid @@ -807,6 +807,10 @@ processors: field: json.targetProcessInfo.tgtFilePath target_field: sentinel_one.alert.target.process.file.path ignore_missing: true + - set: + field: file.path + copy_from: sentinel_one.alert.target.process.file.path + ignore_empty_value: true - remove: field: json - script: diff --git a/packages/sentinel_one/data_stream/alert/fields/fields.yml b/packages/sentinel_one/data_stream/alert/fields/fields.yml index 96d0375dd2e..09cf60b3b32 100644 
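Review bot: The `file.path` set in the `@@ -807` hunk promotes only the target-process path, while the same alert record (see the `original` string in the alert sample event further down this page) also carries `sourceProcessInfo.filePath` and `sourceParentProcessInfo.filePath`, and nothing in the hunk records why the target path is the one that lands in the ECS field. A `description:` on the processor, e.g. `description: ECS file.path is taken from the target-process file path (targetProcessInfo.tgtFilePath).`, would make the choice explicit for anyone building detections on `file.path`. The processor also has no `tag`, though the neighbouring rename processors in this pipeline do not use tags either, so that is consistent with the file.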
--- a/packages/sentinel_one/data_stream/alert/fields/fields.yml
+++ b/packages/sentinel_one/data_stream/alert/fields/fields.yml
@@ -4,9 +4,6 @@
 - name: agent
 type: group
 fields:
- - name: site_id
- type: keyword
- description: Site id.
 - name: id
 type: keyword
 description: Agent ID.
diff --git a/packages/sentinel_one/data_stream/alert/fields/unified-fields.yml b/packages/sentinel_one/data_stream/alert/fields/unified-fields.yml
new file mode 100644
index 00000000000..1d18980a00e
--- /dev/null
+++ b/packages/sentinel_one/data_stream/alert/fields/unified-fields.yml
@@ -0,0 +1,8 @@
+- name: sentinel_one
+ type: group
+ fields:
+ - name: site
+ type: group
+ fields:
+ - name: id
+ type: keyword
diff --git a/packages/sentinel_one/data_stream/alert/sample_event.json b/packages/sentinel_one/data_stream/alert/sample_event.json
index f5ea7155846..e0e863379d8 100644
--- a/packages/sentinel_one/data_stream/alert/sample_event.json
+++ b/packages/sentinel_one/data_stream/alert/sample_event.json
@@ -1,11 +1,11 @@
 {
 "@timestamp": "2018-02-27T04:49:26.257Z",
 "agent": {
- "ephemeral_id": "08bbc60c-bcdb-4947-b58b-db2a8b01a1fc",
- "id": "18481dc1-1b98-402b-ac39-57dc51f6d92e",
- "name": "elastic-agent-93569",
+ "ephemeral_id": "38d6bc5f-ee5a-4d20-9152-5a802c430eeb",
+ "id": "9f44ff99-cec0-4435-b939-8f2066427cc8",
+ "name": "elastic-agent-81341",
 "type": "filebeat",
- "version": "8.18.7"
+ "version": "8.19.7"
 },
 "container": {
 "id": "string",
@@ -16,7 +16,7 @@
 },
 "data_stream": {
 "dataset": "sentinel_one.alert",
- "namespace": "33685",
+ "namespace": "52488",
 "type": "logs"
 },
 "destination": {
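Review bot: The new `unified-fields.yml` declares `sentinel_one.site.id` without a `description`, while the field it replaces (`sentinel_one.alert.agent.site_id`, removed in the hunk just above) carried `description: Site id.`; the same gap exists in the new unified-fields files for the application and group data streams further down this page. These files generate the integration's field reference, so add e.g. `description: SentinelOne site ID.` to `id` here, and matching descriptions for the `account.name` and `site.name` entries in the other two files.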
@@ -38,19 +38,19 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "18481dc1-1b98-402b-ac39-57dc51f6d92e", - "snapshot": false, - "version": "8.18.7" + "id": "9f44ff99-cec0-4435-b939-8f2066427cc8", + "snapshot": true, + "version": "8.19.7" }, "event": { "agent_id_status": "verified", "category": [ "malware" ], - "created": "2025-09-22T11:51:54.640Z", + "created": "2025-11-19T10:37:39.901Z", "dataset": "sentinel_one.alert", "id": "888456789123456789", - "ingested": "2025-09-22T11:51:57Z", + "ingested": "2025-11-19T10:37:42Z", "kind": "event", "original": "{\"agentDetectionInfo\":{\"machineType\":\"string\",\"name\":\"string\",\"osFamily\":\"string\",\"osName\":\"string\",\"osRevision\":\"string\",\"siteId\":\"123456789123456789\",\"uuid\":\"string\",\"version\":\"3.x.x.x\"},\"alertInfo\":{\"alertId\":\"888456789123456789\",\"analystVerdict\":\"string\",\"createdAt\":\"2018-02-27T04:49:26.257525Z\",\"dnsRequest\":\"string\",\"dnsResponse\":\"string\",\"dstIp\":\"81.2.69.144\",\"dstPort\":\"1234\",\"dvEventId\":\"string\",\"eventType\":\"info\",\"hitType\":\"Events\",\"incidentStatus\":\"open\",\"indicatorCategory\":\"string\",\"indicatorDescription\":\"string\",\"indicatorName\":\"string\",\"loginAccountDomain\":\"string\",\"loginAccountSid\":\"string\",\"loginIsAdministratorEquivalent\":\"string\",\"loginIsSuccessful\":\"string\",\"loginType\":\"login\",\"loginsUserName\":\"string\",\"modulePath\":\"string\",\"moduleSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"netEventDirection\":\"string\",\"registryKeyPath\":\"string\",\"registryOldValue\":\"string\",\"registryOldValueType\":\"string\",\"registryPath\":\"string\",\"registryValue\":\"string\",\"reportedAt\":\"2018-02-27T04:49:26.257525Z\",\"source\":\"string\",\"srcIp\":\"81.2.69.142\",\"srcMachineIp\":\"81.2.69.142\",\"srcPort\":\"1234\",\"tiIndicatorComparisonMethod\":\"string\",\"tiIndicatorSource\":\"string\",\"tiIndicatorType\":\"string\",\"tiIndicatorValue\":\"string\",\"updatedAt\":\"2018-02-27T04
:49:26.257525Z\"},\"containerInfo\":{\"id\":\"string\",\"image\":\"string\",\"labels\":\"string\",\"name\":\"string\"},\"kubernetesInfo\":{\"cluster\":\"string\",\"controllerKind\":\"string\",\"controllerLabels\":\"string\",\"controllerName\":\"string\",\"namespace\":\"string\",\"namespaceLabels\":\"string\",\"node\":\"string\",\"pod\":\"string\",\"podLabels\":\"string\"},\"ruleInfo\":{\"description\":\"string\",\"id\":\"string\",\"name\":\"string\",\"scopeLevel\":\"string\",\"severity\":\"Low\",\"treatAsThreat\":\"UNDEFINED\"},\"sourceParentProcessInfo\":{\"commandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"sourceProcessInfo\":{\"commandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"targetProcessInfo\":{\"tgtFileCreatedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"tgtFileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"tgtFileId\":\"string\",\"tgtFileIsSigned\":\"string\",\"tgtFileModifiedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileOldPath\":\"string\",\"tgtFilePath\":\"string\",\"tgtProcCm
dLine\":\"string\",\"tgtProcImagePath\":\"string\",\"tgtProcIntegrityLevel\":\"unknown\",\"tgtProcName\":\"string\",\"tgtProcPid\":\"12345\",\"tgtProcSignedStatus\":\"string\",\"tgtProcStorylineId\":\"string\",\"tgtProcUid\":\"string\",\"tgtProcessStartTime\":\"2018-02-27T04:49:26.257525Z\"}}", "severity": 21, @@ -60,7 +60,8 @@ }, "file": { "created": "2018-02-27T04:49:26.257Z", - "mtime": "2018-02-27T04:49:26.257Z" + "mtime": "2018-02-27T04:49:26.257Z", + "path": "string" }, "host": { "ip": [ @@ -155,9 +156,6 @@ }, "sentinel_one": { "alert": { - "agent": { - "site_id": "123456789123456789" - }, "analyst_verdict": "string", "container": { "info": { @@ -258,6 +256,9 @@ "start_time": "2018-02-27T04:49:26.257Z" } } + }, + "site": { + "id": "123456789123456789" } }, "source": { diff --git a/packages/sentinel_one/data_stream/application/_dev/test/pipeline/test-pipeline-application.log-expected.json b/packages/sentinel_one/data_stream/application/_dev/test/pipeline/test-pipeline-application.log-expected.json index 524e3805611..d1a49718b76 100644 --- a/packages/sentinel_one/data_stream/application/_dev/test/pipeline/test-pipeline-application.log-expected.json +++ b/packages/sentinel_one/data_stream/application/_dev/test/pipeline/test-pipeline-application.log-expected.json 
@@ -8,13 +8,19 @@ "category": [ "package" ], + "id": "2228104980080385459", "kind": "event", "original": "{\"accountName\":\"Elastic\",\"applicationInstallationDate\":\"2023-04-28T07:15:57Z\",\"applicationInstallationPath\":null,\"applicationName\":\"7-Zip\",\"coreCount\":4,\"cpe\":\"cpe:2.3:a:7-zip:7-zip:22.1:*:*:*:*:*:*:*\",\"cpuCount\":2,\"detectionDate\":\"2025-06-02T04:46:51.710561Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"DESKTOP-R1E2DQ2\",\"endpointType\":\"desktop\",\"endpointUuid\":\"187d5f3c7af341079041baeb9f88a511\",\"fileSize\":5601,\"groupName\":\"Default Group\",\"id\":\"2228104980080385459\",\"osArch\":\"64 bit\",\"osName\":\"Windows 10 Pro\",\"osType\":\"windows\",\"osVersion\":\"Windows 10 Pro 19044\",\"siteName\":\"Default site\",\"version\":\"22.01\"}", "type": [ "info" ] }, + "group": { + "name": "Default Group" + }, "host": { + "architecture": "64 bit", + "id": "2162143406517023959", "name": "DESKTOP-R1E2DQ2", "os": { "full": "Windows 10 Pro 19044", @@ -35,8 +41,10 @@ ] }, "sentinel_one": { + "account": { + "name": "Elastic" + }, "application": { - "account_name": "Elastic", "application_installation_date": "2023-04-28T07:15:57.000Z", "application_name": "7-Zip", "core_count": 4, @@ -54,8 +62,10 @@ "os_name": "Windows 10 Pro", "os_type": "windows", "os_version": "Windows 10 Pro 19044", - "site_name": "Default site", "version": "22.01" + }, + "site": { + "name": "Default site" } }, "tags": [ 
@@ -70,13 +80,19 @@ "category": [ "package" ], + "id": "2228104980315266498", "kind": "event", "original": "{\"accountName\":\"Elastic\",\"applicationInstallationDate\":\"2023-04-19T18:30:00Z\",\"applicationInstallationPath\":null,\"applicationName\":\"Brave\",\"coreCount\":4,\"cpe\":\"cpe:2.3:a:brave:brave:112.1.50.121:*:*:*:*:*:*:*\",\"cpuCount\":2,\"detectionDate\":\"2025-06-02T04:46:51.710582Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"DESKTOP-R1E2DQ2\",\"endpointType\":\"desktop\",\"endpointUuid\":\"187d5f3c7af341079041baeb9f88a511\",\"fileSize\":null,\"groupName\":\"Default Group\",\"id\":\"2228104980315266498\",\"osArch\":\"64 bit\",\"osName\":\"Windows 10 Pro\",\"osType\":\"windows\",\"osVersion\":\"Windows 10 Pro 19044\",\"siteName\":\"Default site\",\"version\":\"112.1.50.121\"}", "type": [ "info" ] }, + "group": { + "name": "Default Group" + }, "host": { + "architecture": "64 bit", + "id": "2162143406517023959", "name": "DESKTOP-R1E2DQ2", "os": { "full": "Windows 10 Pro 19044", @@ -96,8 +112,10 @@ ] }, "sentinel_one": { + "account": { + "name": "Elastic" + }, "application": { - "account_name": "Elastic", "application_installation_date": "2023-04-19T18:30:00.000Z", "application_name": "Brave", "core_count": 4, @@ -114,8 +132,10 @@ "os_name": "Windows 10 Pro", "os_type": "windows", "os_version": "Windows 10 Pro 19044", - "site_name": "Default site", "version": "112.1.50.121" + }, + "site": { + "name": "Default site" } }, "tags": [ 
@@ -130,13 +150,19 @@ "category": [ "package" ], + "id": "2218357748550497214", "kind": "event", "original": "{\"accountName\":\"Elastic\",\"applicationInstallationDate\":\"2025-03-13T10:45:01Z\",\"applicationInstallationPath\":null,\"applicationName\":\"Elastic Agent\",\"coreCount\":2,\"cpe\":\"cpe:2.3:a:elastic:elastic_agent:8.17.3:*:*:*:*:*:*:*\",\"cpuCount\":1,\"detectionDate\":\"2025-05-19T18:00:51.166610Z\",\"endpointId\":\"2169705024028266268\",\"endpointName\":\"srv-win-defend-03\",\"endpointType\":\"server\",\"endpointUuid\":\"eb655be8be894dae97711ebb9a9091ae\",\"fileSize\":517364,\"groupName\":\"Default Group\",\"id\":\"2218357748550497214\",\"osArch\":\"64 bit\",\"osName\":\"Windows Server 2022 Datacenter\",\"osType\":\"windows\",\"osVersion\":\"Windows Server 2022 Datacenter 20348\",\"siteName\":\"Default site\",\"version\":\"8.17.3\"}", "type": [ "info" ] }, + "group": { + "name": "Default Group" + }, "host": { + "architecture": "64 bit", + "id": "2169705024028266268", "name": "srv-win-defend-03", "os": { "full": "Windows Server 2022 Datacenter 20348", @@ -157,8 +183,10 @@ ] }, "sentinel_one": { + "account": { + "name": "Elastic" + }, "application": { - "account_name": "Elastic", "application_installation_date": "2025-03-13T10:45:01.000Z", "application_name": "Elastic Agent", "core_count": 2, @@ -176,8 +204,10 @@ "os_name": "Windows Server 2022 Datacenter", "os_type": "windows", "os_version": "Windows Server 2022 Datacenter 20348", - "site_name": "Default site", "version": "8.17.3" + }, + "site": { + "name": "Default site" } }, "tags": [ diff --git a/packages/sentinel_one/data_stream/application/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/data_stream/application/elasticsearch/ingest_pipeline/default.yml index 00ee8d914cf..5544e3b2e77 100644 --- a/packages/sentinel_one/data_stream/application/elasticsearch/ingest_pipeline/default.yml +++ b/packages/sentinel_one/data_stream/application/elasticsearch/ingest_pipeline/default.yml 
@@ -55,7 +55,7 @@ processors: - rename: field: json.accountName tag: rename_accountName - target_field: sentinel_one.application.account_name + target_field: sentinel_one.account.name ignore_missing: true - date: field: json.applicationInstallationDate @@ -144,6 +144,11 @@ processors: tag: rename_endpointId target_field: sentinel_one.application.endpoint_id ignore_missing: true + - set: + field: host.id + tag: set_host_name_from_application_endpoint_id + copy_from: sentinel_one.application.endpoint_id + ignore_empty_value: true - rename: field: json.endpointName tag: rename_endpointName @@ -215,16 +220,30 @@ processors: tag: rename_groupName target_field: sentinel_one.application.group_name ignore_missing: true + - set: + field: group.name + tag: set_group_name + copy_from: sentinel_one.application.group_name + ignore_empty_value: true - rename: field: json.id tag: rename_id target_field: sentinel_one.application.id ignore_missing: true + - set: + field: event.id + copy_from: sentinel_one.application.id + ignore_empty_value: true - rename: field: json.osArch tag: rename_osArch target_field: sentinel_one.application.os_arch ignore_missing: true + - set: + field: host.architecture + tag: set_host_architecture + copy_from: sentinel_one.application.os_arch + ignore_empty_value: true - rename: field: json.osName tag: rename_osName @@ -258,7 +277,7 @@ processors: - rename: field: json.siteName tag: rename_siteName - target_field: sentinel_one.application.site_name + target_field: sentinel_one.site.name ignore_missing: true - rename: field: json.version diff --git a/packages/sentinel_one/data_stream/application/fields/fields.yml b/packages/sentinel_one/data_stream/application/fields/fields.yml index 0b1750f3796..33ea32c3bb7 100644 --- a/packages/sentinel_one/data_stream/application/fields/fields.yml +++ b/packages/sentinel_one/data_stream/application/fields/fields.yml 
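Review bot: The `host.id` set processor in the `@@ -144` hunk carries `tag: set_host_name_from_application_endpoint_id`, which names the wrong field; it should read `tag: set_host_id_from_application_endpoint_id`, since tags surface in pipeline failure messages and a misleading one slows down triage. In the `@@ -215` hunk the `event.id` set is the only new processor without a tag; `tag: set_event_id_from_application_id` would keep it consistent with its siblings. Separately, copying `os_arch` (`"64 bit"` in the application and agent fixtures on this page) into `host.architecture` puts an OS bitness string into a field ECS defines as the CPU architecture (example value `x86_64`), so hosts reported by this stream will not line up with the same hosts reported by other integrations; if SentinelOne only ever emits `32 bit`/`64 bit` here, a short comment saying so, or leaving the value only in `sentinel_one.application.os_arch`, would be safer.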
@@ -4,8 +4,6 @@
 - name: application
 type: group
 fields:
- - name: account_name
- type: keyword
 - name: application_installation_date
 type: date
 - name: application_installation_path
@@ -50,7 +48,5 @@
 type: keyword
 - name: os_version
 type: keyword
- - name: site_name
- type: keyword
 - name: version
 type: keyword
diff --git a/packages/sentinel_one/data_stream/application/fields/unified-fields.yml b/packages/sentinel_one/data_stream/application/fields/unified-fields.yml
new file mode 100644
index 00000000000..0487a2705bc
--- /dev/null
+++ b/packages/sentinel_one/data_stream/application/fields/unified-fields.yml
@@ -0,0 +1,13 @@
+- name: sentinel_one
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ - name: site
+ type: group
+ fields:
+ - name: name
+ type: keyword
diff --git a/packages/sentinel_one/data_stream/application/sample_event.json b/packages/sentinel_one/data_stream/application/sample_event.json
index 86ddc9c8942..2ea383bdfde 100644
--- a/packages/sentinel_one/data_stream/application/sample_event.json
+++ b/packages/sentinel_one/data_stream/application/sample_event.json
@@ -1,24 +1,24 @@ { - "@timestamp": "2025-09-22T11:37:35.103Z", + "@timestamp": "2025-11-19T10:38:39.090Z", "agent": { - "ephemeral_id": "f3dbcd35-c358-4dc1-af94-eaabf9b235ed", - "id": "5d3eee3a-3182-4b39-8c6c-cb02286bd750", - "name": "elastic-agent-59605", + "ephemeral_id": "800ab008-1e5a-4db6-8e31-cc61875da3d4", + "id": "0d101c1b-0608-4563-bccd-9de1928b614f", + "name": "elastic-agent-14879", "type": "filebeat", - "version": "8.18.7" + "version": "8.19.7" }, "data_stream": { "dataset": "sentinel_one.application", - "namespace": "44982", + "namespace": "83873", "type": "logs" }, "ecs": { "version": "8.17.0" }, "elastic_agent": { - "id": "5d3eee3a-3182-4b39-8c6c-cb02286bd750", - "snapshot": false, - "version": "8.18.7" + "id": "0d101c1b-0608-4563-bccd-9de1928b614f", + "snapshot": true, + "version": "8.19.7" }, "event": { "agent_id_status": "verified", 
@@ -26,14 +26,20 @@ "package" ], "dataset": "sentinel_one.application", - "ingested": "2025-09-22T11:37:38Z", + "id": "2218357748550497214", + "ingested": "2025-11-19T10:38:42Z", "kind": "event", "original": "{\"accountName\":\"7-Zip\",\"applicationInstallationDate\":\"2025-04-13T10:45:01Z\",\"applicationInstallationPath\":null,\"applicationName\":\"Igor Pavlov\",\"coreCount\":2,\"cpe\":\"cpe:2.3:a:abc:igor:8.17.3:*:*:*:*:*:*:*\",\"cpuCount\":1,\"detectionDate\":\"2025-06-19T18:00:51.166610Z\",\"endpointId\":\"216970508828266268\",\"endpointName\":\"srv-win-defend-03\",\"endpointType\":\"server\",\"endpointUuid\":\"eb655be8be894dae97711ebb9a9091ae\",\"fileSize\":517364,\"groupName\":\"Default Group\",\"id\":\"2218357748550497214\",\"osArch\":\"64 bit\",\"osName\":\"Windows Server 2022 Datacenter\",\"osType\":\"windows\",\"osVersion\":\"Windows Server 2022 Datacenter 20348\",\"siteName\":\"Default site\",\"version\":\"8.17.3\"}", "type": [ "info" ] }, + "group": { + "name": "Default Group" + }, "host": { + "architecture": "64 bit", + "id": "216970508828266268", "name": "srv-win-defend-03", "os": { "full": "Windows Server 2022 Datacenter 20348", @@ -57,8 +63,10 @@ ] }, "sentinel_one": { + "account": { + "name": "7-Zip" + }, "application": { - "account_name": "7-Zip", "application_installation_date": "2025-04-13T10:45:01.000Z", "application_name": "Igor Pavlov", "core_count": 2, @@ -76,8 +84,10 @@ "os_name": "Windows Server 2022 Datacenter", "os_type": "windows", "os_version": "Windows Server 2022 Datacenter 20348", - "site_name": "Default site", "version": "8.17.3" + }, + "site": { + "name": "Default site" } }, "tags": [ diff --git a/packages/sentinel_one/data_stream/application_risk/sample_event.json b/packages/sentinel_one/data_stream/application_risk/sample_event.json index cfbce58f682..dfe92009990 100644 --- a/packages/sentinel_one/data_stream/application_risk/sample_event.json +++ b/packages/sentinel_one/data_stream/application_risk/sample_event.json 
@@ -1,24 +1,24 @@ { "@timestamp": "2025-07-29T19:25:47.000Z", "agent": { - "ephemeral_id": "a2feec44-477e-4405-95d0-a4478a26060b", - "id": "4fd69adb-bbe2-4f41-bbee-5673417f7a81", - "name": "elastic-agent-70432", + "ephemeral_id": "519ebcce-3d96-4c5b-a880-3f18b50a195a", + "id": "887e0ce4-9b7b-40e6-ac11-b62380aa2767", + "name": "elastic-agent-11705", "type": "filebeat", - "version": "8.18.7" + "version": "8.19.7" }, "data_stream": { "dataset": "sentinel_one.application_risk", - "namespace": "92576", + "namespace": "55690", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "4fd69adb-bbe2-4f41-bbee-5673417f7a81", - "snapshot": false, - "version": "8.18.7" + "id": "887e0ce4-9b7b-40e6-ac11-b62380aa2767", + "snapshot": true, + "version": "8.19.7" }, "event": { "agent_id_status": "verified", @@ -28,7 +28,7 @@ "created": "2025-06-02T04:46:51.710Z", "dataset": "sentinel_one.application_risk", "id": "2228104980801805822", - "ingested": "2025-09-22T11:38:28Z", + "ingested": "2025-11-19T10:39:33Z", "kind": "state", "original": "{\"application\":\"7-Zip 22.01\",\"applicationName\":\"7-Zip\",\"applicationVendor\":\"Igor Pavlov\",\"applicationVersion\":\"22.01\",\"baseScore\":\"7.00\",\"cveId\":\"CVE-2025-0411\",\"cvssVersion\":\"3.1\",\"daysDetected\":59,\"detectionDate\":\"2025-06-02T04:46:51.710569Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"test_endpoint\",\"endpointType\":\"desktop\",\"id\":\"2228104980801805822\",\"lastScanDate\":\"2025-07-29T19:25:47Z\",\"lastScanResult\":\"Succeeded\",\"markType\":\"\",\"markedBy\":null,\"markedDate\":null,\"osType\":\"windows\",\"publishedDate\":\"2025-01-20T07:04:04Z\",\"reason\":null,\"severity\":\"HIGH\",\"status\":\"Detected\"}", "outcome": "success", 
diff --git a/packages/sentinel_one/data_stream/group/_dev/test/pipeline/test-pipeline-group.log-expected.json b/packages/sentinel_one/data_stream/group/_dev/test/pipeline/test-pipeline-group.log-expected.json
index bc76ea4e66f..14ef4bfaaaf 100644
--- a/packages/sentinel_one/data_stream/group/_dev/test/pipeline/test-pipeline-group.log-expected.json
+++ b/packages/sentinel_one/data_stream/group/_dev/test/pipeline/test-pipeline-group.log-expected.json
@@ -36,10 +36,10 @@
 "inherits": true,
 "is_default": true,
 "registration_token": "eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=",
- "site": {
- "id": "1234567890123456789"
- },
 "type": "static"
+ },
+ "site": {
+ "id": "1234567890123456789"
 }
 },
 "tags": [
diff --git a/packages/sentinel_one/data_stream/group/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/data_stream/group/elasticsearch/ingest_pipeline/default.yml
index a03b4760062..33ec5cf26d2 100644
--- a/packages/sentinel_one/data_stream/group/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/sentinel_one/data_stream/group/elasticsearch/ingest_pipeline/default.yml
@@ -90,6 +90,10 @@ processors:
 field: json.id target_field: group.id ignore_missing: true + - set: field: event.id copy_from: sentinel_one.agent.agent.id ignore_empty_value: true - convert: field: json.inherits target_field: sentinel_one.group.inherits
@@ -136,7 +140,7 @@ processors:
 ignore_missing: true
 - rename:
 field: json.siteId
- target_field: sentinel_one.group.site.id
+ target_field: sentinel_one.site.id
 ignore_missing: true
 - convert:
 field: json.totalAgents
diff --git a/packages/sentinel_one/data_stream/group/fields/fields.yml b/packages/sentinel_one/data_stream/group/fields/fields.yml
index 89cd8a37875..e3aea57922f 100644
--- a/packages/sentinel_one/data_stream/group/fields/fields.yml
+++ b/packages/sentinel_one/data_stream/group/fields/fields.yml
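Review bot: The new `event.id` set in the `@@ -90` hunk copies from `sentinel_one.agent.agent.id`, a field the group pipeline does not populate: the rename immediately above it in the same hunk puts the group's `json.id` into `group.id`, and the group fixture updated earlier on this line shows no `event.id` being added, which is consistent with the set being a silent no-op under `ignore_empty_value: true`. This reads like a copy from the agent pipeline; `copy_from: group.id` is the matching source here, and the fixture should then gain an `event.id` of `1234567890123456789`. Adding a `tag` to the processor would also make it easier to locate if it ever fails.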
@@ -28,11 +28,6 @@
 type: long
 - name: registration_token
 type: keyword
- - name: site
- type: group
- fields:
- - name: id
- type: keyword
 - name: type
 type: keyword
 - name: log.source.address
diff --git a/packages/sentinel_one/data_stream/group/fields/unified-fields.yml b/packages/sentinel_one/data_stream/group/fields/unified-fields.yml
new file mode 100644
index 00000000000..1d18980a00e
--- /dev/null
+++ b/packages/sentinel_one/data_stream/group/fields/unified-fields.yml
@@ -0,0 +1,8 @@
+- name: sentinel_one
+ type: group
+ fields:
+ - name: site
+ type: group
+ fields:
+ - name: id
+ type: keyword
diff --git a/packages/sentinel_one/data_stream/group/sample_event.json b/packages/sentinel_one/data_stream/group/sample_event.json
index db51ddfac4e..54c3ac86c8d 100644
--- a/packages/sentinel_one/data_stream/group/sample_event.json
+++ b/packages/sentinel_one/data_stream/group/sample_event.json
@@ -1,33 +1,33 @@ { "@timestamp": "2022-04-05T16:01:57.564Z", "agent": { - "ephemeral_id": "19a3b41e-6893-4b82-ae86-4c2e93da02d9", - "id": "14cf6e5d-1727-4dee-a04e-568d68d0491a", - "name": "elastic-agent-16291", + "ephemeral_id": "da92d416-3f7d-47f5-8a18-c844c45a204a", + "id": "8f8db98d-a5de-4e44-9028-92faf7cdb865", + "name": "elastic-agent-24227", "type": "filebeat", - "version": "8.18.7" + "version": "8.19.7" }, "data_stream": { "dataset": "sentinel_one.group", - "namespace": "33426", + "namespace": "64327", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "14cf6e5d-1727-4dee-a04e-568d68d0491a", - "snapshot": false, - "version": "8.18.7" + "id": "8f8db98d-a5de-4e44-9028-92faf7cdb865", + "snapshot": true, + "version": "8.19.7" }, "event": { "agent_id_status": "verified", "category": [ "iam" ], - "created": "2025-09-22T11:39:15.003Z", + "created": "2025-11-19T10:40:29.178Z", "dataset": "sentinel_one.group", - "ingested": "2025-09-22T11:39:17Z", + "ingested": "2025-11-19T10:40:32Z", "kind": "event", "original": "{\"createdAt\":\"2022-04-05T16:01:56.928383Z\",\"creator\":\"Test User\",\"creatorId\":\"1234567890123456789\",\"filterId\":null,\"filterName\":null,\"id\":\"1234567890123456789\",\"inherits\":true,\"isDefault\":true,\"name\":\"Default Group\",\"rank\":null,\"registrationToken\":\"eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=\",\"siteId\":\"1234567890123456789\",\"totalAgents\":1,\"type\":\"static\",\"updatedAt\":\"2022-04-05T16:01:57.564266Z\"}", "type": [ @@ -58,10 +58,10 @@ "inherits": true, "is_default": true, "registration_token": "eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=", - "site": { - "id": "1234567890123456789" - }, "type": "static" + }, + "site": { + "id": "1234567890123456789" } }, "tags": [ 
diff --git a/packages/sentinel_one/data_stream/threat/_dev/test/pipeline/test-pipeline-threat.log-expected.json b/packages/sentinel_one/data_stream/threat/_dev/test/pipeline/test-pipeline-threat.log-expected.json index 38cdd949767..85afc01f478 100644 --- a/packages/sentinel_one/data_stream/threat/_dev/test/pipeline/test-pipeline-threat.log-expected.json +++ b/packages/sentinel_one/data_stream/threat/_dev/test/pipeline/test-pipeline-threat.log-expected.json @@ -17,6 +17,13 @@ "info" ] }, + "file": { + "path": "default.exe" + }, + "group": { + "id": "1234567890123456789", + "name": "Default Group" + }, "host": { "domain": "WORKGROUP", "geo": { @@ -68,11 +75,17 @@ ] }, "sentinel_one": { + "account": { + "name": "Default" + }, + "site": { + "id": "1234567890123456789", + "name": "Default site" + }, "threat": { "agent": { "account": { - "id": "1234567890123456789", - "name": "Default" + "id": "1234567890123456789" }, "active_threats": 7, "group": { @@ -119,8 +132,6 @@ "verdict": "undefined" }, "automatically_resolved": false, - "classification": "Trojan", - "classification_source": "Cloud", "cloudfiles_hash_verdict": "black", "collection": { "id": "1234567890123456789" @@ -150,10 +161,6 @@ "version": "1234" }, "registered_at": "2022-04-06T08:26:45.515Z", - "site": { - "id": "1234567890123456789", - "name": "Default site" - }, "uuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx", "version": "21.x.x" }, @@ -234,6 +241,10 @@ "whitening_option": [ "hash" ] + }, + "threat_classification": { + "name": "Trojan", + "source": "Cloud" } }, "tags": [ @@ -272,6 +283,13 @@ "info" ] }, + "file": { + "path": "test/path/user" + }, + "group": { + "id": "1234567890123456789", + "name": "Default Group" + }, "host": { "domain": "WORKGROUP", "geo": { 
@@ -323,11 +341,17 @@ ] }, "sentinel_one": { + "account": { + "name": "Default" + }, + "site": { + "id": "1234567890123456789", + "name": "Default site" + }, "threat": { "agent": { "account": { - "id": "1234567890123456789", - "name": "Default" + "id": "1234567890123456789" }, "active_threats": 7, "group": { @@ -374,8 +398,6 @@ "verdict": "undefined" }, "automatically_resolved": false, - "classification": "Malware", - "classification_source": "Static", "cloudfiles_hash_verdict": "black", "collection": { "id": "1234567890123456789" @@ -405,10 +427,6 @@ "version": "1234" }, "registered_at": "2022-04-06T08:26:45.515Z", - "site": { - "id": "1234567890123456789", - "name": "Default site" - }, "uuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx", "version": "21.x.x" }, @@ -507,6 +525,10 @@ "path", "file_type" ] + }, + "threat_classification": { + "name": "Malware", + "source": "Static" } }, "tags": [ @@ -572,6 +594,13 @@ "indicator" ] }, + "file": { + "path": "test/path/user" + }, + "group": { + "id": "1234567890123456789", + "name": "Default Group" + }, "host": { "domain": "WORKGROUP", "geo": { @@ -623,11 +652,17 @@ ] }, "sentinel_one": { + "account": { + "name": "Default" + }, + "site": { + "id": "1234567890123456789", + "name": "Default site" + }, "threat": { "agent": { "account": { - "id": "1234567890123456789", - "name": "Default" + "id": "1234567890123456789" }, "active_threats": 7, "group": { @@ -674,8 +709,6 @@ "verdict": "undefined" }, "automatically_resolved": false, - "classification": "Exploit", - "classification_source": "Static", "cloudfiles_hash_verdict": "black", "collection": { "id": "1234567890123456789" @@ -705,10 +738,6 @@ "version": "1234" }, "registered_at": "2022-04-06T08:26:45.515Z", - "site": { - "id": "1234567890123456789", - "name": "Default site" - }, "uuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx", "version": "21.x.x" }, @@ -807,6 +836,10 @@ "path", "file_type" ] + }, + "threat_classification": { + "name": "Exploit", + "source": "Static" } }, "tags": [ 
@@ -872,6 +905,13 @@ "indicator" ] }, + "file": { + "path": "test/path/user" + }, + "group": { + "id": "1234567890123456789", + "name": "Default Group" + }, "host": { "domain": "WORKGROUP", "geo": { @@ -923,11 +963,17 @@ ] }, "sentinel_one": { + "account": { + "name": "Default" + }, + "site": { + "id": "1234567890123456789", + "name": "Default site" + }, "threat": { "agent": { "account": { - "id": "1234567890123456789", - "name": "Default" + "id": "1234567890123456789" }, "active_threats": 7, "group": { @@ -974,8 +1020,6 @@ "verdict": "undefined" }, "automatically_resolved": false, - "classification": "PUA", - "classification_source": "Static", "cloudfiles_hash_verdict": "black", "collection": { "id": "1234567890123456789" @@ -1005,10 +1049,6 @@ "version": "1234" }, "registered_at": "2022-04-06T08:26:45.515Z", - "site": { - "id": "1234567890123456789", - "name": "Default site" - }, "uuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx", "version": "21.x.x" }, @@ -1107,6 +1147,10 @@ "path", "file_type" ] + }, + "threat_classification": { + "name": "PUA", + "source": "Static" } }, "tags": [ @@ -1172,6 +1216,13 @@ "info" ] }, + "file": { + "path": "test/path/user" + }, + "group": { + "id": "1234567890123456789", + "name": "Default Group" + }, "host": { "domain": "WORKGROUP", "geo": { @@ -1223,11 +1274,17 @@ ] }, "sentinel_one": { + "account": { + "name": "Default" + }, + "site": { + "id": "1234567890123456789", + "name": "Default site" + }, "threat": { "agent": { "account": { - "id": "1234567890123456789", - "name": "Default" + "id": "1234567890123456789" }, "active_threats": 7, "group": { @@ -1274,8 +1331,6 @@ "verdict": "undefined" }, "automatically_resolved": false, - "classification": "Downloader", - "classification_source": "Static", "cloudfiles_hash_verdict": "black", "collection": { "id": "1234567890123456789" 
@@ -1305,10 +1360,6 @@ "version": "1234" }, "registered_at": "2022-04-06T08:26:45.515Z", - "site": { - "id": "1234567890123456789", - "name": "Default site" - }, "uuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx", "version": "21.x.x" }, @@ -1407,6 +1458,10 @@ "path", "file_type" ] + }, + "threat_classification": { + "name": "Downloader", + "source": "Static" } }, "tags": [ @@ -1472,6 +1527,13 @@ "info" ] }, + "file": { + "path": "/Users/REDACTED/Downloads/uc232a_windows_setup_v1.0.084/UC232A_Windows_Setup.exe" + }, + "group": { + "id": "REDACTED", + "name": "REDACTED" + }, "host": { "domain": "REDACTED", "geo": { @@ -1563,11 +1625,17 @@ ] }, "sentinel_one": { + "account": { + "name": "REDACTED" + }, + "site": { + "id": "REDACTED", + "name": "REDACTED" + }, "threat": { "agent": { "account": { - "id": "1458520677752505410", - "name": "REDACTED" + "id": "1458520677752505410" }, "active_threats": 0, "group": { @@ -1684,8 +1752,6 @@ "verdict": "undefined" }, "automatically_resolved": false, - "classification": "Malware", - "classification_source": "Static", "collection": { "id": "REDACTED" }, @@ -1737,10 +1803,6 @@ "version": "15.1.1 (24B91)" }, "registered_at": "2023-07-04T11:28:10.412Z", - "site": { - "id": "REDACTED", - "name": "REDACTED" - }, "uuid": "REDACTED", "version": "24.3.2.7753" }, @@ -1861,6 +1923,10 @@ "hash", "path" ] + }, + "threat_classification": { + "name": "Malware", + "source": "Static" } }, "tags": [ @@ -1908,6 +1974,13 @@ "info" ] }, + "file": { + "path": "\\\\Device\\\\HarddiskVolume3\\\\Config.Msi\\\\44371a.rbf" + }, + "group": { + "id": "1341132xxx935792047", + "name": "Default Group" + }, "host": { "domain": "domain.local", "geo": { @@ -1960,11 +2033,17 @@ ] }, "sentinel_one": { + "account": { + "name": "MyAccountName" + }, + "site": { + "id": "1341132821910626222", + "name": "windows" + }, "threat": { "agent": { "account": { - "id": "1341089495639499999", - "name": "MyAccountName" + "id": "1341089495639499999" }, "active_threats": 0, "group": { 
@@ -2008,8 +2087,6 @@ "verdict": "true_positive" }, "automatically_resolved": false, - "classification": "Malware", - "classification_source": "Static", "cloudfiles_hash_verdict": "black", "collection": { "id": "2134739034820830297" @@ -2039,10 +2116,6 @@ "version": "22631" }, "registered_at": "2023-06-01T08:01:56.832Z", - "site": { - "id": "1341132821910626222", - "name": "windows" - }, "uuid": "7faaf3df17314exxx8c063de167b0e416", "version": "24.1.5.277" }, @@ -2126,6 +2199,10 @@ "whitening_option": [ "hash" ] + }, + "threat_classification": { + "name": "Malware", + "source": "Static" } }, "tags": [ diff --git a/packages/sentinel_one/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/data_stream/threat/elasticsearch/ingest_pipeline/default.yml index 2893e8e4923..1d71d1f97dc 100644 --- a/packages/sentinel_one/data_stream/threat/elasticsearch/ingest_pipeline/default.yml +++ b/packages/sentinel_one/data_stream/threat/elasticsearch/ingest_pipeline/default.yml @@ -267,11 +267,11 @@ processors: ignore_missing: true - rename: field: json.agentDetectionInfo.siteId - target_field: sentinel_one.threat.detection.agent.site.id + target_field: sentinel_one.site.id ignore_missing: true - rename: field: json.agentDetectionInfo.siteName - target_field: sentinel_one.threat.detection.agent.site.name + target_field: sentinel_one.site.name ignore_missing: true - rename: field: json.agentRealtimeInfo.accountId @@ -279,7 +279,7 @@ processors: ignore_missing: true - rename: field: json.agentRealtimeInfo.accountName - target_field: sentinel_one.threat.agent.account.name + target_field: sentinel_one.account.name ignore_missing: true - convert: field: json.agentRealtimeInfo.activeThreats 
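Review bot: Renaming `json.agentDetectionInfo.siteId` into `target_field: sentinel_one.site.id` converges on the same field that the removed `sentinel_one.threat.agent.site` group in fields.yml (which sat beside the `agentRealtimeInfo`-sourced `active_threats`) and the updated expected outputs now populate, and an Elasticsearch `rename` errors when its target already exists, so if `json.agentRealtimeInfo.siteId` is also renamed into `sentinel_one.site.id` (that rename is outside this hunk) the pipeline fails on whichever rename runs second — the sample event would not show this because both of its site ids are `1234567890123456789`. The two values are also semantically different: an agent moved to another site or account after the detection would lose which scope the threat was actually detected in, and site/account are exactly the fields SOC teams use for tenant scoping and RBAC on top of the SIEM. Either keep the detection-time copy under a distinct name, e.g. `target_field: sentinel_one.threat.detection.site.id`, and fill `sentinel_one.site.id` from one documented source with a `set`/`copy_from`/`ignore_empty_value: true`, or at minimum set `override: true` and document which source wins. The `json.agentRealtimeInfo.accountName` → `sentinel_one.account.name` rename in the next hunk has the same ambiguity against `agentDetectionInfo.accountName`.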
@@ -418,10 +418,18 @@ processors: field: json.agentRealtimeInfo.groupId target_field: sentinel_one.threat.agent.group.id ignore_missing: true + - set: + field: group.id + copy_from: sentinel_one.threat.agent.group.id + ignore_empty_value: true - rename: field: json.agentRealtimeInfo.groupName target_field: sentinel_one.threat.agent.group.name ignore_missing: true + - set: + field: group.name + copy_from: sentinel_one.threat.agent.group.name + ignore_empty_value: true - foreach: field: json.agentRealtimeInfo.networkInterfaces processor: @@ -952,11 +960,11 @@ processors: ignore_missing: true - rename: field: json.threatInfo.classification - target_field: sentinel_one.threat.classification + target_field: sentinel_one.threat_classification.name ignore_missing: true - rename: field: json.threatInfo.classificationSource - target_field: sentinel_one.threat.classification_source + target_field: sentinel_one.threat_classification.source ignore_missing: true - rename: field: json.threatInfo.cloudFilesHashVerdict @@ -1032,6 +1040,10 @@ processors: field: json.threatInfo.filePath target_field: threat.indicator.file.path ignore_missing: true + - set: + field: file.path + copy_from: threat.indicator.file.path + ignore_empty_value: true - convert: field: json.threatInfo.fileSize target_field: threat.indicator.file.size diff --git a/packages/sentinel_one/data_stream/threat/fields/fields.yml b/packages/sentinel_one/data_stream/threat/fields/fields.yml index 9304a18ada4..d8999a1dd21 100644 --- a/packages/sentinel_one/data_stream/threat/fields/fields.yml +++ b/packages/sentinel_one/data_stream/threat/fields/fields.yml @@ -10,9 +10,6 @@ - name: id type: keyword description: Account id. - - name: name - type: keyword - description: Account name. - name: active_threats type: long description: Active threats. 
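Review bot: The `sentinel_one.threat.agent.account.name` mapping is deleted outright in the fields.yml hunk, with no `type: alias` left behind, so any saved search, dashboard or detection rule keyed on the old path stops matching silently rather than failing loudly — the changelog marks this as breaking, but an alias would keep it readable for existing consumers. A three-line alias in the removed field's place preserves old queries: `- name: name` / `  type: alias` / `  path: sentinel_one.account.name`. The same treatment fits the other paths removed in this data stream (`sentinel_one.threat.classification`, `classification_source` and the agent `site` group), which would only need to point at `sentinel_one.threat_classification.*` and `sentinel_one.site.*`. An alias must not collide with a field the pipeline still writes; here the `rename` targets in the pipeline hunks changed, so nothing writes the old paths any more.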
@@ -136,12 +133,6 @@ - name: id type: keyword description: File Certificate ID. - - name: classification - type: keyword - description: Classification of the threat. - - name: classification_source - type: keyword - description: Source of the threat Classification. - name: cloudfiles_hash_verdict type: keyword description: Cloud files hash verdict. @@ -217,15 +208,6 @@ - name: registered_at type: date description: Time of first registration to management console. - - name: site - type: group - fields: - - name: id - type: keyword - description: Orig site id. - - name: name - type: keyword - description: Orig site name. - name: uuid type: keyword description: UUID of the agent. diff --git a/packages/sentinel_one/data_stream/threat/fields/unified-fields.yml b/packages/sentinel_one/data_stream/threat/fields/unified-fields.yml new file mode 100644 index 00000000000..be3a786c814 --- /dev/null +++ b/packages/sentinel_one/data_stream/threat/fields/unified-fields.yml @@ -0,0 +1,22 @@ +- name: sentinel_one + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + - name: site + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: threat_classification + type: group + fields: + - name: name + type: keyword + - name: source + type: keyword diff --git a/packages/sentinel_one/data_stream/threat/sample_event.json b/packages/sentinel_one/data_stream/threat/sample_event.json index 47ea9503f69..8125d2d1a3f 100644 --- a/packages/sentinel_one/data_stream/threat/sample_event.json +++ b/packages/sentinel_one/data_stream/threat/sample_event.json 
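Review bot: None of the fields in the new `threat/fields/unified-fields.yml` carries a `description`, so the generated README in this same change renders empty description cells for `sentinel_one.account.name`, `sentinel_one.site.id`, `sentinel_one.site.name` and `sentinel_one.threat_classification.*`, while the fields they replace were documented. Add a description to each, reusing the text removed from fields.yml, for example `description: Classification of the threat.` for `threat_classification.name`, `description: Source of the threat classification.` for `threat_classification.source`, and `description: Name of the SentinelOne account the agent belongs to.` for `account.name`. Because the unified fields are now shared across data streams, a short note on `site.*` saying whether it reflects the agent's current scope or the scope at detection time would help analysts who rely on site/account for tenant scoping.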
@@ -1,24 +1,24 @@ { "@timestamp": "2022-04-06T08:54:17.194Z", "agent": { - "ephemeral_id": "1128d81b-01bd-4864-808c-5ad00f4c923b", - "id": "bc9ba90f-141f-42b8-ae9a-e8f473cf41f1", - "name": "elastic-agent-63288", + "ephemeral_id": "402c85c2-f3e1-4ef9-97eb-86f207d4ec64", + "id": "9520e44c-407c-4082-a5c6-6dbaea7f4264", + "name": "elastic-agent-36635", "type": "filebeat", - "version": "8.18.7" + "version": "8.19.7" }, "data_stream": { "dataset": "sentinel_one.threat", - "namespace": "26215", + "namespace": "55649", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "bc9ba90f-141f-42b8-ae9a-e8f473cf41f1", - "snapshot": false, - "version": "8.18.7" + "id": "9520e44c-407c-4082-a5c6-6dbaea7f4264", + "snapshot": true, + "version": "8.19.7" }, "event": { "action": "SentinelOne Cloud", 
@@ -26,16 +26,23 @@ "category": [ "malware" ], - "created": "2025-09-22T12:02:37.990Z", + "created": "2025-11-19T10:41:22.249Z", "dataset": "sentinel_one.threat", "id": "1234567890123456789", - "ingested": "2025-09-22T12:02:39Z", + "ingested": "2025-11-19T10:41:23Z", "kind": "alert", "original": "{\"agentDetectionInfo\":{\"accountId\":\"111245567890123456789\",\"accountName\":\"Default2\",\"agentDetectionState\":null,\"agentDomain\":\"WORKGROUP\",\"agentIpV4\":\"127.0.0.1\",\"agentIpV6\":\"2a02:cf40::\",\"agentLastLoggedInUpn\":null,\"agentLastLoggedInUserMail\":null,\"agentLastLoggedInUserName\":\"\",\"agentMitigationMode\":\"protect\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentRegisteredAt\":\"2022-04-08T08:26:45.515278Z\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x\",\"cloudProviders\":{},\"externalIp\":\"81.2.69.143\",\"groupId\":\"1444567890123456789\",\"groupName\":\"Default Group\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\"},\"agentRealtimeInfo\":{\"accountId\":\"1456567890123456789\",\"accountName\":\"Default2\",\"activeThreats\":8,\"agentComputerName\":\"test-LINUX\",\"agentDecommissionedAt\":null,\"agentDomain\":\"WORKGROUP\",\"agentId\":\"1234567890123456789\",\"agentInfected\":true,\"agentIsActive\":true,\"agentIsDecommissioned\":false,\"agentMachineType\":\"server\",\"agentMitigationMode\":\"detect\",\"agentNetworkStatus\":\"connected\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentOsType\":\"linux\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x.1234\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default 
Group\",\"networkInterfaces\":[{\"id\":\"1234567890123456789\",\"inet\":[\"10.0.0.1\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"DE:AD:00:00:BE:EF\"}],\"operationalState\":\"na\",\"rebootRequired\":false,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-09T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-09T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"storageName\":null,\"storageType\":null,\"userActionsNeeded\":[]},\"containerInfo\":{\"id\":null,\"image\":null,\"labels\":null,\"name\":null},\"id\":\"1234567890123456789\",\"indicators\":[],\"kubernetesInfo\":{\"cluster\":null,\"controllerKind\":null,\"controllerLabels\":null,\"controllerName\":null,\"namespace\":null,\"namespaceLabels\":null,\"node\":null,\"pod\":null,\"podLabels\":null},\"mitigationStatus\":[{\"action\":\"unquarantine\",\"actionsCounters\":{\"failed\":0,\"notFound\":0,\"pendingReboot\":0,\"success\":1,\"total\":1},\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:54:17.198002Z\",\"latestReport\":\"/threats/mitigation-report\",\"mitigationEndedAt\":\"2022-04-06T08:54:17.101000Z\",\"mitigationStartedAt\":\"2022-04-06T08:54:17.101000Z\",\"status\":\"success\"},{\"action\":\"kill\",\"actionsCounters\":null,\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:45:55.303355Z\",\"latestReport\":null,\"mitigationEndedAt\":\"2022-04-06T08:45:55.297364Z\",\"mitigationStartedAt\":\"2022-04-06T08:45:55.297363Z\",\"status\":\"success\"}],\"threatInfo\":{\"analystVerdict\":\"undefined\",\"analystVerdictDescription\":\"Undefined\",\"automaticallyResolved\":false,\"browserType\":null,\"certificateId\":\"\",\"classification\":\"Trojan\",\"classificationSource\":\"Cloud\",\"cloudFilesHashVerdict\":\"black\",\"collectionId\":\"1234567890123456789\",\"confidenceLevel\":\"malicious\",\"createdAt\":\"2022-04-06T08:45:54.519988Z\",\"detectio
nEngines\":[{\"key\":\"sentinelone_cloud\",\"title\":\"SentinelOne Cloud\"}],\"detectionType\":\"static\",\"engines\":[\"SentinelOne Cloud\"],\"externalTicketExists\":false,\"externalTicketId\":null,\"failedActions\":false,\"fileExtension\":\"EXE\",\"fileExtensionType\":\"Executable\",\"filePath\":\"default.exe\",\"fileSize\":1234,\"fileVerificationType\":\"NotSigned\",\"identifiedAt\":\"2022-04-06T08:45:53.968000Z\",\"incidentStatus\":\"unresolved\",\"incidentStatusDescription\":\"Unresolved\",\"initiatedBy\":\"agent_policy\",\"initiatedByDescription\":\"Agent Policy\",\"initiatingUserId\":null,\"initiatingUsername\":null,\"isFileless\":false,\"isValidCertificate\":false,\"maliciousProcessArguments\":null,\"md5\":null,\"mitigatedPreemptively\":false,\"mitigationStatus\":\"not_mitigated\",\"mitigationStatusDescription\":\"Not mitigated\",\"originatorProcess\":\"default.exe\",\"pendingActions\":false,\"processUser\":\"test user\",\"publisherName\":\"\",\"reachedEventsLimit\":false,\"rebootRequired\":false,\"sha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"sha256\":null,\"storyline\":\"D0XXXXXXXXXXAF4D\",\"threatId\":\"1234567890123456789\",\"threatName\":\"default.exe\",\"updatedAt\":\"2022-04-06T08:54:17.194122Z\"},\"whiteningOptions\":[\"hash\"]}", "type": [ "info" ] }, + "file": { + "path": "default.exe" + }, + "group": { + "id": "1234567890123456789", + "name": "Default Group" + }, "host": { "domain": "WORKGROUP", "geo": { @@ -92,11 +99,17 @@ ] }, "sentinel_one": { + "account": { + "name": "Default2" + }, + "site": { + "id": "1234567890123456789", + "name": "Default site" + }, "threat": { "agent": { "account": { - "id": "1456567890123456789", - "name": "Default2" + "id": "1456567890123456789" }, "active_threats": 8, "group": { @@ -143,8 +156,6 @@ "verdict": "undefined" }, "automatically_resolved": false, - "classification": "Trojan", - "classification_source": "Cloud", "cloudfiles_hash_verdict": "black", "collection": { "id": "1234567890123456789" 
@@ -174,10 +185,6 @@ "version": "1234" }, "registered_at": "2022-04-08T08:26:45.515Z", - "site": { - "id": "1234567890123456789", - "name": "Default site" - }, "uuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx", "version": "21.x.x" }, @@ -258,6 +265,10 @@ "whitening_option": [ "hash" ] + }, + "threat_classification": { + "name": "Trojan", + "source": "Cloud" } }, "tags": [ diff --git a/packages/sentinel_one/data_stream/threat_event/_dev/test/pipeline/test-pipeline-application.log-expected.json b/packages/sentinel_one/data_stream/threat_event/_dev/test/pipeline/test-pipeline-application.log-expected.json index 30cb77b3e1a..9659d1e7234 100644 --- a/packages/sentinel_one/data_stream/threat_event/_dev/test/pipeline/test-pipeline-application.log-expected.json +++ b/packages/sentinel_one/data_stream/threat_event/_dev/test/pipeline/test-pipeline-application.log-expected.json @@ -65,6 +65,10 @@ ] }, "sentinel_one": { + "site": { + "id": "site_001", + "name": "SiteA" + }, "threat_event": { "active_content": { "file_id": "fileid_001", @@ -167,10 +171,6 @@ "sha256": "sha256_sample", "signature_signed_invalid_reason": "None", "signed_status": "Signed", - "site": { - "id": "site_001", - "name": "SiteA" - }, "src": { "ip": "89.160.20.128", "port": 45678 @@ -270,6 +270,10 @@ ] }, "sentinel_one": { + "site": { + "id": "site_002", + "name": "SiteB" + }, "threat_event": { "active_content": { "file_id": "fileid_002", @@ -372,10 +376,6 @@ "sha256": "sha256_sample2", "signature_signed_invalid_reason": "Invalid", "signed_status": "Unsigned", - "site": { - "id": "site_002", - "name": "SiteB" - }, "src": { "ip": "89.160.20.156", "port": 56789 @@ -475,6 +475,10 @@ ] }, "sentinel_one": { + "site": { + "id": "site_003", + "name": "SiteC" + }, "threat_event": { "active_content": { "file_id": "fileid_003", 
@@ -577,10 +581,6 @@ "sha256": "sha256_sample3", "signature_signed_invalid_reason": "Expired", "signed_status": "Signed", - "site": { - "id": "site_003", - "name": "SiteC" - }, "src": { "ip": "127.0.0.1", "port": 23456 @@ -681,6 +681,10 @@ ] }, "sentinel_one": { + "site": { + "id": "site_004", + "name": "SiteD" + }, "threat_event": { "active_content": { "file_id": "fileid_004", @@ -783,10 +787,6 @@ "sha256": "sha256_sample4", "signature_signed_invalid_reason": "None", "signed_status": "Signed", - "site": { - "id": "site_004", - "name": "SiteD" - }, "src": { "ip": "127.0.0.1", "port": 34567 diff --git a/packages/sentinel_one/data_stream/threat_event/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/data_stream/threat_event/elasticsearch/ingest_pipeline/default.yml index 75502a61ee3..5a21ef38c50 100644 --- a/packages/sentinel_one/data_stream/threat_event/elasticsearch/ingest_pipeline/default.yml +++ b/packages/sentinel_one/data_stream/threat_event/elasticsearch/ingest_pipeline/default.yml @@ -133,12 +133,12 @@ processors: - rename: field: json.siteId tag: rename_siteId - target_field: sentinel_one.threat_event.site.id + target_field: sentinel_one.site.id ignore_missing: true - rename: field: json.siteName tag: rename_siteName - target_field: sentinel_one.threat_event.site.name + target_field: sentinel_one.site.name ignore_missing: true - rename: field: json.pid diff --git a/packages/sentinel_one/data_stream/threat_event/fields/fields.yml b/packages/sentinel_one/data_stream/threat_event/fields/fields.yml index 6e0f674146a..745a9905087 100644 --- a/packages/sentinel_one/data_stream/threat_event/fields/fields.yml +++ b/packages/sentinel_one/data_stream/threat_event/fields/fields.yml @@ -74,13 +74,6 @@ type: keyword - name: ip type: ip - - name: site - type: group - fields: - - name: id - type: keyword - - name: name - type: keyword - name: pid type: keyword - name: src 
diff --git a/packages/sentinel_one/data_stream/threat_event/fields/unified-fields.yml b/packages/sentinel_one/data_stream/threat_event/fields/unified-fields.yml
new file mode 100644
index 00000000000..631a635794b
--- /dev/null
+++ b/packages/sentinel_one/data_stream/threat_event/fields/unified-fields.yml
@@ -0,0 +1,10 @@
+- name: sentinel_one
+ type: group
+ fields:
+ - name: site
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ - name: name
+ type: keyword
diff --git a/packages/sentinel_one/data_stream/threat_event/sample_event.json b/packages/sentinel_one/data_stream/threat_event/sample_event.json
index ac10de66e7e..f9d89fcbada 100644
--- a/packages/sentinel_one/data_stream/threat_event/sample_event.json
+++ b/packages/sentinel_one/data_stream/threat_event/sample_event.json
@@ -1,15 +1,15 @@
 {
 "@timestamp": "2025-10-22T11:30:00.000Z",
 "agent": {
- "ephemeral_id": "cb480124-a03c-47cc-9451-f52e3e80bc47",
- "id": "0d5383c7-da8f-4e33-a9c8-ea303876fbd9",
- "name": "elastic-agent-26678",
+ "ephemeral_id": "b7dae0a8-8a03-4b8a-8bdd-101df93a42af",
+ "id": "a8992072-5255-4dac-9197-44b16d9ce68b",
+ "name": "elastic-agent-69444",
 "type": "filebeat",
- "version": "8.18.7"
+ "version": "8.19.7"
 },
 "data_stream": {
 "dataset": "sentinel_one.threat_event",
- "namespace": "82630",
+ "namespace": "93680",
 "type": "logs"
 },
 "destination": {
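Review bot: The new `sentinel_one.site.id` and `sentinel_one.site.name` fields in `threat_event/fields/unified-fields.yml` have no `description`, so the generated field table for this stream will show blank description cells where the replaced `sentinel_one.threat_event.site.*` entries sat. Add e.g. `description: ID of the SentinelOne site associated with the event.` and `description: Name of the SentinelOne site associated with the event.` under the respective `type: keyword` lines. Declaring only `site` here is consistent with the sample event in the following hunk, whose payload carries `siteId`/`siteName` but no account fields.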
@@ -20,16 +20,16 @@ "version": "8.17.0" }, "elastic_agent": { - "id": "0d5383c7-da8f-4e33-a9c8-ea303876fbd9", - "snapshot": false, - "version": "8.18.7" + "id": "a8992072-5255-4dac-9197-44b16d9ce68b", + "snapshot": true, + "version": "8.19.7" }, "event": { "agent_id_status": "verified", "created": "2025-10-22T11:30:00.000Z", "dataset": "sentinel_one.threat_event", "id": "id_004", - "ingested": "2025-10-27T07:44:21Z", + "ingested": "2025-11-19T10:42:22Z", "kind": "event", "original": "{\"activeContentFileId\":\"fileid_004\",\"activeContentHash\":\"hash_004\",\"activeContentPath\":\"D:\\\\content\\\\file4\",\"agentDomain\":\"domain4\",\"agentGroupId\":\"group_04\",\"agentId\":\"agent_004\",\"agentInfected\":false,\"agentIp\":\"89.160.20.156\",\"agentIsActive\":true,\"agentIsDecommissioned\":false,\"agentMachineType\":\"x64\",\"agentName\":\"Agent_4\",\"agentNetworkStatus\":\"online\",\"agentOs\":\"Windows 10\",\"agentUuid\":\"uuid_004\",\"agentVersion\":\"1.3.0\",\"connectionStatus\":\"active\",\"createdAt\":\"2025-10-22T11:30:00Z\",\"direction\":\"outbound\",\"dnsRequest\":\"google.com\",\"dnsResponse\":\"8.8.8.8\",\"dstIp\":\"89.160.20.128\",\"dstPort\":443,\"eventType\":\"network\",\"fileFullName\":\"C:\\\\Program Files\\\\Chrome\\\\chrome.exe\",\"fileId\":\"file_004\",\"fileMd5\":\"md5_004\",\"fileSha1\":\"sha1_004\",\"fileSha256\":\"sha256_004\",\"fileSize\":\"4096\",\"fileType\":\"exe\",\"hasActiveContent\":false,\"id\":\"id_004\",\"indicatorCategory\":\"spyware\",\"indicatorDescription\":\"tracking 
software\",\"indicatorMetadata\":\"meta4\",\"indicatorName\":\"Spyware4\",\"loginsBaseType\":\"domain\",\"loginsUserName\":\"user_login4\",\"md5\":\"md5_sample4\",\"networkMethod\":\"GET\",\"networkSource\":\"WAN\",\"networkUrl\":\"https://google.com\",\"objectType\":\"process\",\"oldFileMd5\":\"old_md54\",\"oldFileName\":\"chrome_old.exe\",\"oldFileSha1\":\"old_sha14\",\"oldFileSha256\":\"old_sha2564\",\"parentPid\":\"4001\",\"parentProcessGroupId\":\"group_parent_04\",\"parentProcessIsMalicious\":false,\"parentProcessName\":\"explorer.exe\",\"parentProcessUniqueKey\":\"unique_parent_004\",\"pid\":\"4567\",\"processCmd\":\"chrome.exe --new-tab\",\"processDisplayName\":\"Google Chrome\",\"processGroupId\":\"group_04\",\"processImagePath\":\"C:\\\\Program Files\\\\Chrome\\\\chrome.exe\",\"processImageSha1Hash\":\"sha1_process4\",\"processIntegrityLevel\":\"medium\",\"processIsMalicious\":false,\"processIsRedirectedCommandProcessor\":\"false\",\"processIsWow64\":\"false\",\"processName\":\"chrome.exe\",\"processRoot\":\"C:\\\\\",\"processSessionId\":\"session_004\",\"processStartTime\":\"2025-10-22T11:00:00Z\",\"processSubSystem\":\"subsystem4\",\"processUniqueKey\":\"unique_004\",\"processUserName\":\"user4\",\"protocol\":\"TCP\",\"publisher\":\"Google\",\"registryClassification\":\"application\",\"registryId\":\"reg_004\",\"registryPath\":\"HKCU\\\\Software\\\\Test4\",\"relatedToThreat\":false,\"rpid\":\"rpid_004\",\"sha1\":\"sha1_sample4\",\"sha256\":\"sha256_sample4\",\"signatureSignedInvalidReason\":\"None\",\"signedStatus\":\"Signed\",\"siteId\":\"site_004\",\"siteName\":\"SiteD\",\"srcIp\":\"127.0.0.1\",\"srcPort\":34567,\"storyline\":\"storyline4\",\"taskName\":\"task4\",\"taskPath\":\"C:\\\\Tasks\\\\task4\",\"threatStatus\":\"clean\",\"tid\":\"tid_004\",\"trueContext\":\"context4\",\"user\":\"user4\",\"verifiedStatus\":\"Verified\"}" }, 
@@ -87,6 +87,10 @@ ] }, "sentinel_one": { + "site": { + "id": "site_004", + "name": "SiteD" + }, "threat_event": { "active_content": { "file_id": "fileid_004", @@ -189,10 +193,6 @@ "sha256": "sha256_sample4", "signature_signed_invalid_reason": "None", "signed_status": "Signed", - "site": { - "id": "site_004", - "name": "SiteD" - }, "src": { "ip": "127.0.0.1", "port": 34567 diff --git a/packages/sentinel_one/docs/README.md b/packages/sentinel_one/docs/README.md index 3c65a1c247e..cae1cf2c1a9 100644 --- a/packages/sentinel_one/docs/README.md +++ b/packages/sentinel_one/docs/README.md 
@@ -123,33 +123,34 @@ An example event for `activity` looks as following: { "@timestamp": "2022-04-19T05:14:08.925Z", "agent": { - "ephemeral_id": "10175f71-9c3d-43ea-9326-e2c1fbfed4fa", - "id": "9b7ecf1c-5873-4d71-b82a-5ef8d4ac574e", - "name": "elastic-agent-48880", + "ephemeral_id": "e6b8b354-ed66-48eb-8516-c576417e273c", + "id": "7097c76d-ffaf-4c65-9da9-8da760e67c8a", + "name": "elastic-agent-98755", "type": "filebeat", - "version": "8.18.7" + "version": "8.19.7" }, "data_stream": { "dataset": "sentinel_one.activity", - "namespace": "26410", + "namespace": "86823", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "9b7ecf1c-5873-4d71-b82a-5ef8d4ac574e", - "snapshot": false, - "version": "8.18.7" + "id": "7097c76d-ffaf-4c65-9da9-8da760e67c8a", + "snapshot": true, + "version": "8.19.7" }, "event": { "agent_id_status": "verified", "category": [ "configuration" ], - "created": "2025-09-22T11:35:05.641Z", + "created": "2025-11-19T10:35:41.122Z", "dataset": "sentinel_one.activity", - "ingested": "2025-09-22T11:35:08Z", + "id": "1234567890123456789", + "ingested": "2025-11-19T10:35:44Z", "kind": "event", "original": "{\"accountId\":\"3214567890123456789\",\"accountName\":\"Default12\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":\"True\",\"createdAt\":\"2022-04-19T05:14:08.925421Z\",\"data\":{\"accountName\":\"Default\",\"byUser\":\"API\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"test/default\",\"groupName\":null,\"newValue\":true,\"role\":\"Level\",\"scopeLevel\":\"Account\",\"scopeName\":\"Default\",\"siteName\":null,\"userScope\":\"account\",\"username\":\"API\"},\"description\":\"API\",\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"The management user API enabled Two factor authentication on the user 
API.\",\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":null,\"updatedAt\":\"2022-04-18T05:14:08.922553Z\",\"userId\":\"1234567890123456789\"}", "type": [ @@ -166,10 +167,12 @@ An example event for `activity` looks as following: ] }, "sentinel_one": { + "account": { + "name": "Default12" + }, "activity": { "account": { - "id": "3214567890123456789", - "name": "Default12" + "id": "3214567890123456789" }, "comments": "True", "data": { @@ -231,8 +234,8 @@ An example event for `activity` looks as following: | input.type | Input type | keyword | | log.offset | Log offset | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | +| sentinel_one.account.name | | keyword | | sentinel_one.activity.account.id | Related account ID (if applicable). | keyword | -| sentinel_one.activity.account.name | Related account name (if applicable). | keyword | | sentinel_one.activity.agent.id | Related agent (if applicable). | keyword | | sentinel_one.activity.comments | Comments. | keyword | | sentinel_one.activity.data.account.id | Related account ID (if applicable). | keyword | @@ -269,7 +272,6 @@ An example event for `activity` looks as following: | sentinel_one.activity.data.status | Status. | keyword | | sentinel_one.activity.data.system | System. | boolean | | sentinel_one.activity.data.threat.classification.name | Threat classification name. | keyword | -| sentinel_one.activity.data.threat.classification.source | Threat classification source. | keyword | | sentinel_one.activity.data.user.name | User name. | keyword | | sentinel_one.activity.data.user.scope | User scope. | keyword | | sentinel_one.activity.data.uuid | UUID. | keyword | 
@@ -277,11 +279,13 @@ An example event for `activity` looks as following: | sentinel_one.activity.description.secondary | Secondary description. | keyword | | sentinel_one.activity.description_value | | keyword | | sentinel_one.activity.id | Activity ID. | keyword | -| sentinel_one.activity.site.id | Related site ID (if applicable). | keyword | -| sentinel_one.activity.site.name | Related site name (if applicable). | keyword | | sentinel_one.activity.threat.id | Related threat ID (if applicable). | keyword | | sentinel_one.activity.type | Activity type. | long | | sentinel_one.activity.updated_at | Activity last updated time (UTC). | date | +| sentinel_one.site.id | | keyword | +| sentinel_one.site.name | | keyword | +| sentinel_one.threat_classification.name | | keyword | +| sentinel_one.threat_classification.source | | keyword | ### agent 
@@ -294,33 +298,34 @@ An example event for `agent` looks as following: { "@timestamp": "2022-04-07T08:31:47.481Z", "agent": { - "ephemeral_id": "e30ba73f-f169-4f6a-868b-79481d37c732", - "id": "e8901d6d-1c15-41f6-acf8-046dbbd754ce", - "name": "elastic-agent-22310", + "ephemeral_id": "d113dedc-4d4c-4edf-902c-01cfbebee496", + "id": "f4af1d66-97e4-4128-81ef-620bd2b06381", + "name": "elastic-agent-49562", "type": "filebeat", - "version": "8.18.7" + "version": "8.19.7" }, "data_stream": { "dataset": "sentinel_one.agent", - "namespace": "13010", + "namespace": "33892", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "e8901d6d-1c15-41f6-acf8-046dbbd754ce", - "snapshot": false, - "version": "8.18.7" + "id": "f4af1d66-97e4-4128-81ef-620bd2b06381", + "snapshot": true, + "version": "8.19.7" }, "event": { "agent_id_status": "verified", "category": [ "host" ], - "created": "2025-09-22T11:35:56.007Z", + "created": "2025-11-19T10:36:49.199Z", "dataset": "sentinel_one.agent", - "ingested": "2025-09-22T11:35:59Z", + "id": "13491234512345", + "ingested": "2025-11-19T10:36:52Z", "kind": "event", "original": "{\"accountId\":\"892341123451234512345\",\"accountName\":\"ABC\",\"activeDirectory\":{\"computerDistinguishedName\":null,\"computerMemberOf\":[],\"lastUserDistinguishedName\":null,\"lastUserMemberOf\":[]},\"activeThreats\":7,\"agentVersion\":\"12.x.x.x\",\"allowRemoteShell\":true,\"appsVulnerabilityStatus\":\"not_applicable\",\"cloudProviders\":{},\"computerName\":\"user-test\",\"consoleMigrationStatus\":\"N/A\",\"coreCount\":2,\"cpuCount\":2,\"cpuId\":\"CPU Name\",\"createdAt\":\"2022-03-18T09:12:00.519500Z\",\"detectionState\":null,\"domain\":\"WORKGROUP\",\"encryptedApplications\":false,\"externalId\":\"\",\"externalIp\":\"81.2.69.143\",\"firewallEnabled\":true,\"firstFullModeTime\":null,\"groupId\":\"1234567890123456789\",\"groupIp\":\"81.2.69.144\",\"groupName\":\"Default 
Group\",\"id\":\"13491234512345\",\"inRemoteShellSession\":false,\"infected\":true,\"installerType\":\".msi\",\"isActive\":true,\"isDecommissioned\":false,\"isPendingUninstall\":false,\"isUninstalled\":false,\"isUpToDate\":true,\"lastActiveDate\":\"2022-03-17T09:51:28.506000Z\",\"lastIpToMgmt\":\"81.2.69.145\",\"lastLoggedInUserName\":\"\",\"licenseKey\":\"\",\"locationEnabled\":true,\"locationType\":\"not_applicable\",\"locations\":null,\"machineType\":\"server\",\"missingPermissions\":[\"user-action-needed-bluetooth-per\",\"user_action_needed_fda\"],\"mitigationMode\":\"detect\",\"mitigationModeSuspicious\":\"detect\",\"modelName\":\"Compute Engine\",\"networkInterfaces\":[{\"gatewayIp\":\"81.2.69.145\",\"gatewayMacAddress\":\"00-00-5E-00-53-00\",\"id\":\"1234567890123456789\",\"inet\":[\"81.2.69.144\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"00-00-5E-00-53-00\"}],\"networkQuarantineEnabled\":false,\"networkStatus\":\"connected\",\"operationalState\":\"na\",\"operationalStateExpiration\":null,\"osArch\":\"64 bit\",\"osName\":\"Linux Server\",\"osRevision\":\"1234\",\"osStartTime\":\"2022-04-06T08:27:14Z\",\"osType\":\"linux\",\"osUsername\":null,\"rangerStatus\":\"Enabled\",\"rangerVersion\":\"21.x.x.x\",\"registeredAt\":\"2022-04-06T08:26:45.515278Z\",\"remoteProfilingState\":\"disabled\",\"remoteProfilingStateExpiration\":null,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default 
site\",\"storageName\":null,\"storageType\":null,\"tags\":{\"sentinelone\":[{\"assignedAt\":\"2018-02-27T04:49:26.257525Z\",\"assignedBy\":\"test-user\",\"assignedById\":\"123456789012345678\",\"id\":\"123456789012345678\",\"key\":\"key123\",\"value\":\"value123\"}]},\"threatRebootRequired\":false,\"totalMemory\":1234,\"updatedAt\":\"2022-04-07T08:31:47.481227Z\",\"userActionsNeeded\":[\"reboot_needed\"],\"uuid\":\"XXX35XXX8Xfb4aX0X1X8X12X343X8X30\"}", "type": [ @@ -332,6 +337,7 @@ An example event for `agent` looks as following: "name": "Default Group" }, "host": { + "architecture": "64 bit", "domain": "WORKGROUP", "geo": { "city_name": "London", @@ -378,10 +384,12 @@ An example event for `agent` looks as following: ] }, "sentinel_one": { + "account": { + "name": "ABC" + }, "agent": { "account": { - "id": "892341123451234512345", - "name": "ABC" + "id": "892341123451234512345" }, "active_threats_count": 7, "agent": { @@ -461,10 +469,6 @@ An example event for `agent` looks as following: "started_at": "2022-04-06T08:26:52.838Z", "status": "finished" }, - "site": { - "id": "1234567890123456789", - "name": "Default site" - }, "tags": [ { "assigned_at": "2018-02-27T04:49:26.257Z", @@ -481,6 +485,10 @@ An example event for `agent` looks as following: "reboot_needed" ], "uuid": "XXX35XXX8Xfb4aX0X1X8X12X343X8X30" + }, + "site": { + "id": "1234567890123456789", + "name": "Default site" } }, "tags": [ 
@@ -507,8 +515,8 @@ An example event for `agent` looks as following: | host.os.codename | OS codename, if any. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | +| sentinel_one.account.name | | keyword | | sentinel_one.agent.account.id | A reference to the containing account. | keyword | -| sentinel_one.agent.account.name | Name of the containing account. | keyword | | sentinel_one.agent.active_directory.computer.member_of | Computer member of. | keyword | | sentinel_one.agent.active_directory.computer.name | Computer distinguished name. | keyword | | sentinel_one.agent.active_directory.last_user.distinguished_name | Last user distinguished name. | keyword | @@ -576,8 +584,6 @@ An example event for `agent` looks as following: | sentinel_one.agent.scan.finished_at | Finish time of last scan (if applicable). | date | | sentinel_one.agent.scan.started_at | Start time of last scan. | date | | sentinel_one.agent.scan.status | Last scan status. | keyword | -| sentinel_one.agent.site.id | A reference to the containing site. | keyword | -| sentinel_one.agent.site.name | Name of the containing site. | keyword | | sentinel_one.agent.storage.name | Storage name. | keyword | | sentinel_one.agent.storage.type | Storage type. | keyword | | sentinel_one.agent.tags.assigned_at | When tag assigned to the agent. | date | @@ -590,6 +596,8 @@ An example event for `agent` looks as following: | sentinel_one.agent.total_memory | Memory size (MB). | long | | sentinel_one.agent.user_action_needed | A list of pending user actions. | keyword | | sentinel_one.agent.uuid | Agent's universally unique identifier. | keyword | +| sentinel_one.site.id | | keyword | +| sentinel_one.site.name | | keyword | ### alert 
@@ -602,11 +610,11 @@ An example event for `alert` looks as following: { "@timestamp": "2018-02-27T04:49:26.257Z", "agent": { - "ephemeral_id": "08bbc60c-bcdb-4947-b58b-db2a8b01a1fc", - "id": "18481dc1-1b98-402b-ac39-57dc51f6d92e", - "name": "elastic-agent-93569", + "ephemeral_id": "38d6bc5f-ee5a-4d20-9152-5a802c430eeb", + "id": "9f44ff99-cec0-4435-b939-8f2066427cc8", + "name": "elastic-agent-81341", "type": "filebeat", - "version": "8.18.7" + "version": "8.19.7" }, "container": { "id": "string", @@ -617,7 +625,7 @@ An example event for `alert` looks as following: }, "data_stream": { "dataset": "sentinel_one.alert", - "namespace": "33685", + "namespace": "52488", "type": "logs" }, "destination": { 
@@ -639,19 +647,19 @@ An example event for `alert` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "18481dc1-1b98-402b-ac39-57dc51f6d92e", - "snapshot": false, - "version": "8.18.7" + "id": "9f44ff99-cec0-4435-b939-8f2066427cc8", + "snapshot": true, + "version": "8.19.7" }, "event": { "agent_id_status": "verified", "category": [ "malware" ], - "created": "2025-09-22T11:51:54.640Z", + "created": "2025-11-19T10:37:39.901Z", "dataset": "sentinel_one.alert", "id": "888456789123456789", - "ingested": "2025-09-22T11:51:57Z", + "ingested": "2025-11-19T10:37:42Z", "kind": "event", "original": "{\"agentDetectionInfo\":{\"machineType\":\"string\",\"name\":\"string\",\"osFamily\":\"string\",\"osName\":\"string\",\"osRevision\":\"string\",\"siteId\":\"123456789123456789\",\"uuid\":\"string\",\"version\":\"3.x.x.x\"},\"alertInfo\":{\"alertId\":\"888456789123456789\",\"analystVerdict\":\"string\",\"createdAt\":\"2018-02-27T04:49:26.257525Z\",\"dnsRequest\":\"string\",\"dnsResponse\":\"string\",\"dstIp\":\"81.2.69.144\",\"dstPort\":\"1234\",\"dvEventId\":\"string\",\"eventType\":\"info\",\"hitType\":\"Events\",\"incidentStatus\":\"open\",\"indicatorCategory\":\"string\",\"indicatorDescription\":\"string\",\"indicatorName\":\"string\",\"loginAccountDomain\":\"string\",\"loginAccountSid\":\"string\",\"loginIsAdministratorEquivalent\":\"string\",\"loginIsSuccessful\":\"string\",\"loginType\":\"login\",\"loginsUserName\":\"string\",\"modulePath\":\"string\",\"moduleSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"netEventDirection\":\"string\",\"registryKeyPath\":\"string\",\"registryOldValue\":\"string\",\"registryOldValueType\":\"string\",\"registryPath\":\"string\",\"registryValue\":\"string\",\"reportedAt\":\"2018-02-27T04:49:26.257525Z\",\"source\":\"string\",\"srcIp\":\"81.2.69.142\",\"srcMachineIp\":\"81.2.69.142\",\"srcPort\":\"1234\",\"tiIndicatorComparisonMethod\":\"string\",\"tiIndicatorSource\":\"string\",\"tiIndicatorType\":\"string\",\"tiIndica
torValue\":\"string\",\"updatedAt\":\"2018-02-27T04:49:26.257525Z\"},\"containerInfo\":{\"id\":\"string\",\"image\":\"string\",\"labels\":\"string\",\"name\":\"string\"},\"kubernetesInfo\":{\"cluster\":\"string\",\"controllerKind\":\"string\",\"controllerLabels\":\"string\",\"controllerName\":\"string\",\"namespace\":\"string\",\"namespaceLabels\":\"string\",\"node\":\"string\",\"pod\":\"string\",\"podLabels\":\"string\"},\"ruleInfo\":{\"description\":\"string\",\"id\":\"string\",\"name\":\"string\",\"scopeLevel\":\"string\",\"severity\":\"Low\",\"treatAsThreat\":\"UNDEFINED\"},\"sourceParentProcessInfo\":{\"commandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"sourceProcessInfo\":{\"commandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"targetProcessInfo\":{\"tgtFileCreatedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"tgtFileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"tgtFileId\":\"string\",\"tgtFileIsSigned\":\"string\",\"tgtFileModifiedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileOldPath\
":\"string\",\"tgtFilePath\":\"string\",\"tgtProcCmdLine\":\"string\",\"tgtProcImagePath\":\"string\",\"tgtProcIntegrityLevel\":\"unknown\",\"tgtProcName\":\"string\",\"tgtProcPid\":\"12345\",\"tgtProcSignedStatus\":\"string\",\"tgtProcStorylineId\":\"string\",\"tgtProcUid\":\"string\",\"tgtProcessStartTime\":\"2018-02-27T04:49:26.257525Z\"}}", "severity": 21, @@ -661,7 +669,8 @@ An example event for `alert` looks as following: }, "file": { "created": "2018-02-27T04:49:26.257Z", - "mtime": "2018-02-27T04:49:26.257Z" + "mtime": "2018-02-27T04:49:26.257Z", + "path": "string" }, "host": { "ip": [ @@ -756,9 +765,6 @@ An example event for `alert` looks as following: }, "sentinel_one": { "alert": { - "agent": { - "site_id": "123456789123456789" - }, "analyst_verdict": "string", "container": { "info": { @@ -859,6 +865,9 @@ An example event for `alert` looks as following: "start_time": "2018-02-27T04:49:26.257Z" } } + }, + "site": { + "id": "123456789123456789" } }, "source": { @@ -901,7 +910,6 @@ An example event for `alert` looks as following: | sentinel_one.alert.agent.is_decommissioned | Is decommissioned. | boolean | | sentinel_one.alert.agent.machine_type | Machine type. | keyword | | sentinel_one.alert.agent.os.type | OS type. | keyword | -| sentinel_one.alert.agent.site_id | Site id. | keyword | | sentinel_one.alert.analyst_verdict | Analyst verdict. | keyword | | sentinel_one.alert.container.info.labels | Container info labels. | keyword | | sentinel_one.alert.dv_event.id | DV event id. | keyword | @@ -956,6 +964,7 @@ An example event for `alert` looks as following: | sentinel_one.alert.target.process.proc.storyline_id | Target Process StoryLine ID. | keyword | | sentinel_one.alert.target.process.proc.uid | Target Process Unique ID. | keyword | | sentinel_one.alert.target.process.start_time | Target Process Start Time. | date | +| sentinel_one.site.id | | keyword | ### application 
@@ -966,26 +975,26 @@ An example event for `application` looks as following: ```json { - "@timestamp": "2025-09-22T11:37:35.103Z", + "@timestamp": "2025-11-19T10:38:39.090Z", "agent": { - "ephemeral_id": "f3dbcd35-c358-4dc1-af94-eaabf9b235ed", - "id": "5d3eee3a-3182-4b39-8c6c-cb02286bd750", - "name": "elastic-agent-59605", + "ephemeral_id": "800ab008-1e5a-4db6-8e31-cc61875da3d4", + "id": "0d101c1b-0608-4563-bccd-9de1928b614f", + "name": "elastic-agent-14879", "type": "filebeat", - "version": "8.18.7" + "version": "8.19.7" }, "data_stream": { "dataset": "sentinel_one.application", - "namespace": "44982", + "namespace": "83873", "type": "logs" }, "ecs": { "version": "8.17.0" }, "elastic_agent": { - "id": "5d3eee3a-3182-4b39-8c6c-cb02286bd750", - "snapshot": false, - "version": "8.18.7" + "id": "0d101c1b-0608-4563-bccd-9de1928b614f", + "snapshot": true, + "version": "8.19.7" }, "event": { "agent_id_status": "verified", 
@@ -993,14 +1002,20 @@ An example event for `application` looks as following: "package" ], "dataset": "sentinel_one.application", - "ingested": "2025-09-22T11:37:38Z", + "id": "2218357748550497214", + "ingested": "2025-11-19T10:38:42Z", "kind": "event", "original": "{\"accountName\":\"7-Zip\",\"applicationInstallationDate\":\"2025-04-13T10:45:01Z\",\"applicationInstallationPath\":null,\"applicationName\":\"Igor Pavlov\",\"coreCount\":2,\"cpe\":\"cpe:2.3:a:abc:igor:8.17.3:*:*:*:*:*:*:*\",\"cpuCount\":1,\"detectionDate\":\"2025-06-19T18:00:51.166610Z\",\"endpointId\":\"216970508828266268\",\"endpointName\":\"srv-win-defend-03\",\"endpointType\":\"server\",\"endpointUuid\":\"eb655be8be894dae97711ebb9a9091ae\",\"fileSize\":517364,\"groupName\":\"Default Group\",\"id\":\"2218357748550497214\",\"osArch\":\"64 bit\",\"osName\":\"Windows Server 2022 Datacenter\",\"osType\":\"windows\",\"osVersion\":\"Windows Server 2022 Datacenter 20348\",\"siteName\":\"Default site\",\"version\":\"8.17.3\"}", "type": [ "info" ] }, + "group": { + "name": "Default Group" + }, "host": { + "architecture": "64 bit", + "id": "216970508828266268", "name": "srv-win-defend-03", "os": { "full": "Windows Server 2022 Datacenter 20348", @@ -1024,8 +1039,10 @@ An example event for `application` looks as following: ] }, "sentinel_one": { + "account": { + "name": "7-Zip" + }, "application": { - "account_name": "7-Zip", "application_installation_date": "2025-04-13T10:45:01.000Z", "application_name": "Igor Pavlov", "core_count": 2, @@ -1043,8 +1060,10 @@ An example event for `application` looks as following: "os_name": "Windows Server 2022 Datacenter", "os_type": "windows", "os_version": "Windows Server 2022 Datacenter 20348", - "site_name": "Default site", "version": "8.17.3" + }, + "site": { + "name": "Default site" } }, "tags": [ 
@@ -1068,7 +1087,7 @@ An example event for `application` looks as following: | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword | | input.type | Type of filebeat input. | keyword | | log.offset | Log offset. | long | -| sentinel_one.application.account_name | | keyword | +| sentinel_one.account.name | | keyword | | sentinel_one.application.application_installation_date | | date | | sentinel_one.application.application_installation_path | | keyword | | sentinel_one.application.application_name | | keyword | @@ -1091,8 +1110,8 @@ An example event for `application` looks as following: | sentinel_one.application.os_name | | keyword | | sentinel_one.application.os_type | | keyword | | sentinel_one.application.os_version | | keyword | -| sentinel_one.application.site_name | | keyword | | sentinel_one.application.version | | keyword | +| sentinel_one.site.name | | keyword | ### application risk @@ -1105,24 +1124,24 @@ An example event for `application_risk` looks as following: { "@timestamp": "2025-07-29T19:25:47.000Z", "agent": { - "ephemeral_id": "a2feec44-477e-4405-95d0-a4478a26060b", - "id": "4fd69adb-bbe2-4f41-bbee-5673417f7a81", - "name": "elastic-agent-70432", + "ephemeral_id": "519ebcce-3d96-4c5b-a880-3f18b50a195a", + "id": "887e0ce4-9b7b-40e6-ac11-b62380aa2767", + "name": "elastic-agent-11705", "type": "filebeat", - "version": "8.18.7" + "version": "8.19.7" }, "data_stream": { "dataset": "sentinel_one.application_risk", - "namespace": "92576", + "namespace": "55690", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "4fd69adb-bbe2-4f41-bbee-5673417f7a81", - "snapshot": false, - "version": "8.18.7" + "id": "887e0ce4-9b7b-40e6-ac11-b62380aa2767", + "snapshot": true, + "version": "8.19.7" }, "event": { "agent_id_status": "verified", 
@@ -1132,7 +1151,7 @@ An example event for `application_risk` looks as following: "created": "2025-06-02T04:46:51.710Z", "dataset": "sentinel_one.application_risk", "id": "2228104980801805822", - "ingested": "2025-09-22T11:38:28Z", + "ingested": "2025-11-19T10:39:33Z", "kind": "state", "original": "{\"application\":\"7-Zip 22.01\",\"applicationName\":\"7-Zip\",\"applicationVendor\":\"Igor Pavlov\",\"applicationVersion\":\"22.01\",\"baseScore\":\"7.00\",\"cveId\":\"CVE-2025-0411\",\"cvssVersion\":\"3.1\",\"daysDetected\":59,\"detectionDate\":\"2025-06-02T04:46:51.710569Z\",\"endpointId\":\"2162143406517023959\",\"endpointName\":\"test_endpoint\",\"endpointType\":\"desktop\",\"id\":\"2228104980801805822\",\"lastScanDate\":\"2025-07-29T19:25:47Z\",\"lastScanResult\":\"Succeeded\",\"markType\":\"\",\"markedBy\":null,\"markedDate\":null,\"osType\":\"windows\",\"publishedDate\":\"2025-01-20T07:04:04Z\",\"reason\":null,\"severity\":\"HIGH\",\"status\":\"Detected\"}", "outcome": "success", 
@@ -1253,33 +1272,33 @@ An example event for `group` looks as following: { "@timestamp": "2022-04-05T16:01:57.564Z", "agent": { - "ephemeral_id": "19a3b41e-6893-4b82-ae86-4c2e93da02d9", - "id": "14cf6e5d-1727-4dee-a04e-568d68d0491a", - "name": "elastic-agent-16291", + "ephemeral_id": "da92d416-3f7d-47f5-8a18-c844c45a204a", + "id": "8f8db98d-a5de-4e44-9028-92faf7cdb865", + "name": "elastic-agent-24227", "type": "filebeat", - "version": "8.18.7" + "version": "8.19.7" }, "data_stream": { "dataset": "sentinel_one.group", - "namespace": "33426", + "namespace": "64327", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "14cf6e5d-1727-4dee-a04e-568d68d0491a", - "snapshot": false, - "version": "8.18.7" + "id": "8f8db98d-a5de-4e44-9028-92faf7cdb865", + "snapshot": true, + "version": "8.19.7" }, "event": { "agent_id_status": "verified", "category": [ "iam" ], - "created": "2025-09-22T11:39:15.003Z", + "created": "2025-11-19T10:40:29.178Z", "dataset": "sentinel_one.group", - "ingested": "2025-09-22T11:39:17Z", + "ingested": "2025-11-19T10:40:32Z", "kind": "event", "original": "{\"createdAt\":\"2022-04-05T16:01:56.928383Z\",\"creator\":\"Test User\",\"creatorId\":\"1234567890123456789\",\"filterId\":null,\"filterName\":null,\"id\":\"1234567890123456789\",\"inherits\":true,\"isDefault\":true,\"name\":\"Default Group\",\"rank\":null,\"registrationToken\":\"eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=\",\"siteId\":\"1234567890123456789\",\"totalAgents\":1,\"type\":\"static\",\"updatedAt\":\"2022-04-05T16:01:57.564266Z\"}", "type": [ @@ -1310,10 +1329,10 @@ An example event for `group` looks as following: "inherits": true, "is_default": true, "registration_token": "eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=", - "site": { - "id": "1234567890123456789" - }, "type": "static" + }, + "site": { + "id": "1234567890123456789" } }, "tags": [ 
@@ -1353,8 +1372,8 @@ An example event for `group` looks as following: | sentinel_one.group.is_default | | boolean | | sentinel_one.group.rank | | long | | sentinel_one.group.registration_token | | keyword | -| sentinel_one.group.site.id | | keyword | | sentinel_one.group.type | | keyword | +| sentinel_one.site.id | | keyword | ### threat @@ -1367,24 +1386,24 @@ An example event for `threat` looks as following: { "@timestamp": "2022-04-06T08:54:17.194Z", "agent": { - "ephemeral_id": "1128d81b-01bd-4864-808c-5ad00f4c923b", - "id": "bc9ba90f-141f-42b8-ae9a-e8f473cf41f1", - "name": "elastic-agent-63288", + "ephemeral_id": "402c85c2-f3e1-4ef9-97eb-86f207d4ec64", + "id": "9520e44c-407c-4082-a5c6-6dbaea7f4264", + "name": "elastic-agent-36635", "type": "filebeat", - "version": "8.18.7" + "version": "8.19.7" }, "data_stream": { "dataset": "sentinel_one.threat", - "namespace": "26215", + "namespace": "55649", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "bc9ba90f-141f-42b8-ae9a-e8f473cf41f1", - "snapshot": false, - "version": "8.18.7" + "id": "9520e44c-407c-4082-a5c6-6dbaea7f4264", + "snapshot": true, + "version": "8.19.7" }, "event": { "action": "SentinelOne Cloud", 
@@ -1392,16 +1411,23 @@ An example event for `threat` looks as following: "category": [ "malware" ], - "created": "2025-09-22T12:02:37.990Z", + "created": "2025-11-19T10:41:22.249Z", "dataset": "sentinel_one.threat", "id": "1234567890123456789", - "ingested": "2025-09-22T12:02:39Z", + "ingested": "2025-11-19T10:41:23Z", "kind": "alert", "original": "{\"agentDetectionInfo\":{\"accountId\":\"111245567890123456789\",\"accountName\":\"Default2\",\"agentDetectionState\":null,\"agentDomain\":\"WORKGROUP\",\"agentIpV4\":\"127.0.0.1\",\"agentIpV6\":\"2a02:cf40::\",\"agentLastLoggedInUpn\":null,\"agentLastLoggedInUserMail\":null,\"agentLastLoggedInUserName\":\"\",\"agentMitigationMode\":\"protect\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentRegisteredAt\":\"2022-04-08T08:26:45.515278Z\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x\",\"cloudProviders\":{},\"externalIp\":\"81.2.69.143\",\"groupId\":\"1444567890123456789\",\"groupName\":\"Default Group\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\"},\"agentRealtimeInfo\":{\"accountId\":\"1456567890123456789\",\"accountName\":\"Default2\",\"activeThreats\":8,\"agentComputerName\":\"test-LINUX\",\"agentDecommissionedAt\":null,\"agentDomain\":\"WORKGROUP\",\"agentId\":\"1234567890123456789\",\"agentInfected\":true,\"agentIsActive\":true,\"agentIsDecommissioned\":false,\"agentMachineType\":\"server\",\"agentMitigationMode\":\"detect\",\"agentNetworkStatus\":\"connected\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentOsType\":\"linux\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x.1234\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default 
Group\",\"networkInterfaces\":[{\"id\":\"1234567890123456789\",\"inet\":[\"10.0.0.1\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"DE:AD:00:00:BE:EF\"}],\"operationalState\":\"na\",\"rebootRequired\":false,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-09T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-09T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"storageName\":null,\"storageType\":null,\"userActionsNeeded\":[]},\"containerInfo\":{\"id\":null,\"image\":null,\"labels\":null,\"name\":null},\"id\":\"1234567890123456789\",\"indicators\":[],\"kubernetesInfo\":{\"cluster\":null,\"controllerKind\":null,\"controllerLabels\":null,\"controllerName\":null,\"namespace\":null,\"namespaceLabels\":null,\"node\":null,\"pod\":null,\"podLabels\":null},\"mitigationStatus\":[{\"action\":\"unquarantine\",\"actionsCounters\":{\"failed\":0,\"notFound\":0,\"pendingReboot\":0,\"success\":1,\"total\":1},\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:54:17.198002Z\",\"latestReport\":\"/threats/mitigation-report\",\"mitigationEndedAt\":\"2022-04-06T08:54:17.101000Z\",\"mitigationStartedAt\":\"2022-04-06T08:54:17.101000Z\",\"status\":\"success\"},{\"action\":\"kill\",\"actionsCounters\":null,\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:45:55.303355Z\",\"latestReport\":null,\"mitigationEndedAt\":\"2022-04-06T08:45:55.297364Z\",\"mitigationStartedAt\":\"2022-04-06T08:45:55.297363Z\",\"status\":\"success\"}],\"threatInfo\":{\"analystVerdict\":\"undefined\",\"analystVerdictDescription\":\"Undefined\",\"automaticallyResolved\":false,\"browserType\":null,\"certificateId\":\"\",\"classification\":\"Trojan\",\"classificationSource\":\"Cloud\",\"cloudFilesHashVerdict\":\"black\",\"collectionId\":\"1234567890123456789\",\"confidenceLevel\":\"malicious\",\"createdAt\":\"2022-04-06T08:45:54.519988Z\",\"detectio
nEngines\":[{\"key\":\"sentinelone_cloud\",\"title\":\"SentinelOne Cloud\"}],\"detectionType\":\"static\",\"engines\":[\"SentinelOne Cloud\"],\"externalTicketExists\":false,\"externalTicketId\":null,\"failedActions\":false,\"fileExtension\":\"EXE\",\"fileExtensionType\":\"Executable\",\"filePath\":\"default.exe\",\"fileSize\":1234,\"fileVerificationType\":\"NotSigned\",\"identifiedAt\":\"2022-04-06T08:45:53.968000Z\",\"incidentStatus\":\"unresolved\",\"incidentStatusDescription\":\"Unresolved\",\"initiatedBy\":\"agent_policy\",\"initiatedByDescription\":\"Agent Policy\",\"initiatingUserId\":null,\"initiatingUsername\":null,\"isFileless\":false,\"isValidCertificate\":false,\"maliciousProcessArguments\":null,\"md5\":null,\"mitigatedPreemptively\":false,\"mitigationStatus\":\"not_mitigated\",\"mitigationStatusDescription\":\"Not mitigated\",\"originatorProcess\":\"default.exe\",\"pendingActions\":false,\"processUser\":\"test user\",\"publisherName\":\"\",\"reachedEventsLimit\":false,\"rebootRequired\":false,\"sha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"sha256\":null,\"storyline\":\"D0XXXXXXXXXXAF4D\",\"threatId\":\"1234567890123456789\",\"threatName\":\"default.exe\",\"updatedAt\":\"2022-04-06T08:54:17.194122Z\"},\"whiteningOptions\":[\"hash\"]}", "type": [ "info" ] }, + "file": { + "path": "default.exe" + }, + "group": { + "id": "1234567890123456789", + "name": "Default Group" + }, "host": { "domain": "WORKGROUP", "geo": { @@ -1458,11 +1484,17 @@ An example event for `threat` looks as following: ] }, "sentinel_one": { + "account": { + "name": "Default2" + }, + "site": { + "id": "1234567890123456789", + "name": "Default site" + }, "threat": { "agent": { "account": { - "id": "1456567890123456789", - "name": "Default2" + "id": "1456567890123456789" }, "active_threats": 8, "group": { 
@@ -1509,8 +1541,6 @@ An example event for `threat` looks as following: "verdict": "undefined" }, "automatically_resolved": false, - "classification": "Trojan", - "classification_source": "Cloud", "cloudfiles_hash_verdict": "black", "collection": { "id": "1234567890123456789" @@ -1540,10 +1570,6 @@ An example event for `threat` looks as following: "version": "1234" }, "registered_at": "2022-04-08T08:26:45.515Z", - "site": { - "id": "1234567890123456789", - "name": "Default site" - }, "uuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx", "version": "21.x.x" }, @@ -1624,6 +1650,10 @@ An example event for `threat` looks as following: "whitening_option": [ "hash" ] + }, + "threat_classification": { + "name": "Trojan", + "source": "Cloud" } }, "tags": [ @@ -1665,8 +1695,10 @@ An example event for `threat` looks as following: | host.os.codename | OS codename, if any. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | +| sentinel_one.account.name | | keyword | +| sentinel_one.site.id | | keyword | +| sentinel_one.site.name | | keyword | | sentinel_one.threat.agent.account.id | Account id. | keyword | -| sentinel_one.threat.agent.account.name | Account name. | keyword | | sentinel_one.threat.agent.active_threats | Active threats. | long | | sentinel_one.threat.agent.decommissioned_at | Decommissioned at. | boolean | | sentinel_one.threat.agent.group.id | Group id. | keyword | 
@@ -1700,8 +1732,6 @@ An example event for `threat` looks as following:
 | sentinel_one.threat.automatically_resolved | Automatically resolved. | boolean |
 | sentinel_one.threat.browser_type | Browser type. | keyword |
 | sentinel_one.threat.certificate.id | File Certificate ID. | keyword |
-| sentinel_one.threat.classification | Classification of the threat. | keyword |
-| sentinel_one.threat.classification_source | Source of the threat Classification. | keyword |
 | sentinel_one.threat.cloudfiles_hash_verdict | Cloud files hash verdict. | keyword |
 | sentinel_one.threat.collection.id | Collection id. | keyword |
 | sentinel_one.threat.confidence_level | SentinelOne threat confidence level. | keyword |
@@ -1719,8 +1749,6 @@ An example event for `threat` looks as following:
 | sentinel_one.threat.detection.agent.os.name | Orig agent OS name. | keyword |
 | sentinel_one.threat.detection.agent.os.version | Orig agent OS revision. | keyword |
 | sentinel_one.threat.detection.agent.registered_at | Time of first registration to management console. | date |
-| sentinel_one.threat.detection.agent.site.id | Orig site id. | keyword |
-| sentinel_one.threat.detection.agent.site.name | Orig site name. | keyword |
 | sentinel_one.threat.detection.agent.uuid | UUID of the agent. | keyword |
 | sentinel_one.threat.detection.agent.version | Orig agent version. | keyword |
 | sentinel_one.threat.detection.cloud_providers | Cloud providers for this agent. | flattened |
@@ -1784,6 +1812,8 @@ An example event for `threat` looks as following:
 | sentinel_one.threat.storyline | Storyline identifier from agent. | keyword |
 | sentinel_one.threat.threat_id | Threat id. | keyword |
 | sentinel_one.threat.whitening_option | Whitening options. | keyword |
+| sentinel_one.threat_classification.name | | keyword |
+| sentinel_one.threat_classification.source | | keyword |
 
 ### threat event
 
@@ -1796,15 +1826,15 @@ An example event for `threat_event` looks as following: { "@timestamp": "2025-10-22T11:30:00.000Z", "agent": { - "ephemeral_id": "cb480124-a03c-47cc-9451-f52e3e80bc47", - "id": "0d5383c7-da8f-4e33-a9c8-ea303876fbd9", - "name": "elastic-agent-26678", + "ephemeral_id": "b7dae0a8-8a03-4b8a-8bdd-101df93a42af", + "id": "a8992072-5255-4dac-9197-44b16d9ce68b", + "name": "elastic-agent-69444", "type": "filebeat", - "version": "8.18.7" + "version": "8.19.7" }, "data_stream": { "dataset": "sentinel_one.threat_event", - "namespace": "82630", + "namespace": "93680", "type": "logs" }, "destination": { 
@@ -1815,16 +1845,16 @@ An example event for `threat_event` looks as following: "version": "8.17.0" }, "elastic_agent": { - "id": "0d5383c7-da8f-4e33-a9c8-ea303876fbd9", - "snapshot": false, - "version": "8.18.7" + "id": "a8992072-5255-4dac-9197-44b16d9ce68b", + "snapshot": true, + "version": "8.19.7" }, "event": { "agent_id_status": "verified", "created": "2025-10-22T11:30:00.000Z", "dataset": "sentinel_one.threat_event", "id": "id_004", - "ingested": "2025-10-27T07:44:21Z", + "ingested": "2025-11-19T10:42:22Z", "kind": "event", "original": "{\"activeContentFileId\":\"fileid_004\",\"activeContentHash\":\"hash_004\",\"activeContentPath\":\"D:\\\\content\\\\file4\",\"agentDomain\":\"domain4\",\"agentGroupId\":\"group_04\",\"agentId\":\"agent_004\",\"agentInfected\":false,\"agentIp\":\"89.160.20.156\",\"agentIsActive\":true,\"agentIsDecommissioned\":false,\"agentMachineType\":\"x64\",\"agentName\":\"Agent_4\",\"agentNetworkStatus\":\"online\",\"agentOs\":\"Windows 10\",\"agentUuid\":\"uuid_004\",\"agentVersion\":\"1.3.0\",\"connectionStatus\":\"active\",\"createdAt\":\"2025-10-22T11:30:00Z\",\"direction\":\"outbound\",\"dnsRequest\":\"google.com\",\"dnsResponse\":\"8.8.8.8\",\"dstIp\":\"89.160.20.128\",\"dstPort\":443,\"eventType\":\"network\",\"fileFullName\":\"C:\\\\Program Files\\\\Chrome\\\\chrome.exe\",\"fileId\":\"file_004\",\"fileMd5\":\"md5_004\",\"fileSha1\":\"sha1_004\",\"fileSha256\":\"sha256_004\",\"fileSize\":\"4096\",\"fileType\":\"exe\",\"hasActiveContent\":false,\"id\":\"id_004\",\"indicatorCategory\":\"spyware\",\"indicatorDescription\":\"tracking 
software\",\"indicatorMetadata\":\"meta4\",\"indicatorName\":\"Spyware4\",\"loginsBaseType\":\"domain\",\"loginsUserName\":\"user_login4\",\"md5\":\"md5_sample4\",\"networkMethod\":\"GET\",\"networkSource\":\"WAN\",\"networkUrl\":\"https://google.com\",\"objectType\":\"process\",\"oldFileMd5\":\"old_md54\",\"oldFileName\":\"chrome_old.exe\",\"oldFileSha1\":\"old_sha14\",\"oldFileSha256\":\"old_sha2564\",\"parentPid\":\"4001\",\"parentProcessGroupId\":\"group_parent_04\",\"parentProcessIsMalicious\":false,\"parentProcessName\":\"explorer.exe\",\"parentProcessUniqueKey\":\"unique_parent_004\",\"pid\":\"4567\",\"processCmd\":\"chrome.exe --new-tab\",\"processDisplayName\":\"Google Chrome\",\"processGroupId\":\"group_04\",\"processImagePath\":\"C:\\\\Program Files\\\\Chrome\\\\chrome.exe\",\"processImageSha1Hash\":\"sha1_process4\",\"processIntegrityLevel\":\"medium\",\"processIsMalicious\":false,\"processIsRedirectedCommandProcessor\":\"false\",\"processIsWow64\":\"false\",\"processName\":\"chrome.exe\",\"processRoot\":\"C:\\\\\",\"processSessionId\":\"session_004\",\"processStartTime\":\"2025-10-22T11:00:00Z\",\"processSubSystem\":\"subsystem4\",\"processUniqueKey\":\"unique_004\",\"processUserName\":\"user4\",\"protocol\":\"TCP\",\"publisher\":\"Google\",\"registryClassification\":\"application\",\"registryId\":\"reg_004\",\"registryPath\":\"HKCU\\\\Software\\\\Test4\",\"relatedToThreat\":false,\"rpid\":\"rpid_004\",\"sha1\":\"sha1_sample4\",\"sha256\":\"sha256_sample4\",\"signatureSignedInvalidReason\":\"None\",\"signedStatus\":\"Signed\",\"siteId\":\"site_004\",\"siteName\":\"SiteD\",\"srcIp\":\"127.0.0.1\",\"srcPort\":34567,\"storyline\":\"storyline4\",\"taskName\":\"task4\",\"taskPath\":\"C:\\\\Tasks\\\\task4\",\"threatStatus\":\"clean\",\"tid\":\"tid_004\",\"trueContext\":\"context4\",\"user\":\"user4\",\"verifiedStatus\":\"Verified\"}" }, 
@@ -1882,6 +1912,10 @@ An example event for `threat_event` looks as following:
 ]
 },
 "sentinel_one": {
+ "site": {
+ "id": "site_004",
+ "name": "SiteD"
+ },
 "threat_event": {
 "active_content": {
 "file_id": "fileid_004",
@@ -1984,10 +2018,6 @@ An example event for `threat_event` looks as following:
 "sha256": "sha256_sample4",
 "signature_signed_invalid_reason": "None",
 "signed_status": "Signed",
- "site": {
- "id": "site_004",
- "name": "SiteD"
- },
 "src": {
 "ip": "127.0.0.1",
 "port": 34567
@@ -2039,6 +2069,8 @@ An example event for `threat_event` looks as following:
 | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword |
 | input.type | Type of filebeat input. | keyword |
 | log.offset | Log offset. | long |
+| sentinel_one.site.id | | keyword |
+| sentinel_one.site.name | | keyword |
 | sentinel_one.threat_event.active_content.file_id | | keyword |
 | sentinel_one.threat_event.active_content.hash | | keyword |
 | sentinel_one.threat_event.active_content.path | | keyword |
@@ -2120,8 +2152,6 @@ An example event for `threat_event` looks as following:
 | sentinel_one.threat_event.sha256 | | keyword |
 | sentinel_one.threat_event.signature_signed_invalid_reason | | keyword |
 | sentinel_one.threat_event.signed_status | | keyword |
-| sentinel_one.threat_event.site.id | | keyword |
-| sentinel_one.threat_event.site.name | | keyword |
 | sentinel_one.threat_event.src.ip | | ip |
 | sentinel_one.threat_event.src.port | | long |
 | sentinel_one.threat_event.storyline | | keyword |
diff --git a/packages/sentinel_one/elasticsearch/transform/latest_application/fields/fields.yml b/packages/sentinel_one/elasticsearch/transform/latest_application/fields/fields.yml
index 0b1750f3796..33ea32c3bb7 100644
--- a/packages/sentinel_one/elasticsearch/transform/latest_application/fields/fields.yml
+++ b/packages/sentinel_one/elasticsearch/transform/latest_application/fields/fields.yml
@@ -4,8 +4,6 @@
 - name: application
 type: group
 fields:
- - name: account_name
- type: keyword
 - name: application_installation_date
 type: date
 - name: application_installation_path
@@ -50,7 +48,5 @@
 type: keyword
 - name: os_version
 type: keyword
- - name: site_name
- type: keyword
 - name: version
 type: keyword
diff --git a/packages/sentinel_one/elasticsearch/transform/latest_application/fields/unified-fields.yml b/packages/sentinel_one/elasticsearch/transform/latest_application/fields/unified-fields.yml
new file mode 100644
index 00000000000..0487a2705bc
--- /dev/null
+++ b/packages/sentinel_one/elasticsearch/transform/latest_application/fields/unified-fields.yml
@@ -0,0 +1,13 @@
+- name: sentinel_one
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ - name: site
+ type: group
+ fields:
+ - name: name
+ type: keyword
diff --git a/packages/sentinel_one/elasticsearch/transform/latest_threat_event/fields/fields.yml b/packages/sentinel_one/elasticsearch/transform/latest_threat_event/fields/fields.yml
index 6e0f674146a..745a9905087 100644
--- a/packages/sentinel_one/elasticsearch/transform/latest_threat_event/fields/fields.yml
+++ b/packages/sentinel_one/elasticsearch/transform/latest_threat_event/fields/fields.yml
@@ -74,13 +74,6 @@
 type: keyword
 - name: ip
 type: ip
- - name: site
- type: group
- fields:
- - name: id
- type: keyword
- - name: name
- type: keyword
 - name: pid
 type: keyword
 - name: src
diff --git a/packages/sentinel_one/elasticsearch/transform/latest_threat_event/fields/unified-fields.yml b/packages/sentinel_one/elasticsearch/transform/latest_threat_event/fields/unified-fields.yml
new file mode 100644
index 00000000000..631a635794b
--- /dev/null
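Review bot: The new `sentinel_one.account.name` and `sentinel_one.site.name` leaves in `latest_application/fields/unified-fields.yml` carry no `description:`, and the same applies to `site.id`/`site.name` in the `latest_threat_event` `unified-fields.yml` on the next line, so the generated README rows render with an empty description cell (the `| sentinel_one.site.id | | keyword |` rows earlier in this diff already show that). A one-line description per leaf, e.g. `description: Name of the SentinelOne site the record belongs to.`, would make the unified namespace self-explaining for anyone building detections or pivots on it. This file also changes the mapping of the transform's destination index; unless `transform.yml` bumps `fleet_transform_version` elsewhere in this PR, an already-installed `latest_application` destination index would keep its old mapping and the two new fields would only be mapped dynamically, if at all. The application block here defines only `name` under `account` and `site`, whereas the threat_event block also defines `site.id`; if the application data stream emits `sentinel_one.site.id` after this change, carrying it into the latest index would keep site pivoting consistent across streams.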
+++ b/packages/sentinel_one/elasticsearch/transform/latest_threat_event/fields/unified-fields.yml
@@ -0,0 +1,10 @@
+- name: sentinel_one
+ type: group
+ fields:
+ - name: site
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ - name: name
+ type: keyword
diff --git a/packages/sentinel_one/kibana/dashboard/sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538.json b/packages/sentinel_one/kibana/dashboard/sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538.json
index 54ea2048b10..9fbe6113ffd 100644
--- a/packages/sentinel_one/kibana/dashboard/sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538.json
+++ b/packages/sentinel_one/kibana/dashboard/sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538.json
@@ -1339,7 +1339,7 @@
 "size": 10
 },
 "scale": "ordinal",
- "sourceField": "sentinel_one.threat.classification"
+ "sourceField": "sentinel_one.threat_classification.name"
 },
 "92c9fb3d-991c-4c5e-b5e4-f73d60aed93f": {
 "customLabel": true,
diff --git a/packages/sentinel_one/kibana/dashboard/sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538.json b/packages/sentinel_one/kibana/dashboard/sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538.json
index f09b9a11f5b..678cf49e23b 100644
--- a/packages/sentinel_one/kibana/dashboard/sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538.json
+++ b/packages/sentinel_one/kibana/dashboard/sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538.json
@@ -470,7 +470,7 @@
 "size": 10
 },
 "scale": "ordinal",
- "sourceField": "sentinel_one.agent.site.name"
+ "sourceField": "sentinel_one.site.name"
 },
 "ab4aa055-75f5-45bc-8d34-883bc47f771a": {
 "customLabel": true,
diff --git a/packages/sentinel_one/kibana/dashboard/sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538.json b/packages/sentinel_one/kibana/dashboard/sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538.json
index 6ed22e0f948..48f4c7e8c9e 100644
--- a/packages/sentinel_one/kibana/dashboard/sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538.json
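Review bot: The `sourceField` rename to `sentinel_one.threat_classification.name` in dashboard `0dd17490`, like the rename to `sentinel_one.site.name` in `67844880` and the `fieldName`/`sourceField` renames in the `899f2630` hunks on the next line, leaves documents ingested under 1.x unreachable from these panels, since those documents still carry `sentinel_one.threat.classification`, `sentinel_one.agent.site.name`, `sentinel_one.activity.site.id` and `sentinel_one.activity.account.name`. Lens panels and option-list controls simply show no values when the field is absent from the matched indices, so an analyst opening the dashboard after upgrading sees historical threat and site activity disappear without any indication why. That consequence is worth spelling out in the 2.0.0 breaking-change entry (a sentence such as "Dashboards only display data ingested after upgrading to 2.0.0; reindex or use runtime fields for older data."), or mitigated with field aliases on the old names if the package keeps the old mappings around.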
+++ b/packages/sentinel_one/kibana/dashboard/sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538.json
@@ -13,7 +13,7 @@
 "190539a5-7f91-472c-9560-76230cae2e61": {
 "explicitInput": {
 "dataViewId": "logs-*",
- "fieldName": "sentinel_one.activity.site.id",
+ "fieldName": "sentinel_one.site.id",
 "searchTechnique": "prefix",
 "selectedOptions": [],
 "sort": {
@@ -276,7 +276,7 @@
 "size": 10
 },
 "scale": "ordinal",
- "sourceField": "sentinel_one.activity.account.name"
+ "sourceField": "sentinel_one.account.name"
 }
 },
 "incompleteColumns": {}
diff --git a/packages/sentinel_one/manifest.yml b/packages/sentinel_one/manifest.yml
index 55a11dd9519..9643c6ab7c2 100644
--- a/packages/sentinel_one/manifest.yml
+++ b/packages/sentinel_one/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.4.0"
 name: sentinel_one
 title: SentinelOne
-version: "1.43.2"
+version: "2.0.0"
 description: Collect logs from SentinelOne with Elastic Agent.
 type: integration
 categories: