elastic · mohitjha-elastic · Nov 27, 2025 · Nov 10, 2025 · Nov 11, 2025 · Nov 11, 2025
@@ -1,4 +1,14 @@
 # newer versions go on top
+- version: "2.0.0"
+  changes:
+    - description: |
+        Unified the site, account, and threat-classification field structures under the `sentinel_one.*` namespace
+        across all data streams, and removed older fields.
+      type: breaking-change
+      link: https://github.com/elastic/integrations/pull/15931
+    - description: Enhanced the ECS mappings across all data streams.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15931
 - version: "1.43.2"
   changes:
     - description: Do not log expected empty template results as DEGRADED health in agent or group data streams.

@@ -140,10 +140,18 @@ processors:
       field: json.groupId
       target_field: user.group.id
       ignore_missing: true
+  - set:
+      field: group.id
+      copy_from: user.group.id
+      ignore_empty_value: true
   - rename:
       field: json.groupName
       target_field: user.group.name
       ignore_missing: true
+  - set:
+      field: group.name
+      copy_from: user.group.name
+      ignore_empty_value: true
   - rename:
       field: json.accountId
       target_field: sentinel_one.activity.account.id
@@ -154,7 +162,7 @@ processors:
       ignore_missing: true
   - rename:
       field: json.accountName
-      target_field: sentinel_one.activity.account.name
+      target_field: sentinel_one.account.name
       ignore_missing: true
   - rename:
       field: json.agentId
@@ -193,13 +201,17 @@ processors:
       field: json.id
       target_field: sentinel_one.activity.id
       ignore_missing: true
+  - set:
+      field: event.id
+      copy_from: sentinel_one.activity.id
+      ignore_empty_value: true
   - rename:
       field: json.siteId
-      target_field: sentinel_one.activity.site.id
+      target_field: sentinel_one.site.id
       ignore_missing: true
   - rename:
       field: json.siteName
-      target_field: sentinel_one.activity.site.name
+      target_field: sentinel_one.site.name
       ignore_missing: true
   - rename:
       field: json.threatId
@@ -479,11 +491,11 @@ processors:
       ignore_missing: true
   - rename:
       field: json.data.threatClassification
-      target_field: sentinel_one.activity.data.threat.classification.name
+      target_field: sentinel_one.threat_classification.name
       ignore_missing: true
   - rename:
       field: json.data.threatClassificationSource
-      target_field: sentinel_one.activity.data.threat.classification.source
+      target_field: sentinel_one.threat_classification.source
       ignore_missing: true
   - rename:
       field: json.data.globalStatus

@@ -7,9 +7,6 @@
         - name: id
           type: keyword
           description: Related account ID (if applicable).
-        - name: name
-          type: keyword
-          description: Related account name (if applicable).
     - name: agent
       type: group
       fields:
@@ -169,9 +166,6 @@
                 - name: name
                   type: keyword
                   description: Threat classification name.
-                - name: source
-                  type: keyword
-                  description: Threat classification source.
         - name: user
           type: group
           fields:
@@ -198,15 +192,6 @@
     - name: id
       type: keyword
       description: Activity ID.
-    - name: site
-      type: group
-      fields:
-        - name: id
-          type: keyword
-          description: Related site ID (if applicable).
-        - name: name
-          type: keyword
-          description: Related site name (if applicable).
     - name: threat
       type: group
       fields:

@@ -0,0 +1,22 @@
+- name: sentinel_one
+  type: group
+  fields:
+    - name: account
+      type: group
+      fields:
+        - name: name
+          type: keyword
+    - name: site
+      type: group
+      fields:
+        - name: id
+          type: keyword
+        - name: name
+          type: keyword
+    - name: threat_classification
+      type: group
+      fields:
+        - name: name
+          type: keyword
+        - name: source
+          type: keyword
@@ -1,33 +1,34 @@
 {
     "@timestamp": "2022-04-19T05:14:08.925Z",
     "agent": {
-        "ephemeral_id": "10175f71-9c3d-43ea-9326-e2c1fbfed4fa",
-        "id": "9b7ecf1c-5873-4d71-b82a-5ef8d4ac574e",
-        "name": "elastic-agent-48880",
+        "ephemeral_id": "e6b8b354-ed66-48eb-8516-c576417e273c",
+        "id": "7097c76d-ffaf-4c65-9da9-8da760e67c8a",
+        "name": "elastic-agent-98755",
         "type": "filebeat",
-        "version": "8.18.7"
+        "version": "8.19.7"
     },
     "data_stream": {
         "dataset": "sentinel_one.activity",
-        "namespace": "26410",
+        "namespace": "86823",
         "type": "logs"
     },
     "ecs": {
         "version": "8.11.0"
     },
     "elastic_agent": {
-        "id": "9b7ecf1c-5873-4d71-b82a-5ef8d4ac574e",
-        "snapshot": false,
-        "version": "8.18.7"
+        "id": "7097c76d-ffaf-4c65-9da9-8da760e67c8a",
+        "snapshot": true,
+        "version": "8.19.7"
     },
     "event": {
         "agent_id_status": "verified",
         "category": [
             "configuration"
         ],
-        "created": "2025-09-22T11:35:05.641Z",
+        "created": "2025-11-19T10:35:41.122Z",
         "dataset": "sentinel_one.activity",
-        "ingested": "2025-09-22T11:35:08Z",
+        "id": "1234567890123456789",
+        "ingested": "2025-11-19T10:35:44Z",
         "kind": "event",
         "original": "{\"accountId\":\"3214567890123456789\",\"accountName\":\"Default12\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":\"True\",\"createdAt\":\"2022-04-19T05:14:08.925421Z\",\"data\":{\"accountName\":\"Default\",\"byUser\":\"API\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"test/default\",\"groupName\":null,\"newValue\":true,\"role\":\"Level\",\"scopeLevel\":\"Account\",\"scopeName\":\"Default\",\"siteName\":null,\"userScope\":\"account\",\"username\":\"API\"},\"description\":\"API\",\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"The management user API enabled Two factor authentication on the user API.\",\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":null,\"updatedAt\":\"2022-04-18T05:14:08.922553Z\",\"userId\":\"1234567890123456789\"}",
         "type": [
@@ -44,10 +45,12 @@
         ]
     },
     "sentinel_one": {
+        "account": {
+            "name": "Default12"
+        },
         "activity": {
             "account": {
-                "id": "3214567890123456789",
-                "name": "Default12"
+                "id": "3214567890123456789"
             },
             "comments": "True",
             "data": {

@@ -9,6 +9,7 @@
                 "category": [
                     "host"
                 ],
+                "id": "13491234512345",
                 "kind": "event",
                 "original": "{\"accountId\":\"12345123451234512345\",\"accountName\":\"Account Name\",\"activeDirectory\":{\"computerDistinguishedName\":null,\"computerMemberOf\":[],\"lastUserDistinguishedName\":null,\"lastUserMemberOf\":[]},\"activeThreats\":7,\"agentVersion\":\"12.x.x.x\",\"allowRemoteShell\":true,\"appsVulnerabilityStatus\":\"not_applicable\",\"cloudProviders\":{},\"computerName\":\"user-test\",\"consoleMigrationStatus\":\"N/A\",\"coreCount\":2,\"missingPermissions\":[\"user-action-needed-bluetooth-per\",\"user_action_needed_fda\"],\"cpuCount\":2,\"cpuId\":\"CPU Name\",\"createdAt\":\"2022-03-18T09:12:00.519500Z\",\"detectionState\":null,\"domain\":\"WORKGROUP\",\"encryptedApplications\":false,\"externalId\":\"\",\"externalIp\":\"81.2.69.143\",\"firewallEnabled\":true,\"firstFullModeTime\":null,\"groupId\":\"1234567890123456789\",\"groupIp\":\"81.2.69.144\",\"groupName\":\"Default Group\",\"id\":\"13491234512345\",\"inRemoteShellSession\":false,\"infected\":true,\"installerType\":\".msi\",\"isActive\":true,\"isDecommissioned\":false,\"isPendingUninstall\":false,\"isUninstalled\":false,\"isUpToDate\":true,\"lastActiveDate\":\"2022-03-17T09:51:28.506000Z\",\"lastIpToMgmt\":\"81.2.69.145\",\"lastLoggedInUserName\":\"\",\"licenseKey\":\"\",\"locationEnabled\":true,\"locationType\":\"not_applicable\",\"locations\":null,\"machineType\":\"server\",\"mitigationMode\":\"detect\",\"mitigationModeSuspicious\":\"detect\",\"modelName\":\"Compute Engine\",\"networkInterfaces\":[{\"gatewayIp\":\"81.2.69.145\",\"gatewayMacAddress\":\"00-00-5E-00-53-00\",\"id\":\"1234567890123456789\",\"inet\":[\"81.2.69.144\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"00-00-5E-00-53-00\"}],\"networkQuarantineEnabled\":false,\"networkStatus\":\"connected\",\"operationalState\":\"na\",\"operationalStateExpiration\":null,\"osArch\":\"64 bit\",\"osName\":\"Linux Server\",\"osRevision\":\"1234\",\"osStartTime\":\"2022-04-06T08:27:14Z\",\"osType\":\"linux\",\"osUsername\":null,\"rangerStatus\":\"Enabled\",\"rangerVersion\":\"21.x.x.x\",\"registeredAt\":\"2022-04-06T08:26:45.515278Z\",\"remoteProfilingState\":\"disabled\",\"remoteProfilingStateExpiration\":null,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"storageName\":null,\"storageType\":null,\"tags\":{\"sentinelone\":[{\"assignedBy\":\"test-user\",\"assignedAt\":\"2018-02-27T04:49:26.257525Z\",\"key\":\"key123\",\"assignedById\":\"123456789012345678\",\"id\":\"123456789012345678\",\"value\":\"value123\"}]},\"threatRebootRequired\":false,\"totalMemory\":1234,\"updatedAt\":\"2022-04-07T08:31:47.481227Z\",\"userActionsNeeded\":[\"reboot_needed\"],\"uuid\":\"XXX35XXX8Xfb4aX0X1X8X12X343X8X30\"}",
                 "type": [
@@ -20,6 +21,7 @@
                 "name": "Default Group"
             },
             "host": {
+                "architecture": "64 bit",
                 "domain": "WORKGROUP",
                 "geo": {
                     "city_name": "London",
@@ -63,10 +65,12 @@
                 ]
             },
             "sentinel_one": {
+                "account": {
+                    "name": "Account Name"
+                },
                 "agent": {
                     "account": {
-                        "id": "12345123451234512345",
-                        "name": "Account Name"
+                        "id": "12345123451234512345"
                     },
                     "active_threats_count": 7,
                     "agent": {
@@ -146,10 +150,6 @@
                         "started_at": "2022-04-06T08:26:52.838Z",
                         "status": "finished"
                     },
-                    "site": {
-                        "id": "1234567890123456789",
-                        "name": "Default site"
-                    },
                     "tags": [
                         {
                             "assigned_at": "2018-02-27T04:49:26.257Z",
@@ -166,6 +166,10 @@
                         "reboot_needed"
                     ],
                     "uuid": "XXX35XXX8Xfb4aX0X1X8X12X343X8X30"
+                },
+                "site": {
+                    "id": "1234567890123456789",
+                    "name": "Default site"
                 }
             },
             "tags": [

@@ -48,7 +48,7 @@ processors:
       ignore_missing: true
   - rename:
       field: json.accountName
-      target_field: sentinel_one.agent.account.name
+      target_field: sentinel_one.account.name
       ignore_missing: true
   - rename:
       field: json.activeDirectory.computerDistinguishedName
@@ -272,6 +272,10 @@ processors:
       field: json.id
       target_field: sentinel_one.agent.agent.id
       ignore_missing: true
+  - set:
+      field: event.id
+      copy_from: sentinel_one.agent.agent.id
+      ignore_empty_value: true
   - set:
       field: host.id
       copy_from: sentinel_one.agent.agent.id
@@ -611,6 +615,10 @@ processors:
       field: json.osArch
       target_field: sentinel_one.agent.os.arch
       ignore_missing: true
+  - set:
+      field: host.architecture
+      copy_from: sentinel_one.agent.os.arch
+      ignore_empty_value: true
   - rename:
       field: json.osName
       target_field: host.os.name
@@ -734,11 +742,11 @@ processors:
       ignore_missing: true
   - rename:
       field: json.siteId
-      target_field: sentinel_one.agent.site.id
+      target_field: sentinel_one.site.id
       ignore_missing: true
   - rename:
       field: json.siteName
-      target_field: sentinel_one.agent.site.name
+      target_field: sentinel_one.site.name
       ignore_missing: true
   - rename:
       field: json.storageName

@@ -7,9 +7,6 @@
         - name: id
           type: keyword
           description: A reference to the containing account.
-        - name: name
-          type: keyword
-          description: Name of the containing account.
     - name: active_directory
       type: group
       fields:
@@ -269,15 +266,6 @@
         - name: status
           type: keyword
           description: Last scan status.
-    - name: site
-      type: group
-      fields:
-        - name: id
-          type: keyword
-          description: A reference to the containing site.
-        - name: name
-          type: keyword
-          description: Name of the containing site.
     - name: storage
       type: group
       fields:

@@ -0,0 +1,15 @@
+- name: sentinel_one
+  type: group
+  fields:
+    - name: account
+      type: group
+      fields:
+        - name: name
+          type: keyword
+    - name: site
+      type: group
+      fields:
+        - name: id
+          type: keyword
+        - name: name
+          type: keyword