Collect SentinelOne EDR logs
Supported in:
This document explains how to export SentinelOne logs to Google Cloud Storage using SentinelOne Cloud Funnel. Since SentinelOne doesn't offer a built-in integration to directly export logs to Google Cloud Storage, Cloud Funnel acts as an intermediary service to push logs to the Cloud Storage.
Before You Begin
- Ensure that you have a Google SecOps instance.
- Ensure that you have privileged access to the Google Cloud platform.
- Ensure that you have privileged access to SentinelOne.
Configure Permissions for Cloud Funnel to Access Cloud Storage
- Sign in to the Google Cloud console.
- Go to IAM & Admin.
- In the IAM page, add a new IAM role for the Cloud Funnel service account:
- Assign Storage Object Creator permissions.
- Optional: assign Storage Object Viewer if you need Cloud Funnel to read objects from the bucket.
- Grant these permissions to the Cloud Funnel service account.
Create a Cloud Storage Bucket
- Sign in to the Google Cloud console.
- Go to Storage > Browser.
- Click Create bucket.
- Provide the following configurations:
- Bucket Name: choose a unique name for your bucket (for example, sentinelone-logs).
- Storage Location: select the region where the bucket will reside (for example, US-West1).
- Storage Class: choose a Standard storage class.
- Click Create.
Configure Cloud Funnel in SentinelOne
- In the SentinelOne Console, go to Settings.
- Locate the Cloud Funnel option (under Integrations).
- If it's not already enabled, click Enable Cloud Funnel.
- Once enabled, you're prompted to configure the Destination settings.
- Destination Selection: choose Google Cloud Storage as the destination for exporting logs.
- Google Cloud Storage: provide the Google Cloud Storage credentials.
- Log Export Frequency: set the frequency for exporting logs (for example, hourly or daily).
Configure Cloud Funnel Log Export
- In the Cloud Funnel Configuration section of the SentinelOne Console, set the following:
- Log Export Frequency: choose how often logs should be exported (for example. every hour or every day).
- Log Format: choose the JSON format.
- Bucket Name: enter the name of the Google Cloud Storage bucket you created earlier (for example, sentinelone-logs).
- Optional: Log Path Prefix: specify a prefix to organize logs within the bucket (for example,
sentinelone-logs/).
- Once the settings are configured, click Save to apply the changes.
Configure a feed in Google SecOps to ingest the Sentinel EDR logs
- Go to SIEM Settings > Feeds.
- Click Add new.
- In the Feed name field, enter a name for the feed (for example, Sentinel EDR Logs).
- Select Google Cloud Storage as the Source type.
- Select Sentinel EDR as the Log type.
- Click Get Service Account as the Chronicle Service Account.
- Click Next.
Specify values for the following input parameters:
- Storage Bucket URI: Cloud Storage bucket URL in
gs://my-bucket/<value>format. - URI Is A: select Directory which includes subdirectories.
Source deletion options: select the deletion option according to your preference.
Asset namespace: the asset namespace.
Ingestion labels: the label applied to the events from this feed.
- Storage Bucket URI: Cloud Storage bucket URL in
Click Next.
Review your new feed configuration in the Finalize screen, and then click Submit.
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
event.contentHash.sha256 |
target.process.file.sha256 |
The SHA-256 hash of the target process's file, extracted from the event.contentHash.sha256 field in the raw log. |
event.decodedContent |
target.labels |
The decoded content of a script, extracted from the event.decodedContent field in the raw log. It is added as a label with the key Decoded Content to the target object. |
event.destinationAddress.address |
target.ip |
The IP address of the destination, extracted from the event.destinationAddress.address field in the raw log. |
event.destinationAddress.port |
target.port |
The port of the destination, extracted from the event.destinationAddress.port field in the raw log. |
event.method |
network.http.method |
The HTTP method of the event, extracted from the event.method field in the raw log. |
event.newValueData |
target.registry.registry_value_data |
The new value data of the registry value, extracted from the event.newValueData field in the raw log. |
event.process.commandLine |
target.process.command_line |
The command line of the process, extracted from the event.process.commandLine field in the raw log. |
event.process.executable.hashes.md5 |
target.process.file.md5 |
The MD5 hash of the process's executable, extracted from the event.process.executable.hashes.md5 field in the raw log. |
event.process.executable.hashes.sha1 |
target.process.file.sha1 |
The SHA-1 hash of the process's executable, extracted from the event.process.executable.hashes.sha1 field in the raw log. |
event.process.executable.hashes.sha256 |
target.process.file.sha256 |
The SHA-256 hash of the process's executable, extracted from the event.process.executable.hashes.sha256 field in the raw log. |
event.process.executable.path |
target.process.file.full_path |
The full path of the process's executable, extracted from the event.process.executable.path field in the raw log. |
event.process.executable.sizeBytes |
target.process.file.size |
The size of the process's executable, extracted from the event.process.executable.sizeBytes field in the raw log. |
event.process.fullPid.pid |
target.process.pid |
The PID of the process, extracted from the event.process.fullPid.pid field in the raw log. |
event.query |
network.dns.questions.name |
The DNS query, extracted from the event.query field in the raw log. |
event.regKey.path |
target.registry.registry_key |
The path of the registry key, extracted from the event.regKey.path field in the raw log. |
event.regValue.key.value |
target.registry.registry_name, target.registry.registry_value_name |
The name of the registry value, extracted from the event.regValue.key.value field in the raw log. |
event.regValue.path |
target.registry.registry_key |
The path of the registry value, extracted from the event.regValue.path field in the raw log. |
event.results |
network.dns.answers.data |
The DNS answers, extracted from the event.results field in the raw log. The data is split into individual answers using the ";" separator. |
event.source.commandLine |
principal.process.command_line |
The command line of the source process, extracted from the event.source.commandLine field in the raw log. |
event.source.executable.hashes.md5 |
principal.process.file.md5 |
The MD5 hash of the source process's executable, extracted from the event.source.executable.hashes.md5 field in the raw log. |
event.source.executable.hashes.sha1 |
principal.process.file.sha1 |
The SHA-1 hash of the source process's executable, extracted from the event.source.executable.hashes.sha1 field in the raw log. |
event.source.executable.hashes.sha256 |
principal.process.file.sha256 |
The SHA-256 hash of the source process's executable, extracted from the event.source.executable.hashes.sha256 field in the raw log. |
event.source.executable.path |
principal.process.file.full_path |
The full path of the source process's executable, extracted from the event.source.executable.path field in the raw log. |
event.source.executable.signature.signed.identity |
principal.resource.attribute.labels |
The signed identity of the source process's executable, extracted from the event.source.executable.signature.signed.identity field in the raw log. It is added as a label with the key Source Signature Signed Identity to the principal resource attribute labels. |
event.source.executable.sizeBytes |
principal.process.file.size |
The size of the source process's executable, extracted from the event.source.executable.sizeBytes field in the raw log. |
event.source.fullPid.pid |
principal.process.pid |
The PID of the source process, extracted from the event.source.fullPid.pid field in the raw log. |
event.source.parent.commandLine |
principal.process.parent_process.command_line |
The command line of the source parent process, extracted from the event.source.parent.commandLine field in the raw log. |
event.source.parent.executable.hashes.md5 |
principal.process.parent_process.file.md5 |
The MD5 hash of the source parent process's executable, extracted from the event.source.parent.executable.hashes.md5 field in the raw log. |
event.source.parent.executable.hashes.sha1 |
principal.process.parent_process.file.sha1 |
The SHA-1 hash of the source parent process's executable, extracted from the event.source.parent.executable.hashes.sha1 field in the raw log. |
event.source.parent.executable.hashes.sha256 |
principal.process.parent_process.file.sha256 |
The SHA-256 hash of the source parent process's executable, extracted from the event.source.parent.executable.hashes.sha256 field in the raw log. |
event.source.parent.executable.signature.signed.identity |
principal.resource.attribute.labels |
The signed identity of the source parent process's executable, extracted from the event.source.parent.executable.signature.signed.identity field in the raw log. It is added as a label with the key Source Parent Signature Signed Identity to the principal resource attribute labels. |
event.source.parent.fullPid.pid |
principal.process.parent_process.pid |
The PID of the source parent process, extracted from the event.source.parent.fullPid.pid field in the raw log. |
event.source.user.name |
principal.user.userid |
The username of the source process's user, extracted from the event.source.user.name field in the raw log. |
event.source.user.sid |
principal.user.windows_sid |
The Windows SID of the source process's user, extracted from the event.source.user.sid field in the raw log. |
event.sourceAddress.address |
principal.ip |
The IP address of the source, extracted from the event.sourceAddress.address field in the raw log. |
event.sourceAddress.port |
principal.port |
The port of the source, extracted from the event.sourceAddress.port field in the raw log. |
event.target.executable.hashes.md5 |
target.process.file.md5 |
The MD5 hash of the target process's executable, extracted from the event.target.executable.hashes.md5 field in the raw log. |
event.target.executable.hashes.sha1 |
target.process.file.sha1 |
The SHA-1 hash of the target process's executable, extracted from the event.target.executable.hashes.sha1 field in the raw log. |
event.target.executable.hashes.sha256 |
target.process.file.sha256 |
The SHA-256 hash of the target process's executable, extracted from the event.target.executable.hashes.sha256 field in the raw log. |
event.target.executable.path |
target.process.file.full_path |
The full path of the target process's executable, extracted from the event.target.executable.path field in the raw log. |
event.target.executable.signature.signed.identity |
target.resource.attribute.labels |
The signed identity of the target process's executable, extracted from the event.target.executable.signature.signed.identity field in the raw log. It is added as a label with the key Target Signature Signed Identity to the target resource attribute labels. |
event.target.executable.sizeBytes |
target.process.file.size |
The size of the target process's executable, extracted from the event.target.executable.sizeBytes field in the raw log. |
event.target.fullPid.pid |
target.process.pid |
The PID of the target process, extracted from the event.target.fullPid.pid field in the raw log. |
event.targetFile.path |
target.file.full_path |
The full path of the target file, extracted from the event.targetFile.path field in the raw log. |
event.targetFile.signature.signed.identity |
target.resource.attribute.labels |
The signed identity of the target file, extracted from the event.targetFile.signature.signed.identity field in the raw log. It is added as a label with the key Target File Signature Signed Identity to the target resource attribute labels. |
event.trueContext.key.value |
Not mapped to the UDM. | |
event.type |
metadata.description |
The type of the event, extracted from the event.type field in the raw log. |
event.url |
target.url |
The URL of the event, extracted from the event.url field in the raw log. |
meta.agentVersion |
metadata.product_version, metadata.product_version |
The version of the agent, extracted from the meta.agentVersion field in the raw log. |
meta.computerName |
principal.hostname, target.hostname |
The hostname of the computer, extracted from the meta.computerName field in the raw log. |
meta.osFamily |
principal.asset.platform_software.platform, target.asset.platform_software.platform |
The operating system family of the computer, extracted from the meta.osFamily field in the raw log. It is mapped to LINUX for linux and WINDOWS for windows. |
meta.osRevision |
principal.asset.platform_software.platform_version, target.asset.platform_software.platform_version |
The operating system revision of the computer, extracted from the meta.osRevision field in the raw log. |
meta.traceId |
metadata.product_log_id |
The trace ID of the event, extracted from the meta.traceId field in the raw log. |
meta.uuid |
principal.asset.product_object_id, target.asset.product_object_id |
The UUID of the computer, extracted from the meta.uuid field in the raw log. |
metadata_event_type |
metadata.event_type |
The type of the event, set by the parser logic based on the event.type field. |
metadata_product_name |
metadata.product_name |
The name of the product, set to Singularity XDR by the parser logic. |
metadata_vendor_name |
metadata.vendor_name |
The name of the vendor, set to SentinelOne by the parser logic. |
network_application_protocol |
network.application_protocol |
The application protocol of the network connection, set to DNS for DNS events by the parser logic. |
network_dns_questions.name |
network.dns.questions.name |
The name of the DNS question, extracted from the event.query field in the raw log. |
network_direction |
network.direction |
The direction of the network connection, set to OUTBOUND for outgoing connections and INBOUND for incoming connections by the parser logic. |
network_http_method |
network.http.method |
The HTTP method of the event, extracted from the event.method field in the raw log. |
principal.process.command_line |
target.process.command_line |
The command line of the principal process, extracted from the principal.process.command_line field and mapped to the target process command line. |
principal.process.file.full_path |
target.process.file.full_path |
The full path of the principal process's file, extracted from the principal.process.file.full_path field and mapped to the target process file full path. |
principal.process.file.md5 |
target.process.file.md5 |
The MD5 hash of the principal process's file, extracted from the principal.process.file.md5 field and mapped to the target process file MD5. |
principal.process.file.sha1 |
target.process.file.sha1 |
The SHA-1 hash of the principal process's file, extracted from the principal.process.file.sha1 field and mapped to the target process file SHA-1. |
principal.process.file.sha256 |
target.process.file.sha256 |
The SHA-256 hash of the principal process's file, extracted from the principal.process.file.sha256 field and mapped to the target process file SHA-256. |
principal.process.file.size |
target.process.file.size |
The size of the principal process's file, extracted from the principal.process.file.size field and mapped to the target process file size. |
principal.process.pid |
target.process.pid |
The PID of the principal process, extracted from the principal.process.pid field and mapped to the target process PID. |
principal.user.userid |
target.user.userid |
The user ID of the principal, extracted from the principal.user.userid field and mapped to the target user ID. |
principal.user.windows_sid |
target.user.windows_sid |
The Windows SID of the principal, extracted from the principal.user.windows_sid field and mapped to the target user Windows SID. |
Changes
2024-07-29
Enhancement:
- If
registry.keyPathorregistry.valueis not null, then only mappedmetadata.event_typetoREGISTRY_CREATION.
2024-07-23
Enhancement:
- Mapped
agentDetectionInfo.agentOsNametotarget.platform_version. - Mapped
agentDetectionInfo.agentLastLoggedInUserNametotarget.user.userid.
2024-07-09
Bug-Fix:
- Changed mapping for
suserfromprincipal.user.useridtotarget.user.userid. - Changed mapping for
suserfromprincipal.user.user_display_nametotarget.user.user_display_name. - Removed mapping for
accountIdfromtarget.user.userid. - Mapped
prin_usertoprincipal.user.userid.
2024-06-03
Enhancement:
- Mapped
susertoprincipal.user.userid. - Mapped
accountIdtotarget.user.userid. - Mapped
MessageSourceAddresstoprincipal.ip. - Mapped
machine_hosttoprincipal.hostname.
2024-05-20
Enhancement:
- Mapped
event.dns.responsetonetwork.dns.answers.data.
2024-05-06
Enhancement:
- Added support for a new pattern of JSON logs.
2024-03-22
Enhancement:
- Added new Grok pattern to parse new format of tab-separated KV logs.
- Mapped
osNametosrc.platform.
2024-03-15
Enhancement:
- Mapped
site.id:account.id:agent.uuid:tgt.process.uidtotarget.process.product_specific_process_id. - Mapped
site.id:account.id:agent.uuid:src.process.uidtoprincipal.process.product_specific_process_id. - Mapped
site.id:account.id:agent.uuid:src.process.parent.uidtoprincipal.process.parent_process.product_specific_process_id. - Removed
src.process.cmdlinefrom being mapped totarget.process.command_line.
2023-11-09
- Fix:
- Mapped
tgt.process.usertotarget.user.userid.
2023-10-30
- Fix:
- Added not null check to
principal_portprior mapping to UDM. - When
event.categoryisurlandmeta.event.nameisHTTP, mappedmetadata.event_typetoNETWORK_HTTP.
2023-09-06
- Added mapping of
tgt.process.storyline.idtosecurity_result.about.resource.attribute.labels. - Modified mapping of
src.process.storyline.idfromprincipal.process.product_specific_process_idtosecurity_result.about.resource.attribute.labels. - Modified mapping of
src.process.parent.storyline.idfromprincipal.parent.process.product_specific_process_idtosecurity_result.about.resource.attribute.labels.
2023-08-31
- Mapped
indicator.categorytosecurity_result.category_details.
2023-08-03
- Initialized
event_data.login.loginIsSuccessfulto null. - Mapped
module.pathtotarget.process.file.full_pathandtarget.file.full_pathwhereevent.typeisModule Load. - Mapped
module.sha1totarget.process.file.sha1andtarget.file.sha1whereevent.typeisModule Load. - Mapped
metadata.event_typetoPROCESS_MODULE_LOADwhereevent.typeisModule Load. - Mapped
registry.keyPathtotarget.registry.registry_keyforREGISTRY_*events. - Mapped
registry.valuetotarget.registry.registry_value_dataforREGISTRY_*events. - Mapped
event.network.protocolNametonetwork.application_protocol. - Mapped
principal.platform,principal.asset.platform_software.platformtoLINUXifendpoint.osislinux. - Mapped
event.login.userNametotarget.user.useridwhenevent.typeisLoginorLogout. - Mapped
target.hostnameby obtaining the hostname fromurl.addresswhenevent.typeisGET,OPTIONS,POST,PUT,DELETE,CONNECT,HEAD.
2023-06-09
- Mapped
osSrc.process.parent.publishertoprincipal.resource.attribute.labels. - Mapped
src.process.rUserName/src.process.eUserName/src.process.lUserNametoprincipal.user.user_display_name. - Added check to fields:
src.process.eUserId,src.process.lUserId,tgt.process.rUserUidprior mapping to UDM. - Mapped
tgt.file.location,registry.valueFullSize,registry.valueTypetotarget.resource.attribute.labels. - Mapped
indicator.descriptiontosecurity_result.summary. - Mapped
metadata.event_typetoSCAN_NETWORKwhereevent.typeisBehavioral Indicators. - Mapped
metadata.event_typetoSCAN_UNCATEGORIZEDwhereevent.typeisCommand Script. - Initialized fields
meta.osFamily,meta.osRevision,event.type. - Added ISO8601 to date filter to parser ISO8601 timestamp.
- Added on_error to
@timestampstring conversion. - Added on_error to
meta.uuidprior mapping.
2023-05-25
- Mapped
event.source.commandLinetoprincipal.process.command_line. - Mapped
event.source.executable.pathtoprincipal.process.file.full_path. - Set
metadata.event_typetoPROCESS_OPENwhereevent.typeisopenProcess. - Mapped
site.name:site.idtoprincipal.namespaceif bothsite.nameandsite.idare not null. - Mapped
event.network.directiontonetwork.direction. - Mapped
meta.event.nametometadata.description. - Mapped
task.nametotarget.resource.name. - Mapped
agent.uuidtoprincipal.asset.product_object_id. - Mapped
src.process.publishertoprincipal.resource.attribute.labels. - Mapped
src.process.cmdlinetotarget.process.command_line. - Mapped
mgmt.osRevisiontoprincipal.asset.platform_software.platform_version. - Mapped
security_result.categoryaccording toindicator.categoryvalue. - Mapped
event.dns.responsetonetwork.dns.answers. - Mapped
registry.keyPathtotarget.registry.registry_key. - Mapped
event.idtotarget.registry.registry_value_name.
2023-04-27
- Mapped
event.typetometadata.product_event_typefor Cloud Funnel v2 logs.
2023-04-20
Enhancement:
- Added null and '-' conditinal check for the field
data.ipAddress. - Added grok conditional check for the field
sourceMacAddresses.
2023-03-02
Enhancement:
- When (
event.type==tcpv4andevent.direction==INCOMING) orevent.typecontains(processExit|processTermination|processModification|duplicate), then mappedevent.source.executable.signature.signed.identitytotarget.resource.attribute.labelselse mapped it toprincipal.resource.attribute.labels. - Mapped
event.parent.executable.signature.signed.identity,event.process.executable.signature.signed.identity toprincipal.resource.attribute.labels,`. - Mapped
event.targetFile.signature.signed.identity,event.target.executable.signature.signed.identity,event.target.parent.executable.signature.signed.identitytotarget.resource.attribute.labels.
2023-02-24
BugFix:
- Refactored the code to clearly differentiate between the log versions.
- For USER_LOGIN cloud funnel v2 logs, mapped
event.login.lognIsSuccessfuldetails tosecurity_result.actionandsecurity_result.summary
2023-02-13
BugFix:
- Parsed cloud funnel v1 logs as required.
- Mapping all http logs to
NETWORK_HTTP. NETWORK_HTTPshould have URL field mapped totarget.urlinstead ofmetadata.url_back_to_product.
2023-01-20
Enhancement:
- Mapped the field 'event.url' to 'target.hostname' and 'target.url'.
- Mapped 'metadata.event_type' to 'NETWORK_HTTP' where 'event.type' == 'http'.
2023-01-16
BugFix:
- Mapped
mgmt.urltometadata.url_back_to_productinstead oftarget.url. - Mapped
site.nametoprincipal.location.name. - Mapped
src.process.rUserUidtoprincipal.user.userid. - Mapped
src.process.eUserIdtoprincipal.user.userid. - Mapped
src.process.lUserIdtoprincipal.user.userid. - Mapped
src.process.parent.rUserUidtometadata.ingestion_labels. - Mapped
src.process.parent.eUserIdtometadata.ingestion_labels. - Mapped
src.process.parent.lUserIdtometadata.ingestion_labels. - Mapped
tgt.process.rUserUidtotarget.user.userid. - Mapped
tgt.process.eUserIdtotarget.user.userid. - Mapped
tgt.process.lUserIdtotarget.user.userid. - If
event.typeisProcess Creationmappedmetadata.event_typetoPROCESS_LAUNCH. - If
event.typeisDuplicate Process Handlemappedmetadata.event_typetoPROCESS_OPEN. - If
event.typeisDuplicate Thread Handlemappedmetadata.event_typetoPROCESS_OPEN. - If
event.typeisOpen Remote Process Handlemappedmetadata.event_typetoPROCESS_OPEN. - If
event.typeisRemote Thread Creationmappedmetadata.event_typetoPROCESS_LAUNCH. - If
event.typeisCommand Scriptmappedmetadata.event_typetoFILE_UNCATEGORIZED. - If
event.typeisIP Connectmappedmetadata.event_typetoNETWORK_CONNECTION. - If
event.typeisIP Listenmappedmetadata.event_typetoNETWORK_UNCATEGORIZED. - If
event.typeisFile ModIficationmappedmetadata.event_typetoFILE_MODIfICATION. - If
event.typeisFile Creationmappedmetadata.event_typetoFILE_CREATION. - If
event.typeisFile Scanmappedmetadata.event_typetoFILE_UNCATEGORIZED. - If
event.typeisFile Deletionmappedmetadata.event_typetoFILE_DELETION. - If
event.typeisFile Renamemappedmetadata.event_typetoFILE_MODIfICATION. - If
event.typeisPre Execution Detectionmappedmetadata.event_typetoFILE_UNCATEGORIZED. - If
event.typeisLoginmappedmetadata.event_typetoUSER_LOGIN. - If
event.typeisLogoutmappedmetadata.event_typetoUSER_LOGOUT. - If
event.typeisGETmappedmetadata.event_typetoNETWORK_HTTP. - If
event.typeisOPTIONSmappedmetadata.event_typetoNETWORK_HTTP. - If
event.typeisPOSTmappedmetadata.event_typetoNETWORK_HTTP. - If
event.typeisPUTmappedmetadata.event_typetoNETWORK_HTTP. - If
event.typeisDELETEmappedmetadata.event_typetoNETWORK_HTTP. - If
event.typeisCONNECTmappedmetadata.event_typetoNETWORK_HTTP. - If
event.typeisHEADmappedmetadata.event_typetoNETWORK_HTTP. - If
event.typeisNot Reportedmappedmetadata.event_typetoSTATUS_UNCATEGORIZED. - If
event.typeisDNS Resolvedmappedmetadata.event_typetoNETWORK_DNS. - If
event.typeisDNS Unresolvedmappedmetadata.event_typetoNETWORK_DNS. - If
event.typeisTask Registermappedmetadata.event_typetoSCHEDULED_TASK_CREATION. - If
event.typeisTask Updatemappedmetadata.event_typetoSCHEDULED_TASK_MODIfICATION. - If
event.typeisTask Startmappedmetadata.event_typetoSCHEDULED_TASK_UNCATEGORIZED. - If
event.typeisTask Triggermappedmetadata.event_typetoSCHEDULED_TASK_UNCATEGORIZED. - If
event.typeisTask Deletemappedmetadata.event_typetoSCHEDULED_TASK_DELETION. - If
event.typeisRegistry Key Createmappedmetadata.event_typetoREGISTRY_CREATION. - If
event.typeisRegistry Key Renamemappedmetadata.event_typetoREGISTRY_MODIfICATION. - If
event.typeisRegistry Key Deletemappedmetadata.event_typetoREGISTRY_DELETION. - If
event.typeisRegistry Key Exportmappedmetadata.event_typetoREGISTRY_UNCATEGORIZED. - If
event.typeisRegistry Key Security Changedmappedmetadata.event_typetoREGISTRY_MODIfICATION. - If
event.typeisRegistry Key Importmappedmetadata.event_typetoREGISTRY_CREATION. - If
event.typeisRegistry Value ModIfiedmappedmetadata.event_typetoREGISTRY_MODIfICATION. - If
event.typeisRegistry Value Createmappedmetadata.event_typetoREGISTRY_CREATION. - If
event.typeisRegistry Value Deletemappedmetadata.event_typetoREGISTRY_DELETION. - If
event.typeisBehavioral Indicatorsmappedmetadata.event_typetoSCAN_UNCATEGORIZED. - If
event.typeisModule Loadmappedmetadata.event_typetoPROCESS_MODULE_LOAD. - If
event.typeisThreat Intelligence Indicatorsmappedmetadata.event_typetoSCAN_UNCATEGORIZED. - If
event.typeisNamed Pipe Creationmappedmetadata.event_typetoPROCESS_UNCATEGORIZED. - If
event.typeisNamed Pipe Connectionmappedmetadata.event_typetoPROCESS_UNCATEGORIZED. - If
event.typeisDriver Loadmappedmetadata.event_typetoPROCESS_MODULE_LOAD.
2022-11-30
Enhancement:
- Enhanced the parser to support the logs ingested in version V2 by mapping following fields.
- Mapped
account.idtometadata.product_deployment_id. - Mapped
agent.uuidtoprincipal.asset.asset_id. - Mapped
dst.ip.addresstotarget.ip. - Mapped
src.ip.addresstoprincipal.ip. - Mapped
src.process.parent.image.sha1toprincipal.process.parent_process.file.sha1. - Mapped
src.process.parent.image.sha256toprincipal.process.parent_process.file.sha256. - Mapped
src.process.parent.image.pathtoprincipal.process.parent_process.file.full_path. - Mapped
src.process.parent.cmdlinetoprincipal.process.parent_process.command_line. - Mapped
src.process.parent.image.md5toprincipal.process.parent_process.file.md5. - Mapped
src.process.parent.pidtoprincipal.process.parent_process.pid. - Mapped
src.process.image.sha1toprincipal.process.file.sha1. - Mapped
src.process.image.md5toprincipal.process.file.md5. - Mapped
src.process.pidtoprincipal.process.pid. - Mapped
src.process.cmdlinetoprincipal.process.command_line. - Mapped
src.process.image.pathtoprincipal.process.file.full_path. - Mapped
src.process.image.sha256toprincipal.process.file.sha256. - Mapped
src.process.usertoprincipal.user.user_display_name. - Mapped
src.process.uidtoprincipal.user.userid. - Mapped
src.process.storyline.idtoprincipal.process.product_specific_process_id. - Mapped
src.process.parent.storyline.idtoprincipal.process.parent_process.product_specific_process_id. - Mapped
mgmt.urltotarget.url. - Mapped
site.idtoprincipal.namespace. - Mapped
src.port.numbertoprincipal.port. - Mapped
dst.port.numbertotarget.port. - Mapped
event_data.idtometadata.product_log_id.
2022-10-11
Enhancement:
- Mapped
threatClassificationtosecurity_result.category_details. - Mapped
threatConfidenceLevelandthreatMitigationStatustosecurity_result.detection_fields. - Mapped
Locationtoprincipal.location.name. - Mapped
data.filePathtoprincipal.process.parent_process.file.full_path. - Updated the mapping (CAT Value)security_result.category_details to metadata.product_event_type
2022-09-01
Enhancement:
- Changed metadata.product_name from SentinelOne to Singularity.
- Mapped
event.regValue.key.valuetotarget.registry.registry_value_name. - Mapped
principal_useridtoprincipal.user.userid. - Mapped
principal_domaintoprincipal.administrative_domain. - Mapped
threatInfo.threatIdtosecurity_result.threat_id - Mapped
threatInfo.identifiedAttometadata.event_timestamp. - Mapped
threatInfo.threatIdtometadata.product_log_id. - Mapped
security_result.alert_statetoALERTING. - Mapped
threatInfo.maliciousProcessArgumentstosecurity_result.description. - Mapped
threatInfo.threatNametosecurity_result.threat_name. - Mapped
threatInfo.classificationtosecurity_result.category_details. - Mapped
security_result.categorytoSOFTWARE_MALICIOUSwhere threatInfo.classification is malicious else toNETWORK_SUSPICIOUS. - Mapped
security_result.actiontoALLOWwhere threatInfo.mitigationStatus is mitigated else toBLOCK. - Mapped
threatInfo.mitigationStatustosecurity_result.action_details. - Mapped
threatInfo.classification threatInfo.classificationSource threatInfo.analystVerdictDescription threatInfo.threatNametosecurity_result.summary. - Mapped
threatInfo.createdAttometadata.collected_timestamp. - Mapped
agentRealtimeInfo.accountIdtometadata.product_deployment_id. - Mapped
agentRealtimeInfo.agentVersiontometadata.product_version. - Mapped
indicator.categorytodetection_fields.keyandindicator.descriptiontodetection_fields.value. - Mapped
detectionEngines.keytodetection_fields.keyanddetectionEngines.titletodetection_fields.value. - Mapped
metadata.event_typetoSCAN_UNCATEGORIZEDwheremeta.computerNameis not null.
2022-07-21
Enhancement:
- Mapped event.source.executable.hashes.md5 to principal.process.file.md5.
- Mapped event.source.executable.hashes.sha256 to principal.process.file.sha256.
- Mapped event.source.executable.hashes.sha1 to principal.process.file.sha1.
- Mapped event.source.fullPid.pid to principal.process.pid.
- Mapped event.source.user.name to principal.user.userid.
- Mapped meta.agentVersion to metadata.product_version.
- Mapped event.appName to target.application.
- Mapped event.contentHash.sha256 to target.process.file.sha256.
- Mapped event.source.commandLine to target.process.command_line.
- Mapped event.decodedContent to target.labels.
- Changed metadata.description from scripts to Command Scripts where event.type is scripts.
- Mapped vendor to metadata.vendor_name.
- Mapped data.fileContentHash to target.process.file.md5.
- Mapped data.ipAddress to principal.ip.
- Mapped activityUuid to target.asset.product_object_id.
- Mapped agentId to metadata.product_deployment_id.
- Added email verification for user_email prior to mapping it to principal.user.email_addresses, if failed mapped it to principal.user.userid.
- Mapped sourceIpAddresses to principal.ip.
- Mapped accountName to principal.administrative_domain.
- Mapped activityId to additional.fields.
2022-07-15
Enhancement:
- Parsed the new logs with JSON format and mapped the following new fields:-
metadata.product_nametoSENTINEL_ONE.sourceParentProcessMd5toprincipal.process.parent_process.file.md5.sourceParentProcessPathtoprincipal.process.parent_process.file.full_path.sourceParentProcessPidtoprincipal.process.parent_process.pid.sourceParentProcessSha1toprincipal.process.parent_process.file.sha1.sourceParentProcessSha256toprincipal.process.parent_process.file.sha256.sourceParentProcessCmdArgstoprincipal.process.parent_process.command_line.sourceProcessCmdArgstoprincipal.process.command_line.sourceProcessMd5toprincipal.process.file.md5.sourceProcessPidtoprincipal.process.pid.sourceProcessSha1toprincipal.process.file.sha1.sourceProcessSha256toprincipal.process.file.sha256.sourceProcessPathtoprincipal.process.file.full_path.tgtFilePathtotarget.file.full_path.tgtFileHashSha256totarget.file.sha256.tgtFileHashSha1totarget.file.sha1.tgtProcUidtotarget.process.product_specific_process_id.tgtProcCmdLinetotarget.process.command_line.tgtProcPidtotarget.process.pid.tgtProcNametotarget.application.dstIptotarget.ip.srcIptoprincipal.ip.dstPorttotarget.port.srcPorttoprincipal.port.origAgentNametoprincipal.hostname.agentIpV4toprincipal.ip.groupIdtoprincipal.user.group_identifiers.groupNametoprincipal.user.group_display_name.origAgentVersiontoprincipal.asset.software.version.origAgentOsFamilytoprincipal.platform.origAgentOsNameto principal.asset.software.name`.event_typetoFILE_MODIFICATIONwhen sourceEventType = FILEMODIFICATION.event_typetoFILE_DELETIONwhen sourceEventType = FILEDELETION.event_typetoPROCESS_LAUNCHwhen sourceEventType = PROCESSCREATION.event_typetoNETWORK_CONNECTIONwhen sourceEventType = TCPV4.
2022-06-13
Enhancement:
- for [event][type] ==
fileCreationand [event][type] ==fileDeletion - Mapped
event.targetFile.pathtotarget.file.full_path. - Mapped
event.targetFile.hashes.md5totarget.process.file.md5. - Mapped
event.targetFile.hashes.sha1totarget.process.file.sha1. - Mapped
event.targetFile.hashes.sha256totarget.process.file.sha256. - for [event][type] ==
fileModification - Mapped
event.file.pathtotarget.file.full_path. - Mapped
event.file.hashes.md5totarget.process.file.md5. - Mapped
event.file.hashes.sha1totarget.process.file.sha1. - Mapped
event.file.hashes.sha256totarget.process.file.sha256.
2022-04-18
- Enhanced the parser to handle all the unparsed raw logs.
Need more help? Get answers from Community members and Google SecOps professionals.