Collect SentinelOne EDR logs

This document explains how to export SentinelOne logs to Google Cloud Storage using SentinelOne Cloud Funnel. Because SentinelOne doesn't offer a built-in integration that exports logs directly to Google Cloud Storage, Cloud Funnel acts as the intermediary service that pushes the logs into Cloud Storage.

Before You Begin

  • Ensure that you have a Google SecOps instance.
  • Ensure that you have privileged access to the Google Cloud platform.
  • Ensure that you have privileged access to SentinelOne.

Configure Permissions for Cloud Funnel to Access Cloud Storage

  1. Sign in to the Google Cloud console.
  2. Go to IAM & Admin.
  3. In the IAM page, add a new IAM role for the Cloud Funnel service account:
    • Assign Storage Object Creator permissions.
    • Optional: assign Storage Object Viewer if you need Cloud Funnel to read objects from the bucket.
  4. Grant these permissions to the Cloud Funnel service account.

Create a Cloud Storage Bucket

  1. Sign in to the Google Cloud console.
  2. Go to Storage > Browser.
  3. Click Create bucket.
  4. Provide the following configurations:
    • Bucket Name: choose a unique name for your bucket (for example, sentinelone-logs).
    • Storage Location: select the region where the bucket will reside (for example, US-West1).
    • Storage Class: choose a Standard storage class.
  5. Click Create.

Configure Cloud Funnel in SentinelOne

  1. In the SentinelOne Console, go to Settings.
  2. Locate the Cloud Funnel option (under Integrations).
  3. If it's not already enabled, click Enable Cloud Funnel.
  4. Once enabled, you're prompted to configure the Destination settings.
    • Destination Selection: choose Google Cloud Storage as the destination for exporting logs.
    • Google Cloud Storage: provide the Google Cloud Storage credentials.
    • Log Export Frequency: set the frequency for exporting logs (for example, hourly or daily).

Configure Cloud Funnel Log Export

  1. In the Cloud Funnel Configuration section of the SentinelOne Console, set the following:
    • Log Export Frequency: choose how often logs should be exported (for example, every hour or every day).
    • Log Format: choose the JSON format.
    • Bucket Name: enter the name of the Google Cloud Storage bucket you created earlier (for example, sentinelone-logs).
    • Optional: Log Path Prefix: specify a prefix to organize logs within the bucket (for example, sentinelone-logs/).
  2. Once the settings are configured, click Save to apply the changes.

Configure a feed in Google SecOps to ingest the Sentinel EDR logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed (for example, Sentinel EDR Logs).
  4. Select Google Cloud Storage as the Source type.
  5. Select Sentinel EDR as the Log type.
  6. Click Get Service Account as the Chronicle Service Account.
  7. Click Next.
  8. Specify values for the following input parameters:
    • Storage Bucket URI: Cloud Storage bucket URL in gs://my-bucket/<value> format.
    • URI Is A: select Directory which includes subdirectories.
    • Source deletion options: select the deletion option according to your preference.
    • Asset namespace: the asset namespace.
    • Ingestion labels: the label applied to the events from this feed.
  9. Click Next.
  10. Review your new feed configuration in the Finalize screen, and then click Submit.

UDM mapping table

| Log field | UDM mapping | Logic |
| --- | --- | --- |
| event.contentHash.sha256 | target.process.file.sha256 | The SHA-256 hash of the target process's file, extracted from the event.contentHash.sha256 field in the raw log. |
| event.decodedContent | target.labels | The decoded content of a script, extracted from the event.decodedContent field in the raw log. It is added as a label with the key Decoded Content to the target object. |
| event.destinationAddress.address | target.ip | The IP address of the destination, extracted from the event.destinationAddress.address field in the raw log. |
| event.destinationAddress.port | target.port | The port of the destination, extracted from the event.destinationAddress.port field in the raw log. |
| event.method | network.http.method | The HTTP method of the event, extracted from the event.method field in the raw log. |
| event.newValueData | target.registry.registry_value_data | The new value data of the registry value, extracted from the event.newValueData field in the raw log. |
| event.process.commandLine | target.process.command_line | The command line of the process, extracted from the event.process.commandLine field in the raw log. |
| event.process.executable.hashes.md5 | target.process.file.md5 | The MD5 hash of the process's executable, extracted from the event.process.executable.hashes.md5 field in the raw log. |
| event.process.executable.hashes.sha1 | target.process.file.sha1 | The SHA-1 hash of the process's executable, extracted from the event.process.executable.hashes.sha1 field in the raw log. |
| event.process.executable.hashes.sha256 | target.process.file.sha256 | The SHA-256 hash of the process's executable, extracted from the event.process.executable.hashes.sha256 field in the raw log. |
| event.process.executable.path | target.process.file.full_path | The full path of the process's executable, extracted from the event.process.executable.path field in the raw log. |
| event.process.executable.sizeBytes | target.process.file.size | The size of the process's executable, extracted from the event.process.executable.sizeBytes field in the raw log. |
| event.process.fullPid.pid | target.process.pid | The PID of the process, extracted from the event.process.fullPid.pid field in the raw log. |
| event.query | network.dns.questions.name | The DNS query, extracted from the event.query field in the raw log. |
| event.regKey.path | target.registry.registry_key | The path of the registry key, extracted from the event.regKey.path field in the raw log. |
| event.regValue.key.value | target.registry.registry_name, target.registry.registry_value_name | The name of the registry value, extracted from the event.regValue.key.value field in the raw log. |
| event.regValue.path | target.registry.registry_key | The path of the registry value, extracted from the event.regValue.path field in the raw log. |
| event.results | network.dns.answers.data | The DNS answers, extracted from the event.results field in the raw log. The data is split into individual answers using the ";" separator. |
| event.source.commandLine | principal.process.command_line | The command line of the source process, extracted from the event.source.commandLine field in the raw log. |
| event.source.executable.hashes.md5 | principal.process.file.md5 | The MD5 hash of the source process's executable, extracted from the event.source.executable.hashes.md5 field in the raw log. |
| event.source.executable.hashes.sha1 | principal.process.file.sha1 | The SHA-1 hash of the source process's executable, extracted from the event.source.executable.hashes.sha1 field in the raw log. |
| event.source.executable.hashes.sha256 | principal.process.file.sha256 | The SHA-256 hash of the source process's executable, extracted from the event.source.executable.hashes.sha256 field in the raw log. |
| event.source.executable.path | principal.process.file.full_path | The full path of the source process's executable, extracted from the event.source.executable.path field in the raw log. |
| event.source.executable.signature.signed.identity | principal.resource.attribute.labels | The signed identity of the source process's executable, extracted from the event.source.executable.signature.signed.identity field in the raw log. It is added as a label with the key Source Signature Signed Identity to the principal resource attribute labels. |
| event.source.executable.sizeBytes | principal.process.file.size | The size of the source process's executable, extracted from the event.source.executable.sizeBytes field in the raw log. |
| event.source.fullPid.pid | principal.process.pid | The PID of the source process, extracted from the event.source.fullPid.pid field in the raw log. |
| event.source.parent.commandLine | principal.process.parent_process.command_line | The command line of the source parent process, extracted from the event.source.parent.commandLine field in the raw log. |
| event.source.parent.executable.hashes.md5 | principal.process.parent_process.file.md5 | The MD5 hash of the source parent process's executable, extracted from the event.source.parent.executable.hashes.md5 field in the raw log. |
| event.source.parent.executable.hashes.sha1 | principal.process.parent_process.file.sha1 | The SHA-1 hash of the source parent process's executable, extracted from the event.source.parent.executable.hashes.sha1 field in the raw log. |
| event.source.parent.executable.hashes.sha256 | principal.process.parent_process.file.sha256 | The SHA-256 hash of the source parent process's executable, extracted from the event.source.parent.executable.hashes.sha256 field in the raw log. |
| event.source.parent.executable.signature.signed.identity | principal.resource.attribute.labels | The signed identity of the source parent process's executable, extracted from the event.source.parent.executable.signature.signed.identity field in the raw log. It is added as a label with the key Source Parent Signature Signed Identity to the principal resource attribute labels. |
| event.source.parent.fullPid.pid | principal.process.parent_process.pid | The PID of the source parent process, extracted from the event.source.parent.fullPid.pid field in the raw log. |
| event.source.user.name | principal.user.userid | The username of the source process's user, extracted from the event.source.user.name field in the raw log. |
| event.source.user.sid | principal.user.windows_sid | The Windows SID of the source process's user, extracted from the event.source.user.sid field in the raw log. |
| event.sourceAddress.address | principal.ip | The IP address of the source, extracted from the event.sourceAddress.address field in the raw log. |
| event.sourceAddress.port | principal.port | The port of the source, extracted from the event.sourceAddress.port field in the raw log. |
| event.target.executable.hashes.md5 | target.process.file.md5 | The MD5 hash of the target process's executable, extracted from the event.target.executable.hashes.md5 field in the raw log. |
| event.target.executable.hashes.sha1 | target.process.file.sha1 | The SHA-1 hash of the target process's executable, extracted from the event.target.executable.hashes.sha1 field in the raw log. |
| event.target.executable.hashes.sha256 | target.process.file.sha256 | The SHA-256 hash of the target process's executable, extracted from the event.target.executable.hashes.sha256 field in the raw log. |
| event.target.executable.path | target.process.file.full_path | The full path of the target process's executable, extracted from the event.target.executable.path field in the raw log. |
| event.target.executable.signature.signed.identity | target.resource.attribute.labels | The signed identity of the target process's executable, extracted from the event.target.executable.signature.signed.identity field in the raw log. It is added as a label with the key Target Signature Signed Identity to the target resource attribute labels. |
| event.target.executable.sizeBytes | target.process.file.size | The size of the target process's executable, extracted from the event.target.executable.sizeBytes field in the raw log. |
| event.target.fullPid.pid | target.process.pid | The PID of the target process, extracted from the event.target.fullPid.pid field in the raw log. |
| event.targetFile.path | target.file.full_path | The full path of the target file, extracted from the event.targetFile.path field in the raw log. |
| event.targetFile.signature.signed.identity | target.resource.attribute.labels | The signed identity of the target file, extracted from the event.targetFile.signature.signed.identity field in the raw log. It is added as a label with the key Target File Signature Signed Identity to the target resource attribute labels. |
| event.trueContext.key.value | | Not mapped to the UDM. |
| event.type | metadata.description | The type of the event, extracted from the event.type field in the raw log. |
| event.url | target.url | The URL of the event, extracted from the event.url field in the raw log. |
| meta.agentVersion | metadata.product_version | The version of the agent, extracted from the meta.agentVersion field in the raw log. |
| meta.computerName | principal.hostname, target.hostname | The hostname of the computer, extracted from the meta.computerName field in the raw log. |
| meta.osFamily | principal.asset.platform_software.platform, target.asset.platform_software.platform | The operating system family of the computer, extracted from the meta.osFamily field in the raw log. It is mapped to LINUX for linux and WINDOWS for windows. |
| meta.osRevision | principal.asset.platform_software.platform_version, target.asset.platform_software.platform_version | The operating system revision of the computer, extracted from the meta.osRevision field in the raw log. |
| meta.traceId | metadata.product_log_id | The trace ID of the event, extracted from the meta.traceId field in the raw log. |
| meta.uuid | principal.asset.product_object_id, target.asset.product_object_id | The UUID of the computer, extracted from the meta.uuid field in the raw log. |
| metadata_event_type | metadata.event_type | The type of the event, set by the parser logic based on the event.type field. |
| metadata_product_name | metadata.product_name | The name of the product, set to Singularity XDR by the parser logic. |
| metadata_vendor_name | metadata.vendor_name | The name of the vendor, set to SentinelOne by the parser logic. |
| network_application_protocol | network.application_protocol | The application protocol of the network connection, set to DNS for DNS events by the parser logic. |
| network_dns_questions.name | network.dns.questions.name | The name of the DNS question, extracted from the event.query field in the raw log. |
| network_direction | network.direction | The direction of the network connection, set to OUTBOUND for outgoing connections and INBOUND for incoming connections by the parser logic. |
| network_http_method | network.http.method | The HTTP method of the event, extracted from the event.method field in the raw log. |
| principal.process.command_line | target.process.command_line | The command line of the principal process, extracted from the principal.process.command_line field and mapped to the target process command line. |
| principal.process.file.full_path | target.process.file.full_path | The full path of the principal process's file, extracted from the principal.process.file.full_path field and mapped to the target process file full path. |
| principal.process.file.md5 | target.process.file.md5 | The MD5 hash of the principal process's file, extracted from the principal.process.file.md5 field and mapped to the target process file MD5. |
| principal.process.file.sha1 | target.process.file.sha1 | The SHA-1 hash of the principal process's file, extracted from the principal.process.file.sha1 field and mapped to the target process file SHA-1. |
| principal.process.file.sha256 | target.process.file.sha256 | The SHA-256 hash of the principal process's file, extracted from the principal.process.file.sha256 field and mapped to the target process file SHA-256. |
| principal.process.file.size | target.process.file.size | The size of the principal process's file, extracted from the principal.process.file.size field and mapped to the target process file size. |
| principal.process.pid | target.process.pid | The PID of the principal process, extracted from the principal.process.pid field and mapped to the target process PID. |
| principal.user.userid | target.user.userid | The user ID of the principal, extracted from the principal.user.userid field and mapped to the target user ID. |
| principal.user.windows_sid | target.user.windows_sid | The Windows SID of the principal, extracted from the principal.user.windows_sid field and mapped to the target user Windows SID. |
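The following Python is an added example, not the page's or the SecOps parser's own code: it applies a subset of the mapping table above to a constructed Cloud Funnel JSON event (including the ";"-split of event.results, the osFamily normalisation and the label fields), so a detection engineer can see which UDM fields a rule should key on before logs arrive. The helper names, the GENERIC_EVENT fallback and the small event.type subset taken from the change log are this example's assumptions.

```python
# (raw dotted path, [UDM dotted paths]) pairs copied from the mapping table.
FIELD_MAP = [
    ("event.source.commandLine", ["principal.process.command_line"]),
    ("event.source.executable.path", ["principal.process.file.full_path"]),
    ("event.source.executable.hashes.sha256", ["principal.process.file.sha256"]),
    ("event.source.fullPid.pid", ["principal.process.pid"]),
    ("event.source.user.name", ["principal.user.userid"]),
    ("event.source.user.sid", ["principal.user.windows_sid"]),
    ("event.sourceAddress.address", ["principal.ip"]),
    ("event.destinationAddress.address", ["target.ip"]),
    ("event.process.commandLine", ["target.process.command_line"]),
    ("event.process.executable.path", ["target.process.file.full_path"]),
    ("event.process.fullPid.pid", ["target.process.pid"]),
    ("event.query", ["network.dns.questions.name"]),
    ("event.type", ["metadata.description"]),
    ("meta.agentVersion", ["metadata.product_version"]),
    ("meta.computerName", ["principal.hostname", "target.hostname"]),
    ("meta.osRevision", ["principal.asset.platform_software.platform_version",
                         "target.asset.platform_software.platform_version"]),
    ("meta.uuid", ["principal.asset.product_object_id", "target.asset.product_object_id"]),
]
# Raw fields the table turns into key/value labels instead of typed fields.
LABEL_MAP = {
    "event.source.executable.signature.signed.identity":
        ("principal.resource.attribute.labels", "Source Signature Signed Identity"),
    "event.target.executable.signature.signed.identity":
        ("target.resource.attribute.labels", "Target Signature Signed Identity"),
    "event.decodedContent": ("target.labels", "Decoded Content"),
}
# Subset of the event.type -> metadata.event_type rules listed in the change log.
EVENT_TYPE_MAP = {
    "Process Creation": "PROCESS_LAUNCH", "IP Connect": "NETWORK_CONNECTION",
    "DNS Resolved": "NETWORK_DNS", "DNS Unresolved": "NETWORK_DNS",
    "File Creation": "FILE_CREATION", "Module Load": "PROCESS_MODULE_LOAD",
}
OS_FAMILY_MAP = {"linux": "LINUX", "windows": "WINDOWS"}


def get_path(obj, dotted):
    """Walk a dotted path through nested dicts; None when any hop is missing."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def set_path(obj, dotted, value):
    """Create intermediate dicts as needed and assign the leaf value."""
    parts = dotted.split(".")
    for part in parts[:-1]:
        obj = obj.setdefault(part, {})
    obj[parts[-1]] = value


def to_udm(raw):
    """Normalise one Cloud Funnel event dict into a UDM-shaped dict."""
    udm = {"metadata": {"vendor_name": "SentinelOne", "product_name": "Singularity XDR"}}
    for src, dsts in FIELD_MAP:
        value = get_path(raw, src)
        if value is not None:  # 0 and "" are real values; only a missing field is skipped
            for dst in dsts:
                set_path(udm, dst, value)
    for src, (dst, key) in LABEL_MAP.items():
        value = get_path(raw, src)
        if value is not None:
            labels = get_path(udm, dst) or []
            labels.append({"key": key, "value": value})
            set_path(udm, dst, labels)
    os_family = OS_FAMILY_MAP.get(str(get_path(raw, "meta.osFamily") or "").lower())
    if os_family:
        set_path(udm, "principal.asset.platform_software.platform", os_family)
        set_path(udm, "target.asset.platform_software.platform", os_family)
    # The GENERIC_EVENT fallback is this example's assumption, not documented on the page.
    event_type = EVENT_TYPE_MAP.get(get_path(raw, "event.type"), "GENERIC_EVENT")
    udm["metadata"]["event_type"] = event_type
    if event_type == "NETWORK_DNS":
        set_path(udm, "network.application_protocol", "DNS")
        answers = [a for a in (get_path(raw, "event.results") or "").split(";") if a]
        if answers:
            set_path(udm, "network.dns.answers", [{"data": a} for a in answers])
    return udm


# Constructed sample event (not real telemetry); its shape follows the table's field names.
SAMPLE_EVENT = {
    "meta": {"computerName": "ws-0042", "osFamily": "windows", "osRevision": "10.0.19045",
             "agentVersion": "23.1.2.7", "uuid": "agent-0001"},
    "event": {
        "type": "DNS Resolved", "query": "updates.example.net",
        "results": "type: 5 cdn.example.net;192.0.2.10;",
        "source": {
            "commandLine": "C:\\Windows\\System32\\svchost.exe -k NetworkService",
            "executable": {"path": "C:\\Windows\\System32\\svchost.exe",
                           "hashes": {"sha256": "ab" * 32},
                           "signature": {"signed": {"identity": "Microsoft Windows"}}},
            "fullPid": {"pid": 1234},
            "user": {"name": "NETWORK SERVICE", "sid": "S-1-5-20"},
        },
    },
}
UDM_EVENT = to_udm(SAMPLE_EVENT)  # inspect or print this to see the resulting UDM shape
```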

Changes

2024-07-29

Enhancement:

  • Mapped metadata.event_type to REGISTRY_CREATION only if registry.keyPath or registry.value is not null.

2024-07-23

Enhancement:

  • Mapped agentDetectionInfo.agentOsName to target.platform_version.
  • Mapped agentDetectionInfo.agentLastLoggedInUserName to target.user.userid.

2024-07-09

Bug-Fix:

  • Changed mapping for suser from principal.user.userid to target.user.userid.
  • Changed mapping for suser from principal.user.user_display_name to target.user.user_display_name.
  • Removed mapping for accountId from target.user.userid.
  • Mapped prin_user to principal.user.userid.

2024-06-03

Enhancement:

  • Mapped suser to principal.user.userid.
  • Mapped accountId to target.user.userid.
  • Mapped MessageSourceAddress to principal.ip.
  • Mapped machine_host to principal.hostname.

2024-05-20

Enhancement:

  • Mapped event.dns.response to network.dns.answers.data.

2024-05-06

Enhancement:

  • Added support for a new pattern of JSON logs.

2024-03-22

Enhancement:

  • Added new Grok pattern to parse new format of tab-separated KV logs.
  • Mapped osName to src.platform.

2024-03-15

Enhancement:

  • Mapped site.id:account.id:agent.uuid:tgt.process.uid to target.process.product_specific_process_id.
  • Mapped site.id:account.id:agent.uuid:src.process.uid to principal.process.product_specific_process_id.
  • Mapped site.id:account.id:agent.uuid:src.process.parent.uid to principal.process.parent_process.product_specific_process_id.
  • Removed src.process.cmdline from being mapped to target.process.command_line.

2023-11-09

Fix:

  • Mapped tgt.process.user to target.user.userid.

2023-10-30

Fix:

  • Added a not-null check to principal_port prior to mapping to UDM.
  • When event.category is url and meta.event.name is HTTP, mapped metadata.event_type to NETWORK_HTTP.

2023-09-06

  • Added mapping of tgt.process.storyline.id to security_result.about.resource.attribute.labels.
  • Modified mapping of src.process.storyline.id from principal.process.product_specific_process_id to security_result.about.resource.attribute.labels.
  • Modified mapping of src.process.parent.storyline.id from principal.parent.process.product_specific_process_id to security_result.about.resource.attribute.labels.

2023-08-31

  • Mapped indicator.category to security_result.category_details.

2023-08-03

  • Initialized event_data.login.loginIsSuccessful to null.
  • Mapped module.path to target.process.file.full_path and target.file.full_path where event.type is Module Load.
  • Mapped module.sha1 to target.process.file.sha1 and target.file.sha1 where event.type is Module Load.
  • Mapped metadata.event_type to PROCESS_MODULE_LOAD where event.type is Module Load.
  • Mapped registry.keyPath to target.registry.registry_key for REGISTRY_* events.
  • Mapped registry.value to target.registry.registry_value_data for REGISTRY_* events.
  • Mapped event.network.protocolName to network.application_protocol.
  • Mapped principal.platform, principal.asset.platform_software.platform to LINUX if endpoint.os is linux.
  • Mapped event.login.userName to target.user.userid when event.type is Login or Logout.
  • Mapped target.hostname by obtaining the hostname from url.address when event.type is GET, OPTIONS, POST, PUT, DELETE, CONNECT, HEAD.

2023-06-09

  • Mapped osSrc.process.parent.publisher to principal.resource.attribute.labels.
  • Mapped src.process.rUserName/src.process.eUserName/src.process.lUserName to principal.user.user_display_name.
  • Added a check to the fields src.process.eUserId, src.process.lUserId, tgt.process.rUserUid prior to mapping to UDM.
  • Mapped tgt.file.location, registry.valueFullSize, registry.valueType to target.resource.attribute.labels.
  • Mapped indicator.description to security_result.summary.
  • Mapped metadata.event_type to SCAN_NETWORK where event.type is Behavioral Indicators.
  • Mapped metadata.event_type to SCAN_UNCATEGORIZED where event.type is Command Script.
  • Initialized fields meta.osFamily, meta.osRevision, event.type.
  • Added ISO8601 to the date filter to parse ISO8601 timestamps.
  • Added on_error to the @timestamp string conversion.
  • Added on_error to meta.uuid prior to mapping.

2023-05-25

  • Mapped event.source.commandLine to principal.process.command_line.
  • Mapped event.source.executable.path to principal.process.file.full_path.
  • Set metadata.event_type to PROCESS_OPEN where event.type is openProcess.
  • Mapped site.name:site.id to principal.namespace if both site.name and site.id are not null.
  • Mapped event.network.direction to network.direction.
  • Mapped meta.event.name to metadata.description.
  • Mapped task.name to target.resource.name.
  • Mapped agent.uuid to principal.asset.product_object_id.
  • Mapped src.process.publisher to principal.resource.attribute.labels.
  • Mapped src.process.cmdline to target.process.command_line.
  • Mapped mgmt.osRevision to principal.asset.platform_software.platform_version.
  • Mapped security_result.category according to indicator.category value.
  • Mapped event.dns.response to network.dns.answers.
  • Mapped registry.keyPath to target.registry.registry_key.
  • Mapped event.id to target.registry.registry_value_name.

2023-04-27

  • Mapped event.type to metadata.product_event_type for Cloud Funnel v2 logs.

2023-04-20

Enhancement:

  • Added null and '-' conditional check for the field data.ipAddress.
  • Added grok conditional check for the field sourceMacAddresses.

2023-03-02

Enhancement:

  • When (event.type == tcpv4 and event.direction == INCOMING) or event.type contains (processExit|processTermination|processModification|duplicate), mapped event.source.executable.signature.signed.identity to target.resource.attribute.labels; otherwise mapped it to principal.resource.attribute.labels.
  • Mapped event.parent.executable.signature.signed.identity and event.process.executable.signature.signed.identity to principal.resource.attribute.labels.
  • Mapped event.targetFile.signature.signed.identity, event.target.executable.signature.signed.identity and event.target.parent.executable.signature.signed.identity to target.resource.attribute.labels.

2023-02-24

BugFix:

  • Refactored the code to clearly differentiate between the log versions.
  • For USER_LOGIN Cloud Funnel v2 logs, mapped event.login.loginIsSuccessful details to security_result.action and security_result.summary.

2023-02-13

BugFix:

  • Parsed cloud funnel v1 logs as required.
  • Mapping all http logs to NETWORK_HTTP.
  • NETWORK_HTTP should have URL field mapped to target.url instead of metadata.url_back_to_product.

2023-01-20

Enhancement:

  • Mapped the field 'event.url' to 'target.hostname' and 'target.url'.
  • Mapped 'metadata.event_type' to 'NETWORK_HTTP' where 'event.type' == 'http'.

2023-01-16

BugFix:

  • Mapped mgmt.url to metadata.url_back_to_product instead of target.url.
  • Mapped site.name to principal.location.name.
  • Mapped src.process.rUserUid to principal.user.userid.
  • Mapped src.process.eUserId to principal.user.userid.
  • Mapped src.process.lUserId to principal.user.userid.
  • Mapped src.process.parent.rUserUid to metadata.ingestion_labels.
  • Mapped src.process.parent.eUserId to metadata.ingestion_labels.
  • Mapped src.process.parent.lUserId to metadata.ingestion_labels.
  • Mapped tgt.process.rUserUid to target.user.userid.
  • Mapped tgt.process.eUserId to target.user.userid.
  • Mapped tgt.process.lUserId to target.user.userid.
  • If event.type is Process Creation mapped metadata.event_type to PROCESS_LAUNCH.
  • If event.type is Duplicate Process Handle mapped metadata.event_type to PROCESS_OPEN.
  • If event.type is Duplicate Thread Handle mapped metadata.event_type to PROCESS_OPEN.
  • If event.type is Open Remote Process Handle mapped metadata.event_type to PROCESS_OPEN.
  • If event.type is Remote Thread Creation mapped metadata.event_type to PROCESS_LAUNCH.
  • If event.type is Command Script mapped metadata.event_type to FILE_UNCATEGORIZED.
  • If event.type is IP Connect mapped metadata.event_type to NETWORK_CONNECTION.
  • If event.type is IP Listen mapped metadata.event_type to NETWORK_UNCATEGORIZED.
  • If event.type is File Modification mapped metadata.event_type to FILE_MODIFICATION.
  • If event.type is File Creation mapped metadata.event_type to FILE_CREATION.
  • If event.type is File Scan mapped metadata.event_type to FILE_UNCATEGORIZED.
  • If event.type is File Deletion mapped metadata.event_type to FILE_DELETION.
  • If event.type is File Rename mapped metadata.event_type to FILE_MODIFICATION.
  • If event.type is Pre Execution Detection mapped metadata.event_type to FILE_UNCATEGORIZED.
  • If event.type is Login mapped metadata.event_type to USER_LOGIN.
  • If event.type is Logout mapped metadata.event_type to USER_LOGOUT.
  • If event.type is GET mapped metadata.event_type to NETWORK_HTTP.
  • If event.type is OPTIONS mapped metadata.event_type to NETWORK_HTTP.
  • If event.type is POST mapped metadata.event_type to NETWORK_HTTP.
  • If event.type is PUT mapped metadata.event_type to NETWORK_HTTP.
  • If event.type is DELETE mapped metadata.event_type to NETWORK_HTTP.
  • If event.type is CONNECT mapped metadata.event_type to NETWORK_HTTP.
  • If event.type is HEAD mapped metadata.event_type to NETWORK_HTTP.
  • If event.type is Not Reported mapped metadata.event_type to STATUS_UNCATEGORIZED.
  • If event.type is DNS Resolved mapped metadata.event_type to NETWORK_DNS.
  • If event.type is DNS Unresolved mapped metadata.event_type to NETWORK_DNS.
  • If event.type is Task Register mapped metadata.event_type to SCHEDULED_TASK_CREATION.
  • If event.type is Task Update mapped metadata.event_type to SCHEDULED_TASK_MODIFICATION.
  • If event.type is Task Start mapped metadata.event_type to SCHEDULED_TASK_UNCATEGORIZED.
  • If event.type is Task Trigger mapped metadata.event_type to SCHEDULED_TASK_UNCATEGORIZED.
  • If event.type is Task Delete mapped metadata.event_type to SCHEDULED_TASK_DELETION.
  • If event.type is Registry Key Create mapped metadata.event_type to REGISTRY_CREATION.
  • If event.type is Registry Key Rename mapped metadata.event_type to REGISTRY_MODIFICATION.
  • If event.type is Registry Key Delete mapped metadata.event_type to REGISTRY_DELETION.
  • If event.type is Registry Key Export mapped metadata.event_type to REGISTRY_UNCATEGORIZED.
  • If event.type is Registry Key Security Changed mapped metadata.event_type to REGISTRY_MODIFICATION.
  • If event.type is Registry Key Import mapped metadata.event_type to REGISTRY_CREATION.
  • If event.type is Registry Value Modified mapped metadata.event_type to REGISTRY_MODIFICATION.
  • If event.type is Registry Value Create mapped metadata.event_type to REGISTRY_CREATION.
  • If event.type is Registry Value Delete mapped metadata.event_type to REGISTRY_DELETION.
  • If event.type is Behavioral Indicators mapped metadata.event_type to SCAN_UNCATEGORIZED.
  • If event.type is Module Load mapped metadata.event_type to PROCESS_MODULE_LOAD.
  • If event.type is Threat Intelligence Indicators mapped metadata.event_type to SCAN_UNCATEGORIZED.
  • If event.type is Named Pipe Creation mapped metadata.event_type to PROCESS_UNCATEGORIZED.
  • If event.type is Named Pipe Connection mapped metadata.event_type to PROCESS_UNCATEGORIZED.
  • If event.type is Driver Load mapped metadata.event_type to PROCESS_MODULE_LOAD.

2022-11-30

Enhancement:

  • Enhanced the parser to support logs ingested in version V2 by mapping the following fields.
  • Mapped account.id to metadata.product_deployment_id.
  • Mapped agent.uuid to principal.asset.asset_id.
  • Mapped dst.ip.address to target.ip.
  • Mapped src.ip.address to principal.ip.
  • Mapped src.process.parent.image.sha1 to principal.process.parent_process.file.sha1.
  • Mapped src.process.parent.image.sha256 to principal.process.parent_process.file.sha256.
  • Mapped src.process.parent.image.path to principal.process.parent_process.file.full_path.
  • Mapped src.process.parent.cmdline to principal.process.parent_process.command_line.
  • Mapped src.process.parent.image.md5 to principal.process.parent_process.file.md5.
  • Mapped src.process.parent.pid to principal.process.parent_process.pid.
  • Mapped src.process.image.sha1 to principal.process.file.sha1.
  • Mapped src.process.image.md5 to principal.process.file.md5.
  • Mapped src.process.pid to principal.process.pid.
  • Mapped src.process.cmdline to principal.process.command_line.
  • Mapped src.process.image.path to principal.process.file.full_path.
  • Mapped src.process.image.sha256 to principal.process.file.sha256.
  • Mapped src.process.user to principal.user.user_display_name.
  • Mapped src.process.uid to principal.user.userid.
  • Mapped src.process.storyline.id to principal.process.product_specific_process_id.
  • Mapped src.process.parent.storyline.id to principal.process.parent_process.product_specific_process_id.
  • Mapped mgmt.url to target.url.
  • Mapped site.id to principal.namespace.
  • Mapped src.port.number to principal.port.
  • Mapped dst.port.number to target.port.
  • Mapped event_data.id to metadata.product_log_id.

2022-10-11

Enhancement:

  • Mapped threatClassification to security_result.category_details.
  • Mapped threatConfidenceLevel and threatMitigationStatus to security_result.detection_fields.
  • Mapped Location to principal.location.name.
  • Mapped data.filePath to principal.process.parent_process.file.full_path.
  • Updated the mapping of (CAT Value) from security_result.category_details to metadata.product_event_type.

2022-09-01

Enhancement:

  • Changed metadata.product_name from SentinelOne to Singularity.
  • Mapped event.regValue.key.value to target.registry.registry_value_name.
  • Mapped principal_userid to principal.user.userid.
  • Mapped principal_domain to principal.administrative_domain.
  • Mapped threatInfo.threatId to security_result.threat_id.
  • Mapped threatInfo.identifiedAt to metadata.event_timestamp.
  • Mapped threatInfo.threatId to metadata.product_log_id.
  • Mapped security_result.alert_state to ALERTING.
  • Mapped threatInfo.maliciousProcessArguments to security_result.description.
  • Mapped threatInfo.threatName to security_result.threat_name.
  • Mapped threatInfo.classification to security_result.category_details.
  • Mapped security_result.category to SOFTWARE_MALICIOUS where threatInfo.classification is malicious else to NETWORK_SUSPICIOUS.
  • Mapped security_result.action to ALLOW where threatInfo.mitigationStatus is mitigated else to BLOCK.
  • Mapped threatInfo.mitigationStatus to security_result.action_details.
  • Mapped threatInfo.classification threatInfo.classificationSource threatInfo.analystVerdictDescription threatInfo.threatName to security_result.summary.
  • Mapped threatInfo.createdAt to metadata.collected_timestamp.
  • Mapped agentRealtimeInfo.accountId to metadata.product_deployment_id.
  • Mapped agentRealtimeInfo.agentVersion to metadata.product_version.
  • Mapped indicator.category to detection_fields.key and indicator.description to detection_fields.value.
  • Mapped detectionEngines.key to detection_fields.key and detectionEngines.title to detection_fields.value.
  • Mapped metadata.event_type to SCAN_UNCATEGORIZED where meta.computerName is not null.

2022-07-21

Enhancement:

  • Mapped event.source.executable.hashes.md5 to principal.process.file.md5.
  • Mapped event.source.executable.hashes.sha256 to principal.process.file.sha256.
  • Mapped event.source.executable.hashes.sha1 to principal.process.file.sha1.
  • Mapped event.source.fullPid.pid to principal.process.pid.
  • Mapped event.source.user.name to principal.user.userid.
  • Mapped meta.agentVersion to metadata.product_version.
  • Mapped event.appName to target.application.
  • Mapped event.contentHash.sha256 to target.process.file.sha256.
  • Mapped event.source.commandLine to target.process.command_line.
  • Mapped event.decodedContent to target.labels.
  • Changed metadata.description from scripts to Command Scripts where event.type is scripts.
  • Mapped vendor to metadata.vendor_name.
  • Mapped data.fileContentHash to target.process.file.md5.
  • Mapped data.ipAddress to principal.ip.
  • Mapped activityUuid to target.asset.product_object_id.
  • Mapped agentId to metadata.product_deployment_id.
  • Added email verification for user_email prior to mapping it to principal.user.email_addresses, if failed mapped it to principal.user.userid.
  • Mapped sourceIpAddresses to principal.ip.
  • Mapped accountName to principal.administrative_domain.
  • Mapped activityId to additional.fields.

2022-07-15

Enhancement:

  • Parsed the new logs with JSON format and mapped the following new fields:
  • metadata.product_name to SENTINEL_ONE.
  • sourceParentProcessMd5 to principal.process.parent_process.file.md5.
  • sourceParentProcessPath to principal.process.parent_process.file.full_path.
  • sourceParentProcessPid to principal.process.parent_process.pid.
  • sourceParentProcessSha1 to principal.process.parent_process.file.sha1.
  • sourceParentProcessSha256 to principal.process.parent_process.file.sha256.
  • sourceParentProcessCmdArgs to principal.process.parent_process.command_line.
  • sourceProcessCmdArgs to principal.process.command_line.
  • sourceProcessMd5 to principal.process.file.md5.
  • sourceProcessPid to principal.process.pid.
  • sourceProcessSha1 to principal.process.file.sha1.
  • sourceProcessSha256 to principal.process.file.sha256.
  • sourceProcessPath to principal.process.file.full_path.
  • tgtFilePath to target.file.full_path.
  • tgtFileHashSha256 to target.file.sha256.
  • tgtFileHashSha1 to target.file.sha1.
  • tgtProcUid to target.process.product_specific_process_id.
  • tgtProcCmdLine to target.process.command_line.
  • tgtProcPid to target.process.pid.
  • tgtProcName to target.application.
  • dstIp to target.ip.
  • srcIp to principal.ip.
  • dstPort to target.port.
  • srcPort to principal.port.
  • origAgentName to principal.hostname.
  • agentIpV4 to principal.ip.
  • groupId to principal.user.group_identifiers.
  • groupName to principal.user.group_display_name.
  • origAgentVersion to principal.asset.software.version.
  • origAgentOsFamily to principal.platform.
  • origAgentOsName to principal.asset.software.name.
  • event_type to FILE_MODIFICATION when sourceEventType = FILEMODIFICATION.
  • event_type to FILE_DELETION when sourceEventType = FILEDELETION.
  • event_type to PROCESS_LAUNCH when sourceEventType = PROCESSCREATION.
  • event_type to NETWORK_CONNECTION when sourceEventType = TCPV4.

2022-06-13

Enhancement:

  • For [event][type] == fileCreation or [event][type] == fileDeletion:
  • Mapped event.targetFile.path to target.file.full_path.
  • Mapped event.targetFile.hashes.md5 to target.process.file.md5.
  • Mapped event.targetFile.hashes.sha1 to target.process.file.sha1.
  • Mapped event.targetFile.hashes.sha256 to target.process.file.sha256.
  • For [event][type] == fileModification:
  • Mapped event.file.path to target.file.full_path.
  • Mapped event.file.hashes.md5 to target.process.file.md5.
  • Mapped event.file.hashes.sha1 to target.process.file.sha1.
  • Mapped event.file.hashes.sha256 to target.process.file.sha256.

2022-04-18

  • Enhanced the parser to handle all the unparsed raw logs.