elastic · mohitjha-elastic · Nov 27, 2025 · Nov 10, 2025 · Nov 11, 2025 · Nov 11, 2025
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.43.0"
+  changes:
+    - description: Enhance ECS mappings and unify field structures across all data streams.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15931
 - version: "1.42.0"
   changes:
     - description: Improved input section layout by updating titles to include data stream names.

diff --git a/packages/sentinel_one/data_stream/activity/_dev/test/policy/test-all.expected b/packages/sentinel_one/data_stream/activity/_dev/test/policy/test-all.expected
@@ -9,6 +9,7 @@ inputs:
         - config_version: 2
           cursor:
             last_create_at:
+                ignore_empty_value: true
                 value: '[[.last_event.createdAt]]'
           data_stream:
             dataset: sentinel_one.activity

diff --git a/packages/sentinel_one/data_stream/activity/_dev/test/policy/test-default.expected b/packages/sentinel_one/data_stream/activity/_dev/test/policy/test-default.expected
@@ -9,6 +9,7 @@ inputs:
         - config_version: 2
           cursor:
             last_create_at:
+                ignore_empty_value: true
                 value: '[[.last_event.createdAt]]'
           data_stream:
             dataset: sentinel_one.activity

diff --git a/packages/sentinel_one/data_stream/activity/agent/stream/httpjson.yml.hbs b/packages/sentinel_one/data_stream/activity/agent/stream/httpjson.yml.hbs
@@ -42,6 +42,7 @@ response.pagination:
 cursor:
   last_create_at:
     value: '[[.last_event.createdAt]]'
+    ignore_empty_value: true
 response.split:
   target: body.data
   ignore_empty_value: true

@@ -140,10 +140,18 @@ processors:
       field: json.groupId
       target_field: user.group.id
       ignore_missing: true
+  - set:
+      field: group.id
+      copy_from: user.group.id
+      ignore_empty_value: true
   - rename:
       field: json.groupName
       target_field: user.group.name
       ignore_missing: true
+  - set:
+      field: group.name
+      copy_from: user.group.name
+      ignore_empty_value: true
   - rename:
       field: json.accountId
       target_field: sentinel_one.activity.account.id
@@ -156,6 +164,10 @@ processors:
       field: json.accountName
       target_field: sentinel_one.activity.account.name
       ignore_missing: true
+  - set:
+      field: sentinel_one.account.name
+      copy_from: sentinel_one.activity.account.name
+      ignore_empty_value: true
   - rename:
       field: json.agentId
       target_field: sentinel_one.activity.agent.id
@@ -193,14 +205,26 @@ processors:
       field: json.id
       target_field: sentinel_one.activity.id
       ignore_missing: true
+  - set:
+      field: event.id
+      copy_from: sentinel_one.activity.id
+      ignore_empty_value: true
   - rename:
       field: json.siteId
       target_field: sentinel_one.activity.site.id
       ignore_missing: true
+  - set:
+      field: sentinel_one.site.id
+      copy_from: sentinel_one.activity.site.id
+      ignore_empty_value: true
   - rename:
       field: json.siteName
       target_field: sentinel_one.activity.site.name
       ignore_missing: true
+  - set:
+      field: sentinel_one.site.name
+      copy_from: sentinel_one.activity.site.name
+      ignore_empty_value: true
   - rename:
       field: json.threatId
       target_field: sentinel_one.activity.threat.id
@@ -481,10 +505,18 @@ processors:
       field: json.data.threatClassification
       target_field: sentinel_one.activity.data.threat.classification.name
       ignore_missing: true
+  - set:
+      field: sentinel_one.threat_classification.name
+      copy_from: sentinel_one.activity.data.threat.classification.name
+      ignore_empty_value: true
   - rename:
       field: json.data.threatClassificationSource
       target_field: sentinel_one.activity.data.threat.classification.source
       ignore_missing: true
+  - set:
+      field: sentinel_one.threat_classification.source
+      copy_from: sentinel_one.activity.data.threat.classification.source
+      ignore_empty_value: true
   - rename:
       field: json.data.globalStatus
       target_field: sentinel_one.activity.data.global.status

@@ -0,0 +1,22 @@
+- name: sentinel_one
+  type: group
+  fields:
+    - name: account
+      type: group
+      fields:
+        - name: name
+          type: keyword
+    - name: site
+      type: group
+      fields:
+        - name: id
+          type: keyword
+        - name: name
+          type: keyword
+    - name: threat_classification
+      type: group
+      fields:
+        - name: name
+          type: keyword
+        - name: source
+          type: keyword
@@ -1,33 +1,34 @@
 {
     "@timestamp": "2022-04-19T05:14:08.925Z",
     "agent": {
-        "ephemeral_id": "10175f71-9c3d-43ea-9326-e2c1fbfed4fa",
-        "id": "9b7ecf1c-5873-4d71-b82a-5ef8d4ac574e",
-        "name": "elastic-agent-48880",
+        "ephemeral_id": "e221e3f4-db8f-4c12-b101-6e950d362424",
+        "id": "3ed62b3f-4aa4-4865-8f06-3f89c9856903",
+        "name": "elastic-agent-15508",
         "type": "filebeat",
-        "version": "8.18.7"
+        "version": "8.19.7"
     },
     "data_stream": {
         "dataset": "sentinel_one.activity",
-        "namespace": "26410",
+        "namespace": "68291",
         "type": "logs"
     },
     "ecs": {
         "version": "8.11.0"
     },
     "elastic_agent": {
-        "id": "9b7ecf1c-5873-4d71-b82a-5ef8d4ac574e",
-        "snapshot": false,
-        "version": "8.18.7"
+        "id": "3ed62b3f-4aa4-4865-8f06-3f89c9856903",
+        "snapshot": true,
+        "version": "8.19.7"
     },
     "event": {
         "agent_id_status": "verified",
         "category": [
             "configuration"
         ],
-        "created": "2025-09-22T11:35:05.641Z",
+        "created": "2025-11-11T10:38:27.181Z",
         "dataset": "sentinel_one.activity",
-        "ingested": "2025-09-22T11:35:08Z",
+        "id": "1234567890123456789",
+        "ingested": "2025-11-11T10:38:30Z",
         "kind": "event",
         "original": "{\"accountId\":\"3214567890123456789\",\"accountName\":\"Default12\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":\"True\",\"createdAt\":\"2022-04-19T05:14:08.925421Z\",\"data\":{\"accountName\":\"Default\",\"byUser\":\"API\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"test/default\",\"groupName\":null,\"newValue\":true,\"role\":\"Level\",\"scopeLevel\":\"Account\",\"scopeName\":\"Default\",\"siteName\":null,\"userScope\":\"account\",\"username\":\"API\"},\"description\":\"API\",\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"The management user API enabled Two factor authentication on the user API.\",\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":null,\"updatedAt\":\"2022-04-18T05:14:08.922553Z\",\"userId\":\"1234567890123456789\"}",
         "type": [
@@ -44,6 +45,9 @@
         ]
     },
     "sentinel_one": {
+        "account": {
+            "name": "Default12"
+        },
         "activity": {
             "account": {
                 "id": "3214567890123456789",

@@ -9,6 +9,7 @@
                 "category": [
                     "host"
                 ],
+                "id": "13491234512345",
                 "kind": "event",
                 "original": "{\"accountId\":\"12345123451234512345\",\"accountName\":\"Account Name\",\"activeDirectory\":{\"computerDistinguishedName\":null,\"computerMemberOf\":[],\"lastUserDistinguishedName\":null,\"lastUserMemberOf\":[]},\"activeThreats\":7,\"agentVersion\":\"12.x.x.x\",\"allowRemoteShell\":true,\"appsVulnerabilityStatus\":\"not_applicable\",\"cloudProviders\":{},\"computerName\":\"user-test\",\"consoleMigrationStatus\":\"N/A\",\"coreCount\":2,\"missingPermissions\":[\"user-action-needed-bluetooth-per\",\"user_action_needed_fda\"],\"cpuCount\":2,\"cpuId\":\"CPU Name\",\"createdAt\":\"2022-03-18T09:12:00.519500Z\",\"detectionState\":null,\"domain\":\"WORKGROUP\",\"encryptedApplications\":false,\"externalId\":\"\",\"externalIp\":\"81.2.69.143\",\"firewallEnabled\":true,\"firstFullModeTime\":null,\"groupId\":\"1234567890123456789\",\"groupIp\":\"81.2.69.144\",\"groupName\":\"Default Group\",\"id\":\"13491234512345\",\"inRemoteShellSession\":false,\"infected\":true,\"installerType\":\".msi\",\"isActive\":true,\"isDecommissioned\":false,\"isPendingUninstall\":false,\"isUninstalled\":false,\"isUpToDate\":true,\"lastActiveDate\":\"2022-03-17T09:51:28.506000Z\",\"lastIpToMgmt\":\"81.2.69.145\",\"lastLoggedInUserName\":\"\",\"licenseKey\":\"\",\"locationEnabled\":true,\"locationType\":\"not_applicable\",\"locations\":null,\"machineType\":\"server\",\"mitigationMode\":\"detect\",\"mitigationModeSuspicious\":\"detect\",\"modelName\":\"Compute Engine\",\"networkInterfaces\":[{\"gatewayIp\":\"81.2.69.145\",\"gatewayMacAddress\":\"00-00-5E-00-53-00\",\"id\":\"1234567890123456789\",\"inet\":[\"81.2.69.144\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"00-00-5E-00-53-00\"}],\"networkQuarantineEnabled\":false,\"networkStatus\":\"connected\",\"operationalState\":\"na\",\"operationalStateExpiration\":null,\"osArch\":\"64 bit\",\"osName\":\"Linux Server\",\"osRevision\":\"1234\",\"osStartTime\":\"2022-04-06T08:27:14Z\",\"osType\":\"linux\",\"osUsername\":null,\"rangerStatus\":\"Enabled\",\"rangerVersion\":\"21.x.x.x\",\"registeredAt\":\"2022-04-06T08:26:45.515278Z\",\"remoteProfilingState\":\"disabled\",\"remoteProfilingStateExpiration\":null,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"storageName\":null,\"storageType\":null,\"tags\":{\"sentinelone\":[{\"assignedBy\":\"test-user\",\"assignedAt\":\"2018-02-27T04:49:26.257525Z\",\"key\":\"key123\",\"assignedById\":\"123456789012345678\",\"id\":\"123456789012345678\",\"value\":\"value123\"}]},\"threatRebootRequired\":false,\"totalMemory\":1234,\"updatedAt\":\"2022-04-07T08:31:47.481227Z\",\"userActionsNeeded\":[\"reboot_needed\"],\"uuid\":\"XXX35XXX8Xfb4aX0X1X8X12X343X8X30\"}",
                 "type": [
@@ -20,6 +21,7 @@
                 "name": "Default Group"
             },
             "host": {
+                "architecture": "64 bit",
                 "domain": "WORKGROUP",
                 "geo": {
                     "city_name": "London",
@@ -63,6 +65,9 @@
                 ]
             },
             "sentinel_one": {
+                "account": {
+                    "name": "Account Name"
+                },
                 "agent": {
                     "account": {
                         "id": "12345123451234512345",
@@ -166,6 +171,10 @@
                         "reboot_needed"
                     ],
                     "uuid": "XXX35XXX8Xfb4aX0X1X8X12X343X8X30"
+                },
+                "site": {
+                    "id": "1234567890123456789",
+                    "name": "Default site"
                 }
             },
             "tags": [

diff --git a/packages/sentinel_one/data_stream/agent/_dev/test/policy/test-all.expected b/packages/sentinel_one/data_stream/agent/_dev/test/policy/test-all.expected
@@ -9,6 +9,7 @@ inputs:
         - config_version: 2
           cursor:
             last_update_at:
+                ignore_empty_value: true
                 value: '[[.last_event.updatedAt]]'
           data_stream:
             dataset: sentinel_one.agent

diff --git a/packages/sentinel_one/data_stream/agent/_dev/test/policy/test-default.expected b/packages/sentinel_one/data_stream/agent/_dev/test/policy/test-default.expected
@@ -9,6 +9,7 @@ inputs:
         - config_version: 2
           cursor:
             last_update_at:
+                ignore_empty_value: true
                 value: '[[.last_event.updatedAt]]'
           data_stream:
             dataset: sentinel_one.agent

diff --git a/packages/sentinel_one/data_stream/agent/agent/stream/httpjson.yml.hbs b/packages/sentinel_one/data_stream/agent/agent/stream/httpjson.yml.hbs
@@ -42,6 +42,7 @@ response.pagination:
 cursor:
   last_update_at:
     value: '[[.last_event.updatedAt]]'
+    ignore_empty_value: true
 response.split:
   target: body.data
   ignore_empty_value: true

@@ -50,6 +50,10 @@ processors:
       field: json.accountName
       target_field: sentinel_one.agent.account.name
       ignore_missing: true
+  - set:
+      field: sentinel_one.account.name
+      copy_from: sentinel_one.agent.account.name
+      ignore_empty_value: true
   - rename:
       field: json.activeDirectory.computerDistinguishedName
       target_field: sentinel_one.agent.active_directory.computer.name
@@ -272,6 +276,10 @@ processors:
       field: json.id
       target_field: sentinel_one.agent.agent.id
       ignore_missing: true
+  - set:
+      field: event.id
+      copy_from: sentinel_one.agent.agent.id
+      ignore_empty_value: true
   - set:
       field: host.id
       copy_from: sentinel_one.agent.agent.id
@@ -611,6 +619,10 @@ processors:
       field: json.osArch
       target_field: sentinel_one.agent.os.arch
       ignore_missing: true
+  - set:
+      field: host.architecture
+      copy_from: sentinel_one.agent.os.arch
+      ignore_empty_value: true
   - rename:
       field: json.osName
       target_field: host.os.name
@@ -736,10 +748,18 @@ processors:
       field: json.siteId
       target_field: sentinel_one.agent.site.id
       ignore_missing: true
+  - set:
+      field: sentinel_one.site.id
+      copy_from: sentinel_one.agent.site.id
+      ignore_empty_value: true
   - rename:
       field: json.siteName
       target_field: sentinel_one.agent.site.name
       ignore_missing: true
+  - set:
+      field: sentinel_one.site.name
+      copy_from: sentinel_one.agent.site.name
+      ignore_empty_value: true
   - rename:
       field: json.storageName
       target_field: sentinel_one.agent.storage.name

@@ -0,0 +1,15 @@
+- name: sentinel_one
+  type: group
+  fields:
+    - name: account
+      type: group
+      fields:
+        - name: name
+          type: keyword
+    - name: site
+      type: group
+      fields:
+        - name: id
+          type: keyword
+        - name: name
+          type: keyword
@@ -1,33 +1,34 @@
 {
     "@timestamp": "2022-04-07T08:31:47.481Z",
     "agent": {
-        "ephemeral_id": "e30ba73f-f169-4f6a-868b-79481d37c732",
-        "id": "e8901d6d-1c15-41f6-acf8-046dbbd754ce",
-        "name": "elastic-agent-22310",
+        "ephemeral_id": "8ede3676-50f4-4125-8a8e-d75daef6cd2c",
+        "id": "566a386d-cce5-401d-a55a-1f618760f004",
+        "name": "elastic-agent-23551",
         "type": "filebeat",
-        "version": "8.18.7"
+        "version": "8.19.7"
     },
     "data_stream": {
         "dataset": "sentinel_one.agent",
-        "namespace": "13010",
+        "namespace": "54654",
         "type": "logs"
     },
     "ecs": {
         "version": "8.11.0"
     },
     "elastic_agent": {
-        "id": "e8901d6d-1c15-41f6-acf8-046dbbd754ce",
-        "snapshot": false,
-        "version": "8.18.7"
+        "id": "566a386d-cce5-401d-a55a-1f618760f004",
+        "snapshot": true,
+        "version": "8.19.7"
     },
     "event": {
         "agent_id_status": "verified",
         "category": [
             "host"
         ],
-        "created": "2025-09-22T11:35:56.007Z",
+        "created": "2025-11-11T10:31:58.670Z",
         "dataset": "sentinel_one.agent",
-        "ingested": "2025-09-22T11:35:59Z",
+        "id": "13491234512345",
+        "ingested": "2025-11-11T10:32:01Z",
         "kind": "event",
         "original": "{\"accountId\":\"892341123451234512345\",\"accountName\":\"ABC\",\"activeDirectory\":{\"computerDistinguishedName\":null,\"computerMemberOf\":[],\"lastUserDistinguishedName\":null,\"lastUserMemberOf\":[]},\"activeThreats\":7,\"agentVersion\":\"12.x.x.x\",\"allowRemoteShell\":true,\"appsVulnerabilityStatus\":\"not_applicable\",\"cloudProviders\":{},\"computerName\":\"user-test\",\"consoleMigrationStatus\":\"N/A\",\"coreCount\":2,\"cpuCount\":2,\"cpuId\":\"CPU Name\",\"createdAt\":\"2022-03-18T09:12:00.519500Z\",\"detectionState\":null,\"domain\":\"WORKGROUP\",\"encryptedApplications\":false,\"externalId\":\"\",\"externalIp\":\"81.2.69.143\",\"firewallEnabled\":true,\"firstFullModeTime\":null,\"groupId\":\"1234567890123456789\",\"groupIp\":\"81.2.69.144\",\"groupName\":\"Default Group\",\"id\":\"13491234512345\",\"inRemoteShellSession\":false,\"infected\":true,\"installerType\":\".msi\",\"isActive\":true,\"isDecommissioned\":false,\"isPendingUninstall\":false,\"isUninstalled\":false,\"isUpToDate\":true,\"lastActiveDate\":\"2022-03-17T09:51:28.506000Z\",\"lastIpToMgmt\":\"81.2.69.145\",\"lastLoggedInUserName\":\"\",\"licenseKey\":\"\",\"locationEnabled\":true,\"locationType\":\"not_applicable\",\"locations\":null,\"machineType\":\"server\",\"missingPermissions\":[\"user-action-needed-bluetooth-per\",\"user_action_needed_fda\"],\"mitigationMode\":\"detect\",\"mitigationModeSuspicious\":\"detect\",\"modelName\":\"Compute Engine\",\"networkInterfaces\":[{\"gatewayIp\":\"81.2.69.145\",\"gatewayMacAddress\":\"00-00-5E-00-53-00\",\"id\":\"1234567890123456789\",\"inet\":[\"81.2.69.144\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"00-00-5E-00-53-00\"}],\"networkQuarantineEnabled\":false,\"networkStatus\":\"connected\",\"operationalState\":\"na\",\"operationalStateExpiration\":null,\"osArch\":\"64 bit\",\"osName\":\"Linux Server\",\"osRevision\":\"1234\",\"osStartTime\":\"2022-04-06T08:27:14Z\",\"osType\":\"linux\",\"osUsername\":null,\"rangerStatus\":\"Enabled\",\"rangerVersion\":\"21.x.x.x\",\"registeredAt\":\"2022-04-06T08:26:45.515278Z\",\"remoteProfilingState\":\"disabled\",\"remoteProfilingStateExpiration\":null,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"storageName\":null,\"storageType\":null,\"tags\":{\"sentinelone\":[{\"assignedAt\":\"2018-02-27T04:49:26.257525Z\",\"assignedBy\":\"test-user\",\"assignedById\":\"123456789012345678\",\"id\":\"123456789012345678\",\"key\":\"key123\",\"value\":\"value123\"}]},\"threatRebootRequired\":false,\"totalMemory\":1234,\"updatedAt\":\"2022-04-07T08:31:47.481227Z\",\"userActionsNeeded\":[\"reboot_needed\"],\"uuid\":\"XXX35XXX8Xfb4aX0X1X8X12X343X8X30\"}",
         "type": [
@@ -39,6 +40,7 @@
         "name": "Default Group"
     },
     "host": {
+        "architecture": "64 bit",
         "domain": "WORKGROUP",
         "geo": {
             "city_name": "London",
@@ -85,6 +87,9 @@
         ]
     },
     "sentinel_one": {
+        "account": {
+            "name": "ABC"
+        },
         "agent": {
             "account": {
                 "id": "892341123451234512345",
@@ -188,6 +193,10 @@
                 "reboot_needed"
             ],
             "uuid": "XXX35XXX8Xfb4aX0X1X8X12X343X8X30"
+        },
+        "site": {
+            "id": "1234567890123456789",
+            "name": "Default site"
         }
     },
     "tags": [