Collect SentinelOne EDR logs
This document describes how you can collect SentinelOne EDR logs by setting up a Google Security Operations feed.
For more information, see Data ingestion to Google Security Operations.
An ingestion label identifies the parser which normalizes raw log data
to structured UDM format. The information in this document applies to the parser
with the SENTINEL_EDR
ingestion label.
Configure SentinelOne EDR
- Sign in to the Device Management console with the viewer account.
- Select User Name > My User.
- In the dialog, click Generate API Token.
- Copy and save the API token.
Configure a feed in Google Security Operations to ingest SentinelOne EDR logs
- Go to SIEM Settings > Feeds.
- Click Add New.
- Enter a unique name for the Field Name.
- Select Google Cloud Storage as the Source Type.
- Select SentinelOne EDR as the Log Type.
- Click Get a Service Account. Google Security Operations provides a unique service account that Google Security Operations uses to ingest data.
- Configure access for the service account to access the Cloud Storage objects. For more information, see Grant access to the Google Security Operations service account.
- Click Next.
- Configure the following mandatory input parameters:
- Storage bucket URI
- URI is a
- Source deletion option
- Click Next and then click Submit.
For more information about Google Security Operations feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type.
If you encounter issues when you create feeds, contact Google Security Operations support.
Field mapping reference
This parser extracts SentinelOne EDR logs, transforms them into UDM, and handles both legacy and Cloud Funnel (v1 and v2) formats. It performs extensive field mapping, including network connections, process events, file and registry activities, scheduled tasks, and threat intelligence indicators, leveraging conditional logic based on event types and data sources. The parser also handles MITRE ATT&CK framework mapping and various data normalization tasks like timestamp conversion and string manipulation.
SentinelOne Parser UDM Mapping
Log Field | UDM Mapping | Logic |
---|---|---|
@timestamp |
metadata.event_timestamp |
The timestamp of the event as recorded by SentinelOne. Parsed from the @timestamp field in the raw log. |
agentDetectionInfo.accountId |
metadata.product_deployment_id |
The ID of the account in SentinelOne. |
agentDetectionInfo.accountName |
principal.administrative_domain |
The name of the account in SentinelOne. |
agentDetectionInfo.agentDomain |
principal.administrative_domain |
The domain of the agent. |
agentDetectionInfo.agentIpV4 |
principal.ip , principal.asset.ip |
The IPv4 address of the agent. |
agentDetectionInfo.agentLastLoggedInUserName |
principal.user.user_display_name |
The username of the last logged-in user on the agent. |
agentDetectionInfo.agentMachineType |
principal.asset.machine_type |
The type of machine the agent is installed on (e.g., desktop, server, laptop). |
agentDetectionInfo.agentMitigationMode |
N/A | The mitigation mode of the agent. Not mapped to UDM. |
agentDetectionInfo.agentNetworkStatus |
N/A | The network status of the agent. Not mapped to UDM. |
agentDetectionInfo.agentOsName |
principal.asset.platform_software.platform |
The operating system name of the agent. |
agentDetectionInfo.agentOsRevision |
principal.asset.platform_software.platform_version |
The operating system revision of the agent. |
agentDetectionInfo.agentRegisteredAt |
principal.asset.first_discover_time |
The timestamp when the agent was registered. |
agentDetectionInfo.agentUuid |
principal.asset.asset_id , principal.asset.product_object_id |
The UUID of the agent. Formatted as "Device ID: {uuid}". |
agentDetectionInfo.agentVersion |
metadata.product_version |
The version of the SentinelOne agent. |
agentDetectionInfo.externalIp |
principal.ip , principal.asset.ip |
The external IP address of the agent. |
agentDetectionInfo.groupId |
principal.user.group_identifiers |
The ID of the group the agent belongs to. |
agentDetectionInfo.groupName |
principal.group.group_display_name |
The name of the group the agent belongs to. |
agentDetectionInfo.siteId |
principal.namespace |
The ID of the site the agent belongs to. |
agentDetectionInfo.siteName |
principal.location.name |
The name of the site the agent belongs to. |
agentRealtimeInfo.accountId |
metadata.product_deployment_id |
The ID of the account in SentinelOne. |
agentRealtimeInfo.accountName |
principal.administrative_domain |
The name of the account in SentinelOne. |
agentRealtimeInfo.activeThreats |
N/A | The number of active threats on the agent. Not mapped to UDM. |
agentRealtimeInfo.agentComputerName |
principal.hostname , principal.asset.hostname |
The hostname of the agent's computer. |
agentRealtimeInfo.agentDecommissionedAt |
N/A | Indicates if the agent is decommissioned. Not mapped to UDM. |
agentRealtimeInfo.agentDomain |
principal.administrative_domain |
The domain of the agent. |
agentRealtimeInfo.agentId |
N/A | The ID of the agent. Not mapped to UDM. |
agentRealtimeInfo.agentInfected |
N/A | Indicates if the agent is infected. Not mapped to UDM. |
agentRealtimeInfo.agentIsActive |
N/A | Indicates if the agent is active. Not mapped to UDM. |
agentRealtimeInfo.agentIsDecommissioned |
N/A | Indicates if the agent is decommissioned. Not mapped to UDM. |
agentRealtimeInfo.agentMachineType |
principal.asset.machine_type |
The type of machine the agent is installed on (e.g., desktop, server, laptop). |
agentRealtimeInfo.agentMitigationMode |
N/A | The mitigation mode of the agent. Not mapped to UDM. |
agentRealtimeInfo.agentNetworkStatus |
N/A | The network status of the agent. Not mapped to UDM. |
agentRealtimeInfo.agentOsName |
principal.asset.platform_software.platform |
The operating system name of the agent. |
agentRealtimeInfo.agentOsRevision |
principal.asset.platform_software.platform_version |
The operating system revision of the agent. |
agentRealtimeInfo.agentOsType |
principal.platform |
The operating system type of the agent. |
agentRealtimeInfo.agentUuid |
principal.asset.asset_id , principal.asset.product_object_id |
The UUID of the agent. Formatted as "Device ID: {uuid}". |
agentRealtimeInfo.agentVersion |
metadata.product_version |
The version of the SentinelOne agent. |
agentRealtimeInfo.groupId |
principal.user.group_identifiers |
The ID of the group the agent belongs to. |
agentRealtimeInfo.groupName |
principal.group.group_display_name |
The name of the group the agent belongs to. |
agentRealtimeInfo.networkInterfaces |
principal.ip , principal.asset.ip , principal.mac |
Network interface information, including IP addresses and MAC addresses. |
agentRealtimeInfo.operationalState |
N/A | The operational state of the agent. Not mapped to UDM. |
agentRealtimeInfo.rebootRequired |
N/A | Indicates if a reboot is required. Not mapped to UDM. |
agentRealtimeInfo.scanAbortedAt |
N/A | The timestamp when a scan was aborted. Not mapped to UDM. |
agentRealtimeInfo.scanFinishedAt |
N/A | The timestamp when a scan finished. Not mapped to UDM. |
agentRealtimeInfo.scanStartedAt |
N/A | The timestamp when a scan started. Not mapped to UDM. |
agentRealtimeInfo.scanStatus |
N/A | The status of a scan. Not mapped to UDM. |
agentRealtimeInfo.siteId |
principal.namespace |
The ID of the site the agent belongs to. |
agentRealtimeInfo.siteName |
principal.location.name |
The name of the site the agent belongs to. |
agentRealtimeInfo.storageName |
N/A | The storage name. Not mapped to UDM. |
agentRealtimeInfo.storageType |
N/A | The storage type. Not mapped to UDM. |
agentRealtimeInfo.userActionsNeeded |
N/A | User actions needed. Not mapped to UDM. |
batch.customer_id |
N/A | The customer ID. Not mapped to UDM. |
batch.collector_id |
N/A | The collector ID. Not mapped to UDM. |
batch.type |
metadata.log_type |
The type of the batch. |
collection_time |
metadata.collected_timestamp |
The time when the log was collected. |
create_time |
metadata.event_timestamp |
The time when the event was created. |
data |
(Various) | The main data payload of the SentinelOne event. Fields within this object are mapped to various UDM fields depending on the event type. |
event.activityType |
N/A | The type of activity. Not mapped to UDM. |
event.agentId |
metadata.product_deployment_id |
The ID of the agent. |
event.agentUpdatedVersion |
N/A | The updated version of the agent. Not mapped to UDM. |
event.comments |
N/A | Comments associated with the event. Not mapped to UDM. |
event.createdAt |
metadata.event_timestamp |
The time when the event was created. |
event.data |
(Various) | Data associated with the event. Fields within this object are mapped to various UDM fields depending on the event type. |
event.description |
metadata.product_event_type |
The description of the event. |
event.destinationAddress.address |
target.ip |
The IP address of the destination. |
event.destinationAddress.port |
target.port |
The port of the destination. |
event.direction |
network.direction |
The direction of the network connection. Mapped to "INBOUND" or "OUTBOUND". |
event.executable.commandLine |
principal.process.command_line , target.process.command_line |
The command line of the executable. |
event.executable.creationTime.millisecondsSinceEpoch |
N/A | The creation time of the executable. Not mapped to UDM. |
event.executable.full_path |
principal.process.file.full_path , target.process.file.full_path |
The full path of the executable. |
event.executable.hashes.md5 |
principal.process.file.md5 , target.process.file.md5 |
The MD5 hash of the executable. |
event.executable.hashes.sha1 |
principal.process.file.sha1 , target.process.file.sha1 |
The SHA1 hash of the executable. |
event.executable.hashes.sha256 |
principal.process.file.sha256 , target.process.file.sha256 |
The SHA256 hash of the executable. |
event.executable.isDir |
N/A | Indicates if the executable is a directory. Not mapped to UDM. |
event.executable.isKernelModule |
N/A | Indicates if the executable is a kernel module. Not mapped to UDM. |
event.executable.name |
N/A | The name of the executable. Not mapped to UDM. |
event.executable.node.key.value |
N/A | The node key value of the executable. Not mapped to UDM. |
event.executable.owner.name |
N/A | The owner name of the executable. Not mapped to UDM. |
event.executable.owner.sid |
N/A | The owner SID of the executable. Not mapped to UDM. |
event.executable.pUnix |
N/A | The pUnix value of the executable. Not mapped to UDM. |
event.executable.signature.signed.identity |
principal.resource.attribute.labels , target.resource.attribute.labels |
The identity of the signed executable. Formatted as "Source Signature Signed Identity: {identity}". |
event.executable.signature.signed.valid |
N/A | Indicates if the signature is valid. Not mapped to UDM. |
event.executable.signature.unsigned |
N/A | Indicates if the executable is unsigned. Not mapped to UDM. |
event.executable.sizeBytes |
principal.process.file.size , target.process.file.size |
The size of the executable in bytes. |
event.excluded |
N/A | Indicates if the event is excluded. Not mapped to UDM. |
event.file.creationTime.millisecondsSinceEpoch |
N/A | The creation time of the file. Not mapped to UDM. |
event.file.full_path |
target.file.full_path |
The full path of the file. |
event.file.hashes.md5 |
target.process.file.md5 |
The MD5 hash of the file. |
event.file.hashes.sha1 |
target.process.file.sha1 |
The SHA1 hash of the file. |
event.file.hashes.sha256 |
target.process.file.sha256 |
The SHA256 hash of the file. |
event.file.isDir |
N/A | Indicates if the file is a directory. Not mapped to UDM. |
event.file.isKernelModule |
N/A | Indicates if the file is a kernel module. Not mapped to UDM. |
event.file.node.key.value |
N/A | The node key value of the file. Not mapped to UDM. |
event.file.owner.name |
N/A | The owner name of the file. Not mapped to UDM. |
event.file.owner.sid |
N/A | The owner SID of the file. Not mapped to UDM. |
event.file.pUnix |
N/A | The pUnix value of the file. Not mapped to UDM. |
event.file.signature.unsigned |
N/A | Indicates if the file is unsigned. Not mapped to UDM. |
event.file.sizeBytes |
N/A | The size of the file in bytes. Not mapped to UDM. |
event.fullPid.pid |
principal.process.pid , target.process.pid |
The process ID. |
event.fullPid.startTime.millisecondsSinceEpoch |
N/A | The start time of the process. Not mapped to UDM. |
event.hashes.md5 |
target.file.md5 |
The MD5 hash. |
event.hashes.sha1 |
target.file.sha1 |
The SHA1 hash. |
event.hashes.sha256 |
target.file.sha256 |
The SHA256 hash. |
event.id |
metadata.product_log_id |
The event ID. |
event.interactive |
N/A | Indicates if the event is interactive. Not mapped to UDM. |
event.isRedirectedCommandProcessor |
N/A | Indicates if the event is a redirected command processor. Not mapped to UDM. |
event.isWow64 |
N/A | Indicates if the event is WoW64. Not mapped to UDM. |
event.method |
network.http.method |
The HTTP method. |
event.name |
N/A | The name of the event. Not mapped to UDM. |
event.node.key.value |
N/A | The node key value of the event. Not mapped to UDM. |
event.oldHashes.md5 |
N/A | The old MD5 hash. Not mapped to UDM. |
event.oldHashes.sha1 |
N/A | The old SHA1 hash. Not mapped to UDM. |
event.oldHashes.sha256 |
N/A | The old SHA256 hash. Not mapped to UDM. |
event.parent.commandLine |
principal.process.parent_process.command_line , target.process.parent_process.command_line |
The command line of the parent process. |
event.parent.excluded |
N/A | Indicates if the parent event is excluded. Not mapped to UDM. |
event.parent.executable.creationTime.millisecondsSinceEpoch |
N/A | The creation time of the parent executable. Not mapped to UDM. |
event.parent.executable.full_path |
principal.process.parent_process.file.full_path , target.process.parent_process.file.full_path |
The full path of the parent executable. |
event.parent.executable.hashes.md5 |
principal.process.parent_process.file.md5 , target.process.parent_process.file.md5 |
The MD5 hash of the parent executable. |
event.parent.executable.hashes.sha1 |
principal.process.parent_process.file.sha1 , target.process.parent_process.file.sha1 |
The SHA1 hash of the parent executable. |
event.parent.executable.hashes.sha256 |
principal.process.parent_process.file.sha256 , target.process.parent_process.file.sha256 |
The SHA256 hash of the parent executable. |
event.parent.executable.isDir |
N/A | Indicates if the parent executable is a directory. Not mapped to UDM. |
event.parent.executable.isKernelModule |
N/A | Indicates if the parent executable is a kernel module. Not mapped to UDM. |
event.parent.executable.node.key.value |
N/A | The node key value of the parent executable. Not mapped to UDM. |
event.parent.executable.owner.name |
N/A | The owner name of the parent executable. Not mapped to UDM. |
event.parent.executable.owner.sid |
N/A | The owner SID of the parent executable. Not mapped to UDM. |
event.parent.executable.pUnix |
N/A | The pUnix value of the parent executable. Not mapped to UDM. |
event.parent.executable.signature.signed.identity |
principal.resource.attribute.labels , target.resource.attribute.labels |
The identity of the signed parent executable. Formatted as "Source Parent Signature Signed Identity: {identity}". |
event.parent.executable.signature.signed.valid |
N/A | Indicates if the parent signature is valid. Not mapped to UDM. |
event.parent.executable.signature.unsigned |
N/A | Indicates if the parent executable is unsigned. Not mapped to UDM. |
event.parent.executable.sizeBytes |
principal.process.parent_process.file.size , target.process.parent_process.file.size |
The size of the parent executable in bytes. |
event.parent.fullPid.pid |
principal.process.parent_process.pid , target.process.parent_process.pid |
The parent process ID. |
event.parent.fullPid.startTime.millisecondsSinceEpoch |
N/A | The start time of the parent process. Not mapped to UDM. |
event.parent.interactive |
N/A | Indicates if the parent event is interactive. Not mapped to UDM. |
event.parent.isRedirectedCommandProcessor |
N/A | Indicates if the parent event is a redirected command processor. Not mapped to UDM. |
event.parent.isWow64 |
N/A | Indicates if the parent event is WoW64. Not mapped to UDM. |
event.parent.name |
N/A | The name of the parent event. Not mapped to UDM. |
event.parent.node.key.value |
N/A | The node key value of the parent event. Not mapped to UDM. |
event.parent.root |
N/A | Indicates if the parent event is root. Not mapped to UDM. |
event.parent.sessionId |
N/A | The session ID of the parent event. Not mapped to UDM. |
event.parent.subsystem |
N/A | The subsystem of the parent event. Not mapped to UDM. |
event.parent.trueContext.key.value |
N/A | The true context key value of the parent event. Not mapped to UDM. |
event.parent.user.integrityLevel |
N/A | The integrity level of the parent user. Not mapped to UDM. |
event.parent.user.name |
principal.user.userid |
The username of the parent process. |
event.parent.user.sid |
principal.user.windows_sid |
The Windows SID of the parent user. |
event.process.commandLine |
target.process.command_line |
The command line of the process. |
event.process.executable.creationTime.millisecondsSinceEpoch |
N/A | The creation time of the process executable. Not mapped to UDM. |
event.process.executable.full_path |
target.process.file.full_path |
The full path of the process executable. |
event.process.executable.hashes.md5 |
target.process.file.md5 |
The MD5 hash of the process executable. |
event.process.executable.hashes.sha1 |
target.process.file.sha1 |
The SHA1 hash of the process executable. |
event.process.executable.hashes.sha256 |
target.process.file.sha256 |
The SHA256 hash of the process executable. |
event.process.executable.isDir |
N/A | Indicates if the process executable is a directory. Not mapped to UDM. |
event.process.executable.isKernelModule |
N/A | Indicates if the process executable is a kernel module. Not mapped to UDM. |
event.process.executable.node.key.value |
N/A | The node key value of the process executable. Not mapped to UDM. |
event.process.executable.owner.name |
N/A | The owner name of the process executable. Not mapped to UDM. |
event.process.executable.owner.sid |
N/A | The owner SID of the process executable. Not mapped to UDM. |
event.process.executable.pUnix |
N/A | The pUnix value of the process executable. Not mapped to UDM. |
event.process.executable.signature.unsigned |
N/A | Indicates if the process executable is unsigned. Not mapped to UDM. |
event.process.executable.sizeBytes |
target.process.file.size |
The size of the process executable in bytes. |
event.process.excluded |
N/A | Indicates if the process is excluded. Not mapped to UDM. |
event.process.fullPid.pid |
target.process.pid |
The process ID. |
event.process.fullPid.startTime.millisecondsSinceEpoch |
N/A | The start time of the process. Not mapped to UDM. |
event.process.interactive |
N/A | Indicates if the process is interactive. Not mapped to UDM. |
event.process.isRedirectedCommandProcessor |
N/A | Indicates if the process is a redirected command processor. Not mapped to UDM. |
event.process.isWow64 |
N/A | Indicates if the process is WoW64. Not mapped to UDM. |
event.process.name |
N/A | The name of the process. Not mapped to UDM. |
event.process.node.key.value |
N/A | The node key value of the process. Not mapped to UDM. |
event.process.root |
N/A | Indicates if the process is root. Not mapped to UDM. |
event.process.sessionId |
N/A | The session ID of the process. Not mapped to UDM. |
event.process.subsystem |
N/A | The subsystem of the process. Not mapped to UDM. |
event.process.trueContext.key.value |
N/A | The true context key value of the process. Not mapped to UDM. |
event.process.user.integrityLevel |
N/A | The integrity level of the process user. Not mapped to UDM. |
event.process.user.name |
target.user.userid |
The username of the process. |
event.process.user.sid |
target.user.windows_sid |
The Windows SID of the process user. |
event.query |
network.dns.questions.name |
The DNS query. |
event.regKey.key.value |
N/A | The registry key value. Not mapped to UDM. |
event.regKey.full_path |
target.registry.registry_key |
The registry key path. |
event.regValue.key.value |
target.registry.registry_value_name |
The registry value name. |
event.regValue.full_path |
target.registry.registry_key |
The registry value path. |
event.results |
network.dns.answers.data |
The DNS results. |
event.root |
N/A | Indicates if the event is root. Not mapped to UDM. |
event.sessionId |
N/A | The session ID of the event. Not mapped to UDM. |
event.signature.signed.identity |
principal.resource.attribute.labels , target.resource.attribute.labels |
The identity of the signed event. Formatted as "Source Signature Signed Identity: {identity}". |
event.signature.signed.valid |
N/A | Indicates if the signature is valid. Not mapped to UDM. |
event.signature.unsigned |
N/A | Indicates if the event is unsigned. Not mapped to UDM. |
event.source.commandLine |
principal.process.command_line , target.process.command_line |
The command line of the source. |
event.source.executable.creationTime.millisecondsSinceEpoch |
N/A | The creation time of the source executable. Not mapped to UDM. |
event.source.executable.full_path |
principal.process.file.full_path , target.process.file.full_path |
The full path of the source executable. |
event.source.executable.hashes.md5 |
principal.process.file.md5 , target.process.file.md5 |
The MD5 hash of the source executable. |
event.source.executable.hashes.sha1 |
principal.process.file.sha1 , target.process.file.sha1 |
The SHA1 hash of the source executable. |
event.source.executable.hashes.sha256 |
principal.process.file.sha256 , target.process.file.sha256 |
The SHA256 hash of the source executable. |
event.source.executable.isDir |
N/A | Indicates if the source executable is a directory. Not mapped to UDM. |
event.source.executable.isKernelModule |
N/A | Indicates if the source executable is a kernel module. Not mapped to UDM. |
event.source.executable.node.key.value |
N/A | The node key value of the source executable. Not mapped to UDM. |
event.source.executable.owner.name |
N/A | The owner name of the source executable. Not mapped to UDM. |
event.source.executable.owner.sid |
N/A | The owner SID of the source executable. Not mapped to UDM. |
event.source.executable.pUnix |
N/A | The pUnix value of the source executable. Not mapped to UDM. |
event.source.executable.signature.signed.identity |
principal.resource.attribute.labels , target.resource.attribute.labels |
The identity of the signed source executable. Formatted as "Source Signature Signed Identity: {identity}". |
event.source.executable.signature.signed.valid |
N/A | Indicates if the source signature is valid. Not mapped to UDM. |
event.source.executable.signature.unsigned |
N/A | Indicates if the source executable is unsigned. Not mapped to UDM. |
event.source.executable.sizeBytes |
principal.process.file.size , target.process.file.size |
The size of the source executable in bytes. |
event.source.excluded |
N/A | Indicates if the source is excluded. Not mapped to UDM. |
event.source.fullPid.pid |
principal.process.pid , target.process.pid |
The process ID of the source. |
event.source.fullPid.startTime.millisecondsSinceEpoch |
N/A | The start time of the source process. Not mapped to UDM. |
event.source.interactive |
N/A | Indicates if the source is interactive. Not mapped to UDM. |
event.source.isRedirectedCommandProcessor |
N/A | Indicates if the source is a redirected command processor. Not mapped to UDM. |
event.source.isWow64 |
N/A | Indicates if the source is WoW64. Not mapped to UDM. |
event.source.name |
N/A | The name of the source. Not mapped to UDM. |
event.source.node.key.value |
N/A | The node key value of the source. Not mapped to UDM. |
event.source.parent.commandLine |
principal.process.parent_process.command_line |
The command line of the source's parent. |
event.source.parent.excluded |
N/A | Indicates if the source's parent is excluded. Not mapped to UDM. |
event.source.parent.executable.full_path |
principal.process.parent_process.file.full_path |
The full path of the source's parent executable. |
event.source.parent.executable.hashes.md5 |
principal.process.parent_process.file.md5 |
The MD5 hash of the source's parent executable. |
event.source.parent.executable.hashes.sha1 |
principal.process.parent_process.file.sha1 |
The SHA1 hash of the source's parent executable. |
event.source.parent.executable.hashes.sha256 |
principal.process.parent_process.file.sha256 |
The SHA256 hash of the source's parent executable. |
event.source.parent.fullPid.pid |
principal.process.parent_process.pid |
The process ID of the source's parent. |
event.source.parent.fullPid.startTime.millisecondsSinceEpoch |
N/A | The start time of the source's parent process. Not mapped to UDM. |
event.source.parent.interactive |
N/A | Indicates if the source's parent is interactive. Not mapped to UDM. |
event.source.parent.isRedirectedCommandProcessor |
N/A | Indicates if the source's parent is a redirected command processor. Not mapped to UDM. |
event.source.parent.isWow64 |
N/A | Indicates if the source's parent is WoW64. Not mapped to UDM. |
event.source.parent.name |
N/A | The name of the source's parent. Not mapped to UDM. |
event.source.parent.node.key.value |
N/A | The node key value of the source's parent. Not mapped to UDM. |
event.source.parent.root |
N/A | Indicates if the source's parent is root. Not mapped to UDM. |
event.source.parent.sessionId |
N/A | The session ID of the source's parent. Not mapped to UDM. |
event.source.parent.subsystem |
N/A | The subsystem of the source's parent. Not mapped to UDM. |
event.source.parent.trueContext.key.value |
N/A | The true context key value of the source's parent. Not mapped to UDM. |
event.source.parent.user.integrityLevel |
N/A | The integrity level of the source's parent user. Not mapped to UDM. |
event.source.parent.user.name |
N/A | The username of the source's parent. Not mapped to UDM. |
event.source.parent.user.sid |
N/A | The Windows SID of the source's parent user. Not mapped to UDM. |
event.source.root |
N/A | Indicates if the source is root. Not mapped to UDM. |
event.source.sessionId |
N/A | The session ID of the source. Not mapped to UDM. |
event.source.subsystem |
N/A | The subsystem of the source. Not mapped to UDM. |
event.source.trueContext.key.value |
N/A | The true context key value of the source. Not mapped to UDM. |
event.source.user.integrityLevel |
N/A | The integrity level of the source user. Not mapped to UDM. |
event.source.user.name |
principal.user.userid |
The username of the source. |
event.source.user.sid |
principal.user.windows_sid |
The Windows SID of the source user. |
event.sourceAddress.address |
principal.ip |
The IP address of the source. |
event.sourceAddress.port |
principal.port |
The port of the source. |
event.status |
N/A | The status of the event. Not mapped to UDM. |
event.subsystem |
N/A | The subsystem of the event. Not mapped to UDM. |
event.targetFile.creationTime.millisecondsSinceEpoch |
N/A | The creation time of the target file. Not mapped to UDM. |
event.targetFile.full_path |
target.file.full_path |
The full path of the target file. |
event.targetFile.hashes.md5 |
target.process.file.md5 |
The MD5 hash of the target file. |
event.targetFile.hashes.sha1 |
target.process.file.sha1 |
The SHA1 hash of the target file. |
event.targetFile.hashes.sha256 |
target.process.file.sha256 |
The SHA256 hash of the target file. |
event.targetFile.isDir |
N/A | Indicates if the target file is a directory. Not mapped to UDM. |
event.targetFile.isKernelModule |
Changes
2024-06-03
- Mapped "suser" to "principal.user.userid".
- Mapped "accountId" to "target.user.userid".
- Mapped "MessageSourceAddress" to "principal.ip".
- Mapped "machine_host" to "principal.hostname".
2024-05-20
- Mapped "event.dns.response" to "network.dns.answers.data".
2024-05-06
- Added support for a new pattern of JSON logs.
2024-03-22
- Added new Grok pattern to parse new format of tab-separated KV logs.
- Mapped "osName" to "src.platform".
2024-03-15
- Mapped "site.id:account.id:agent.uuid:tgt.process.uid" to "target.process.product_specific_process_id".
- Mapped "site.id:account.id:agent.uuid:src.process.uid" to "principal.process.product_specific_process_id".
- Mapped "site.id:account.id:agent.uuid:src.process.parent.uid" to "principal.process.parent_process.product_specific_process_id".
- Removed "src.process.cmdline" from being mapped to "target.process.command_line".
2023-11-09
- Fix:
- Mapped "tgt.process.user" to "target.user.userid".
2023-10-30
- Fix:
- Added not null check to "principal_port" prior mapping to UDM.
- When "event.category" is "url" and "meta.event.name" is "HTTP", mapped "metadata.event_type" to "NETWORK_HTTP".
2023-09-06
- Added mapping of "tgt.process.storyline.id" to "security_result.about.resource.attribute.labels".
- Modified mapping of "src.process.storyline.id" from "principal.process.product_specific_process_id" to "security_result.about.resource.attribute.labels".
- Modified mapping of "src.process.parent.storyline.id" from "principal.parent.process.product_specific_process_id" to "security_result.about.resource.attribute.labels".
2023-08-31
- Mapped "indicator.category" to "security_result.category_details".
2023-08-03
- Initialized "event_data.login.loginIsSuccessful" to null.
- Mapped "module.path" to "target.process.file.full_path" and "target.file.full_path" where "event.type" is "Module Load".
- Mapped "module.sha1" to "target.process.file.sha1" and "target.file.sha1" where "event.type" is "Module Load".
- Mapped "metadata.event_type" to "PROCESS_MODULE_LOAD" where "event.type" is "Module Load".
- Mapped "registry.keyPath" to "target.registry.registrykey" for "REGISTRY*" events.
- Mapped "registry.value" to "target.registry.registry_valuedata" for "REGISTRY*" events.
- Mapped "event.network.protocolName" to "network.application_protocol".
- Mapped "principal.platform", "principal.asset.platform_software.platform" to "LINUX" if "endpoint.os" is "linux".
- Mapped "event.login.userName" to "target.user.userid" when "event.type" is "Login" or "Logout."
- Mapped "target.hostname" by obtaining the hostname from "url.address" when "event.type" is "GET", "OPTIONS", "POST", "PUT", "DELETE", "CONNECT", "HEAD".
2023-06-09
- Mapped "osSrc.process.parent.publisher" to "principal.resource.attribute.labels".
- Mapped "src.process.rUserName/src.process.eUserName/src.process.lUserName" to "principal.user.user_display_name".
- Added check to fields: "src.process.eUserId", "src.process.lUserId", "tgt.process.rUserUid" prior mapping to UDM.
- Mapped "tgt.file.location", "registry.valueFullSize", "registry.valueType" to "target.resource.attribute.labels".
- Mapped "indicator.description" to "security_result.summary".
- Mapped "metadata.event_type" to "SCAN_NETWORK" where "event.type" is "Behavioral Indicators".
- Mapped "metadata.event_type" to "SCAN_UNCATEGORIZED" where "event.type" is "Command Script".
- Initialized fields "meta.osFamily", "meta.osRevision", "event.type".
- Added ISO8601 to date filter to parser ISO8601 timestamp.
- Added on_error to "@timestamp" string conversion.
- Added on_error to "meta.uuid" prior mapping.
2023-05-25
- Mapped "event.source.commandLine" to "principal.process.command_line".
- Mapped "event.source.executable.path" to "principal.process.file.full_path".
- Set "metadata.event_type" to "PROCESS_OPEN" where "event.type" is "openProcess".
- Mapped "site.name:site.id" to "principal.namespace" if both "site.name" and "site.id" are not null.
- Mapped "event.network.direction" to "network.direction".
- Mapped "meta.event.name" to "metadata.description".
- Mapped "task.name" to "target.resource.name".
- Mapped "agent.uuid" to "principal.asset.product_object_id".
- Mapped "src.process.publisher" to "principal.resource.attribute.labels".
- Mapped "src.process.cmdline" to "target.process.command_line".
- Mapped "mgmt.osRevision" to "principal.asset.platform_software.platform_version".
- Mapped "security_result.category" according to "indicator.category" value.
- Mapped "event.dns.response" to "network.dns.answers".
- Mapped "registry.keyPath" to "target.registry.registry_key".
- Mapped "event.id" to "target.registry.registry_value_name".
2023-04-27
- Mapped "event.type" to "metadata.product_event_type" for Cloud Funnel v2 logs.
2023-04-20
- Added null and '-' conditinal check for the field "data.ipAddress".
- Added grok conditional check for the field "sourceMacAddresses".
2023-03-02
- When ("event.type" == "tcpv4" and "event.direction" == "INCOMING") or "event.type" contains "(processExit|processTermination|processModification|duplicate)" , then mapped "event.source.executable.signature.signed.identity" to "target.resource.attribute.labels" else mapped it to "principal.resource.attribute.labels".
- Mapped "event.parent.executable.signature.signed.identity", "event.process.executable.signature.signed.identity to "principal.resource.attribute.labels", "".
- Mapped "event.targetFile.signature.signed.identity", "event.target.executable.signature.signed.identity", "event.target.parent.executable.signature.signed.identity" to "target.resource.attribute.labels".
2023-02-24
- BugFix:
- Refactored the code to clearly differentiate between the log versions.
- For USER_LOGIN cloud funnel v2 logs, mapped "event.login.lognIsSuccessful" details to "security_result.action" and "security_result.summary"
2023-02-13
- BugFix:
- Parsed cloud funnel v1 logs as required.
- Mapping all http logs to "NETWORK_HTTP".
- "NETWORK_HTTP" should have url field mapped to "target.url" instead of "metadata.url_back_to_product".
2023-01-20
- Mapped the field 'event.url' to 'target.hostname' and 'target.url'.
- Mapped 'metadata.event_type' to 'NETWORK_HTTP' where 'event.type' == 'http'.
2023-01-16
- Fix
- Mapped "mgmt.url" to "metadata.url_back_to_product" instead of "target.url".
- Mapped "site.name" to "principal.location.name".
- Mapped "src.process.rUserUid" to "principal.user.userid".
- Mapped "src.process.eUserId" to "principal.user.userid".
- Mapped "src.process.lUserId" to "principal.user.userid".
- Mapped "src.process.parent.rUserUid" to "metadata.ingestion_labels".
- Mapped "src.process.parent.eUserId" to "metadata.ingestion_labels".
- Mapped "src.process.parent.lUserId" to "metadata.ingestion_labels".
- Mapped "tgt.process.rUserUid" to "target.user.userid".
- Mapped "tgt.process.eUserId" to "target.user.userid".
- Mapped "tgt.process.lUserId" to "target.user.userid".
- If "event.type" is "Process Creation" mapped "metadata.event_type" to "PROCESS_LAUNCH".
- If "event.type" is "Duplicate Process Handle" mapped "metadata.event_type" to "PROCESS_OPEN".
- If "event.type" is "Duplicate Thread Handle" mapped "metadata.event_type" to "PROCESS_OPEN".
- If "event.type" is "Open Remote Process Handle" mapped "metadata.event_type" to "PROCESS_OPEN".
- If "event.type" is "Remote Thread Creation" mapped "metadata.event_type" to "PROCESS_LAUNCH".
- If "event.type" is "Command Script" mapped "metadata.event_type" to "FILE_UNCATEGORIZED".
- If "event.type" is "IP Connect" mapped "metadata.event_type" to "NETWORK_CONNECTION".
- If "event.type" is "IP Listen" mapped "metadata.event_type" to "NETWORK_UNCATEGORIZED".
- If "event.type" is "File ModIfication" mapped "metadata.event_type" to "FILE_MODIfICATION".
- If "event.type" is "File Creation" mapped "metadata.event_type" to "FILE_CREATION".
- If "event.type" is "File Scan" mapped "metadata.event_type" to "FILE_UNCATEGORIZED".
- If "event.type" is "File Deletion" mapped "metadata.event_type" to "FILE_DELETION".
- If "event.type" is "File Rename" mapped "metadata.event_type" to "FILE_MODIfICATION".
- If "event.type" is "Pre Execution Detection" mapped "metadata.event_type" to "FILE_UNCATEGORIZED".
- If "event.type" is "Login" mapped "metadata.event_type" to "USER_LOGIN".
- If "event.type" is "Logout" mapped "metadata.event_type" to "USER_LOGOUT".
- If "event.type" is "GET" mapped "metadata.event_type" to "NETWORK_HTTP".
- If "event.type" is "OPTIONS" mapped "metadata.event_type" to "NETWORK_HTTP".
- If "event.type" is "POST" mapped "metadata.event_type" to "NETWORK_HTTP".
- If "event.type" is "PUT" mapped "metadata.event_type" to "NETWORK_HTTP".
- If "event.type" is "DELETE" mapped "metadata.event_type" to "NETWORK_HTTP".
- If "event.type" is "CONNECT" mapped "metadata.event_type" to "NETWORK_HTTP".
- If "event.type" is "HEAD" mapped "metadata.event_type" to "NETWORK_HTTP".
- If "event.type" is "Not Reported" mapped "metadata.event_type" to "STATUS_UNCATEGORIZED".
- If "event.type" is "DNS Resolved" mapped "metadata.event_type" to "NETWORK_DNS".
- If "event.type" is "DNS Unresolved" mapped "metadata.event_type" to "NETWORK_DNS".
- If "event.type" is "Task Register" mapped "metadata.event_type" to "SCHEDULED_TASK_CREATION".
- If "event.type" is "Task Update" mapped "metadata.event_type" to "SCHEDULED_TASK_MODIfICATION".
- If "event.type" is "Task Start" mapped "metadata.event_type" to "SCHEDULED_TASK_UNCATEGORIZED".
- If "event.type" is "Task Trigger" mapped "metadata.event_type" to "SCHEDULED_TASK_UNCATEGORIZED".
- If "event.type" is "Task Delete" mapped "metadata.event_type" to "SCHEDULED_TASK_DELETION".
- If "event.type" is "Registry Key Create" mapped "metadata.event_type" to "REGISTRY_CREATION".
- If "event.type" is "Registry Key Rename" mapped "metadata.event_type" to "REGISTRY_MODIfICATION".
- If "event.type" is "Registry Key Delete" mapped "metadata.event_type" to "REGISTRY_DELETION".
- If "event.type" is "Registry Key Export" mapped "metadata.event_type" to "REGISTRY_UNCATEGORIZED".
- If "event.type" is "Registry Key Security Changed" mapped "metadata.event_type" to "REGISTRY_MODIfICATION".
- If "event.type" is "Registry Key Import" mapped "metadata.event_type" to "REGISTRY_CREATION".
- If "event.type" is "Registry Value ModIfied" mapped "metadata.event_type" to "REGISTRY_MODIfICATION".
- If "event.type" is "Registry Value Create" mapped "metadata.event_type" to "REGISTRY_CREATION".
- If "event.type" is "Registry Value Delete" mapped "metadata.event_type" to "REGISTRY_DELETION".
- If "event.type" is "Behavioral Indicators" mapped "metadata.event_type" to "SCAN_UNCATEGORIZED".
- If "event.type" is "Module Load" mapped "metadata.event_type" to "PROCESS_MODULE_LOAD".
- If "event.type" is "Threat Intelligence Indicators" mapped "metadata.event_type" to "SCAN_UNCATEGORIZED".
- If "event.type" is "Named Pipe Creation" mapped "metadata.event_type" to "PROCESS_UNCATEGORIZED".
- If "event.type" is "Named Pipe Connection" mapped "metadata.event_type" to "PROCESS_UNCATEGORIZED".
- If "event.type" is "Driver Load" mapped "metadata.event_type" to "PROCESS_MODULE_LOAD".
2022-11-30
- Enhancement
- Enhanced the parser to support the logs ingested in version V2 by mapping following fields.
- Mapped "account.id" to "metadata.product_deployment_id".
- Mapped "agent.uuid" to "principal.asset.asset_id".
- Mapped "dst.ip.address" to "target.ip".
- Mapped "src.ip.address" to "principal.ip".
- Mapped "src.process.parent.image.sha1" to "principal.process.parent_process.file.sha1".
- Mapped "src.process.parent.image.sha256" to "principal.process.parent_process.file.sha256".
- Mapped "src.process.parent.image.path" to "principal.process.parent_process.file.full_path".
- Mapped "src.process.parent.cmdline" to "principal.process.parent_process.command_line".
- Mapped "src.process.parent.image.md5" to "principal.process.parent_process.file.md5".
- Mapped "src.process.parent.pid" to "principal.process.parent_process.pid".
- Mapped "src.process.image.sha1" to "principal.process.file.sha1".
- Mapped "src.process.image.md5" to "principal.process.file.md5".
- Mapped "src.process.pid" to "principal.process.pid".
- Mapped "src.process.cmdline" to "principal.process.command_line".
- Mapped "src.process.image.path" to "principal.process.file.full_path".
- Mapped "src.process.image.sha256" to "principal.process.file.sha256".
- Mapped "src.process.user" to "principal.user.user_display_name".
- Mapped "src.process.uid" to "principal.user.userid".
- Mapped "src.process.storyline.id" to "principal.process.product_specific_process_id".
- Mapped "src.process.parent.storyline.id" to "principal.process.parent_process.product_specific_process_id".
- Mapped "mgmt.url" to "target.url".
- Mapped "site.id" to "principal.namespace".
- Mapped "src.port.number" to "principal.port".
- Mapped "dst.port.number" to "target.port".
- Mapped "event_data.id" to "metadata.product_log_id".
2022-10-11
- Enhancement
- Mapped "threatClassification" to "security_result.category_details".
- Mapped "threatConfidenceLevel" and "threatMitigationStatus" to "security_result.detection_fields".
- Mapped "Location" to "principal.location.name".
- Mapped "data.filePath" to "principal.process.parent_process.file.full_path".
- Updated the mapping (CAT Value)security_result.category_details to metadata.product_event_type
2022-09-01
- Enhancement
- Changed metadata.product_name from SentinelOne to Singularity.
- Mapped "event.regValue.key.value" to "target.registry.registry_value_name".
- Mapped "principal_userid" to "principal.user.userid".
- Mapped "principal_domain" to "principal.administrative_domain".
- Mapped "threatInfo.threatId" to "security_result.threat_id"
- Mapped "threatInfo.identifiedAt" to "metadata.event_timestamp".
- Mapped "threatInfo.threatId" to "metadata.product_log_id".
- Mapped "security_result.alert_state" to "ALERTING".
- Mapped "threatInfo.maliciousProcessArguments" to "security_result.description".
- Mapped "threatInfo.threatName" to "security_result.threat_name".
- Mapped "threatInfo.classification" to "security_result.category_details".
- Mapped "security_result.category" to "SOFTWARE_MALICIOUS" where threatInfo.classification is malicious else to "NETWORK_SUSPICIOUS".
- Mapped "security_result.action" to "ALLOW" where threatInfo.mitigationStatus is mitigated else to "BLOCK".
- Mapped "threatInfo.mitigationStatus" to "security_result.action_details".
- Mapped "threatInfo.classification threatInfo.classificationSource threatInfo.analystVerdictDescription threatInfo.threatName" to "security_result.summary".
- Mapped "threatInfo.createdAt" to "metadata.collected_timestamp".
- Mapped "agentRealtimeInfo.accountId" to "metadata.product_deployment_id".
- Mapped "agentRealtimeInfo.agentVersion" to "metadata.product_version".
- Mapped "indicator.category" to "detection_fields.key" and "indicator.description" to "detection_fields.value".
- Mapped "detectionEngines.key" to "detection_fields.key" and "detectionEngines.title" to "detection_fields.value".
- Mapped "metadata.event_type" to "SCAN_UNCATEGORIZED" where "meta.computerName" is not null.
2022-07-21
- Enhancement
- Mapped event.source.executable.hashes.md5 to principal.process.file.md5.
- Mapped event.source.executable.hashes.sha256 to principal.process.file.sha256.
- Mapped event.source.executable.hashes.sha1 to principal.process.file.sha1.
- Mapped event.source.fullPid.pid to principal.process.pid.
- Mapped event.source.user.name to principal.user.userid.
- Mapped meta.agentVersion to metadata.product_version.
- Mapped event.appName to target.application.
- Mapped event.contentHash.sha256 to target.process.file.sha256.
- Mapped event.source.commandLine to target.process.command_line.
- Mapped event.decodedContent to target.labels.
- Changed metadata.description from scripts to Command Scripts where event.type is scripts.
- Mapped vendor to metadata.vendor_name.
- Mapped data.fileContentHash to target.process.file.md5.
- Mapped data.ipAddress to principal.ip.
- Mapped activityUuid to target.asset.product_object_id.
- Mapped agentId to metadata.product_deployment_id.
- Added email verification for user_email prior to mapping it to principal.user.email_addresses, if failed mapped it to principal.user.userid.
- Mapped sourceIpAddresses to principal.ip.
- Mapped accountName to principal.administrative_domain.
- Mapped activityId to additional.fields.
2022-07-15
- Enhancement - Parsed the new logs with JSON format and mapped the following new fields:-
- "metadata.product_name" to "SENTINEL_ONE".
- "sourceParentProcessMd5" to "principal.process.parent_process.file.md5".
- "sourceParentProcessPath" to "principal.process.parent_process.file.full_path".
- "sourceParentProcessPid" to "principal.process.parent_process.pid".
- "sourceParentProcessSha1" to "principal.process.parent_process.file.sha1".
- "sourceParentProcessSha256" to "principal.process.parent_process.file.sha256".
- "sourceParentProcessCmdArgs" to "principal.process.parent_process.command_line".
- "sourceProcessCmdArgs" to "principal.process.command_line".
- "sourceProcessMd5" to "principal.process.file.md5".
- "sourceProcessPid" to "principal.process.pid".
- "sourceProcessSha1" to "principal.process.file.sha1".
- "sourceProcessSha256" to "principal.process.file.sha256".
- "sourceProcessPath" to "principal.process.file.full_path".
- "tgtFilePath" to "target.file.full_path".
- "tgtFileHashSha256" to "target.file.sha256".
- "tgtFileHashSha1" to "target.file.sha1".
- "tgtProcUid" to "target.process.product_specific_process_id".
- "tgtProcCmdLine" to "target.process.command_line".
- "tgtProcPid" to "target.process.pid".
- "tgtProcName" to "target.application".
- "dstIp" to "target.ip".
- "srcIp" to "principal.ip".
- "dstPort" to "target.port".
- "srcPort" to "principal.port".
- "origAgentName" to "principal.hostname".
- "agentIpV4" to "principal.ip".
- "groupId" to "principal.user.group_identifiers".
- "groupName" to "principal.user.group_display_name".
- "origAgentVersion" to "principal.asset.software.version".
- "origAgentOsFamily" to "principal.platform".
- "origAgentOsName" to principal.asset.software.name".
- "event_type" to "FILE_MODIFICATION" when sourceEventType = FILEMODIFICATION.
- "event_type" to "FILE_DELETION" when sourceEventType = FILEDELETION.
- "event_type" to "PROCESS_LAUNCH" when sourceEventType = PROCESSCREATION.
- "event_type" to "NETWORK_CONNECTION" when sourceEventType = TCPV4.
2022-06-13
- Enhancement
- for [event][type] == "fileCreation" and [event][type] == "fileDeletion"
- Mapped "event.targetFile.path" to "target.file.full_path".
- Mapped "event.targetFile.hashes.md5" to "target.process.file.md5".
- Mapped "event.targetFile.hashes.sha1" to "target.process.file.sha1".
- Mapped "event.targetFile.hashes.sha256" to "target.process.file.sha256".
- for [event][type] == "fileModification"
- Mapped "event.file.path" to "target.file.full_path".
- Mapped "event.file.hashes.md5" to "target.process.file.md5".
- Mapped "event.file.hashes.sha1" to "target.process.file.sha1".
- Mapped "event.file.hashes.sha256" to "target.process.file.sha256".
2022-04-18
- Enhanced the parser to handle all the unparsed raw logs.