Collect SentinelOne EDR logs

This document describes how you can collect SentinelOne EDR logs by setting up a Google Security Operations feed.

For more information, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the SENTINEL_EDR ingestion label.

Configure SentinelOne EDR

  1. Sign in to the Device Management console with the viewer account.
  2. Select User Name > My User.
  3. In the dialog, click Generate API Token.
  4. Copy and save the API token.

Configure a feed in Google Security Operations to ingest SentinelOne EDR logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add New.
  3. Enter a unique name for the Field Name.
  4. Select Google Cloud Storage as the Source Type.
  5. Select SentinelOne EDR as the Log Type.
  6. Click Get a Service Account. Google Security Operations provides a unique service account that Google Security Operations uses to ingest data.
  7. Configure access for the service account to access the Cloud Storage objects. For more information, see Grant access to the Google Security Operations service account.
  8. Click Next.
  9. Configure the following mandatory input parameters:
    • Storage bucket URI
    • URI is a
    • Source deletion option
  10. Click Next and then click Submit.

For more information about Google Security Operations feeds, see Google Security Operations feeds documentation.

For information about requirements for each feed type, see Feed configuration by type.

If you encounter issues when you create feeds, contact Google Security Operations support.

Field mapping reference

This parser extracts SentinelOne EDR logs, transforms them into UDM, and handles both legacy and Cloud Funnel (v1 and v2) formats. It performs extensive field mapping, including network connections, process events, file and registry activities, scheduled tasks, and threat intelligence indicators, leveraging conditional logic based on event types and data sources. The parser also handles MITRE ATT&CK framework mapping and various data normalization tasks like timestamp conversion and string manipulation.

SentinelOne Parser UDM Mapping

| Log Field | UDM Mapping | Logic |
|---|---|---|
| @timestamp | metadata.event_timestamp | The timestamp of the event as recorded by SentinelOne. Parsed from the @timestamp field in the raw log. |
| agentDetectionInfo.accountId | metadata.product_deployment_id | The ID of the account in SentinelOne. |
| agentDetectionInfo.accountName | principal.administrative_domain | The name of the account in SentinelOne. |
| agentDetectionInfo.agentDomain | principal.administrative_domain | The domain of the agent. |
| agentDetectionInfo.agentIpV4 | principal.ip, principal.asset.ip | The IPv4 address of the agent. |
| agentDetectionInfo.agentLastLoggedInUserName | principal.user.user_display_name | The username of the last logged-in user on the agent. |
| agentDetectionInfo.agentMachineType | principal.asset.machine_type | The type of machine the agent is installed on (e.g., desktop, server, laptop). |
| agentDetectionInfo.agentMitigationMode | N/A | The mitigation mode of the agent. Not mapped to UDM. |
| agentDetectionInfo.agentNetworkStatus | N/A | The network status of the agent. Not mapped to UDM. |
| agentDetectionInfo.agentOsName | principal.asset.platform_software.platform | The operating system name of the agent. |
| agentDetectionInfo.agentOsRevision | principal.asset.platform_software.platform_version | The operating system revision of the agent. |
| agentDetectionInfo.agentRegisteredAt | principal.asset.first_discover_time | The timestamp when the agent was registered. |
| agentDetectionInfo.agentUuid | principal.asset.asset_id, principal.asset.product_object_id | The UUID of the agent. Formatted as "Device ID: {uuid}". |
| agentDetectionInfo.agentVersion | metadata.product_version | The version of the SentinelOne agent. |
| agentDetectionInfo.externalIp | principal.ip, principal.asset.ip | The external IP address of the agent. |
| agentDetectionInfo.groupId | principal.user.group_identifiers | The ID of the group the agent belongs to. |
| agentDetectionInfo.groupName | principal.group.group_display_name | The name of the group the agent belongs to. |
| agentDetectionInfo.siteId | principal.namespace | The ID of the site the agent belongs to. |
| agentDetectionInfo.siteName | principal.location.name | The name of the site the agent belongs to. |
| agentRealtimeInfo.accountId | metadata.product_deployment_id | The ID of the account in SentinelOne. |
| agentRealtimeInfo.accountName | principal.administrative_domain | The name of the account in SentinelOne. |
| agentRealtimeInfo.activeThreats | N/A | The number of active threats on the agent. Not mapped to UDM. |
| agentRealtimeInfo.agentComputerName | principal.hostname, principal.asset.hostname | The hostname of the agent's computer. |
| agentRealtimeInfo.agentDecommissionedAt | N/A | Indicates if the agent is decommissioned. Not mapped to UDM. |
| agentRealtimeInfo.agentDomain | principal.administrative_domain | The domain of the agent. |
| agentRealtimeInfo.agentId | N/A | The ID of the agent. Not mapped to UDM. |
| agentRealtimeInfo.agentInfected | N/A | Indicates if the agent is infected. Not mapped to UDM. |
| agentRealtimeInfo.agentIsActive | N/A | Indicates if the agent is active. Not mapped to UDM. |
| agentRealtimeInfo.agentIsDecommissioned | N/A | Indicates if the agent is decommissioned. Not mapped to UDM. |
| agentRealtimeInfo.agentMachineType | principal.asset.machine_type | The type of machine the agent is installed on (e.g., desktop, server, laptop). |
| agentRealtimeInfo.agentMitigationMode | N/A | The mitigation mode of the agent. Not mapped to UDM. |
| agentRealtimeInfo.agentNetworkStatus | N/A | The network status of the agent. Not mapped to UDM. |
| agentRealtimeInfo.agentOsName | principal.asset.platform_software.platform | The operating system name of the agent. |
| agentRealtimeInfo.agentOsRevision | principal.asset.platform_software.platform_version | The operating system revision of the agent. |
| agentRealtimeInfo.agentOsType | principal.platform | The operating system type of the agent. |
| agentRealtimeInfo.agentUuid | principal.asset.asset_id, principal.asset.product_object_id | The UUID of the agent. Formatted as "Device ID: {uuid}". |
| agentRealtimeInfo.agentVersion | metadata.product_version | The version of the SentinelOne agent. |
| agentRealtimeInfo.groupId | principal.user.group_identifiers | The ID of the group the agent belongs to. |
| agentRealtimeInfo.groupName | principal.group.group_display_name | The name of the group the agent belongs to. |
| agentRealtimeInfo.networkInterfaces | principal.ip, principal.asset.ip, principal.mac | Network interface information, including IP addresses and MAC addresses. |
| agentRealtimeInfo.operationalState | N/A | The operational state of the agent. Not mapped to UDM. |
| agentRealtimeInfo.rebootRequired | N/A | Indicates if a reboot is required. Not mapped to UDM. |
| agentRealtimeInfo.scanAbortedAt | N/A | The timestamp when a scan was aborted. Not mapped to UDM. |
| agentRealtimeInfo.scanFinishedAt | N/A | The timestamp when a scan finished. Not mapped to UDM. |
| agentRealtimeInfo.scanStartedAt | N/A | The timestamp when a scan started. Not mapped to UDM. |
| agentRealtimeInfo.scanStatus | N/A | The status of a scan. Not mapped to UDM. |
| agentRealtimeInfo.siteId | principal.namespace | The ID of the site the agent belongs to. |
| agentRealtimeInfo.siteName | principal.location.name | The name of the site the agent belongs to. |
| agentRealtimeInfo.storageName | N/A | The storage name. Not mapped to UDM. |
| agentRealtimeInfo.storageType | N/A | The storage type. Not mapped to UDM. |
| agentRealtimeInfo.userActionsNeeded | N/A | User actions needed. Not mapped to UDM. |
| batch.customer_id | N/A | The customer ID. Not mapped to UDM. |
| batch.collector_id | N/A | The collector ID. Not mapped to UDM. |
| batch.type | metadata.log_type | The type of the batch. |
| collection_time | metadata.collected_timestamp | The time when the log was collected. |
| create_time | metadata.event_timestamp | The time when the event was created. |
| data | (Various) | The main data payload of the SentinelOne event. Fields within this object are mapped to various UDM fields depending on the event type. |
| event.activityType | N/A | The type of activity. Not mapped to UDM. |
| event.agentId | metadata.product_deployment_id | The ID of the agent. |
| event.agentUpdatedVersion | N/A | The updated version of the agent. Not mapped to UDM. |
| event.comments | N/A | Comments associated with the event. Not mapped to UDM. |
| event.createdAt | metadata.event_timestamp | The time when the event was created. |
| event.data | (Various) | Data associated with the event. Fields within this object are mapped to various UDM fields depending on the event type. |
| event.description | metadata.product_event_type | The description of the event. |
| event.destinationAddress.address | target.ip | The IP address of the destination. |
| event.destinationAddress.port | target.port | The port of the destination. |
| event.direction | network.direction | The direction of the network connection. Mapped to "INBOUND" or "OUTBOUND". |
| event.executable.commandLine | principal.process.command_line, target.process.command_line | The command line of the executable. |
| event.executable.creationTime.millisecondsSinceEpoch | N/A | The creation time of the executable. Not mapped to UDM. |
| event.executable.full_path | principal.process.file.full_path, target.process.file.full_path | The full path of the executable. |
| event.executable.hashes.md5 | principal.process.file.md5, target.process.file.md5 | The MD5 hash of the executable. |
| event.executable.hashes.sha1 | principal.process.file.sha1, target.process.file.sha1 | The SHA1 hash of the executable. |
| event.executable.hashes.sha256 | principal.process.file.sha256, target.process.file.sha256 | The SHA256 hash of the executable. |
| event.executable.isDir | N/A | Indicates if the executable is a directory. Not mapped to UDM. |
| event.executable.isKernelModule | N/A | Indicates if the executable is a kernel module. Not mapped to UDM. |
| event.executable.name | N/A | The name of the executable. Not mapped to UDM. |
| event.executable.node.key.value | N/A | The node key value of the executable. Not mapped to UDM. |
| event.executable.owner.name | N/A | The owner name of the executable. Not mapped to UDM. |
| event.executable.owner.sid | N/A | The owner SID of the executable. Not mapped to UDM. |
| event.executable.pUnix | N/A | The pUnix value of the executable. Not mapped to UDM. |
| event.executable.signature.signed.identity | principal.resource.attribute.labels, target.resource.attribute.labels | The identity of the signed executable. Formatted as "Source Signature Signed Identity: {identity}". |
| event.executable.signature.signed.valid | N/A | Indicates if the signature is valid. Not mapped to UDM. |
| event.executable.signature.unsigned | N/A | Indicates if the executable is unsigned. Not mapped to UDM. |
| event.executable.sizeBytes | principal.process.file.size, target.process.file.size | The size of the executable in bytes. |
| event.excluded | N/A | Indicates if the event is excluded. Not mapped to UDM. |
| event.file.creationTime.millisecondsSinceEpoch | N/A | The creation time of the file. Not mapped to UDM. |
| event.file.full_path | target.file.full_path | The full path of the file. |
| event.file.hashes.md5 | target.process.file.md5 | The MD5 hash of the file. |
| event.file.hashes.sha1 | target.process.file.sha1 | The SHA1 hash of the file. |
| event.file.hashes.sha256 | target.process.file.sha256 | The SHA256 hash of the file. |
| event.file.isDir | N/A | Indicates if the file is a directory. Not mapped to UDM. |
| event.file.isKernelModule | N/A | Indicates if the file is a kernel module. Not mapped to UDM. |
| event.file.node.key.value | N/A | The node key value of the file. Not mapped to UDM. |
| event.file.owner.name | N/A | The owner name of the file. Not mapped to UDM. |
| event.file.owner.sid | N/A | The owner SID of the file. Not mapped to UDM. |
| event.file.pUnix | N/A | The pUnix value of the file. Not mapped to UDM. |
| event.file.signature.unsigned | N/A | Indicates if the file is unsigned. Not mapped to UDM. |
| event.file.sizeBytes | N/A | The size of the file in bytes. Not mapped to UDM. |
| event.fullPid.pid | principal.process.pid, target.process.pid | The process ID. |
| event.fullPid.startTime.millisecondsSinceEpoch | N/A | The start time of the process. Not mapped to UDM. |
| event.hashes.md5 | target.file.md5 | The MD5 hash. |
| event.hashes.sha1 | target.file.sha1 | The SHA1 hash. |
| event.hashes.sha256 | target.file.sha256 | The SHA256 hash. |
| event.id | metadata.product_log_id | The event ID. |
| event.interactive | N/A | Indicates if the event is interactive. Not mapped to UDM. |
| event.isRedirectedCommandProcessor | N/A | Indicates if the event is a redirected command processor. Not mapped to UDM. |
| event.isWow64 | N/A | Indicates if the event is WoW64. Not mapped to UDM. |
| event.method | network.http.method | The HTTP method. |
| event.name | N/A | The name of the event. Not mapped to UDM. |
| event.node.key.value | N/A | The node key value of the event. Not mapped to UDM. |
| event.oldHashes.md5 | N/A | The old MD5 hash. Not mapped to UDM. |
| event.oldHashes.sha1 | N/A | The old SHA1 hash. Not mapped to UDM. |
| event.oldHashes.sha256 | N/A | The old SHA256 hash. Not mapped to UDM. |
| event.parent.commandLine | principal.process.parent_process.command_line, target.process.parent_process.command_line | The command line of the parent process. |
| event.parent.excluded | N/A | Indicates if the parent event is excluded. Not mapped to UDM. |
| event.parent.executable.creationTime.millisecondsSinceEpoch | N/A | The creation time of the parent executable. Not mapped to UDM. |
| event.parent.executable.full_path | principal.process.parent_process.file.full_path, target.process.parent_process.file.full_path | The full path of the parent executable. |
| event.parent.executable.hashes.md5 | principal.process.parent_process.file.md5, target.process.parent_process.file.md5 | The MD5 hash of the parent executable. |
| event.parent.executable.hashes.sha1 | principal.process.parent_process.file.sha1, target.process.parent_process.file.sha1 | The SHA1 hash of the parent executable. |
| event.parent.executable.hashes.sha256 | principal.process.parent_process.file.sha256, target.process.parent_process.file.sha256 | The SHA256 hash of the parent executable. |
| event.parent.executable.isDir | N/A | Indicates if the parent executable is a directory. Not mapped to UDM. |
| event.parent.executable.isKernelModule | N/A | Indicates if the parent executable is a kernel module. Not mapped to UDM. |
| event.parent.executable.node.key.value | N/A | The node key value of the parent executable. Not mapped to UDM. |
| event.parent.executable.owner.name | N/A | The owner name of the parent executable. Not mapped to UDM. |
| event.parent.executable.owner.sid | N/A | The owner SID of the parent executable. Not mapped to UDM. |
| event.parent.executable.pUnix | N/A | The pUnix value of the parent executable. Not mapped to UDM. |
| event.parent.executable.signature.signed.identity | principal.resource.attribute.labels, target.resource.attribute.labels | The identity of the signed parent executable. Formatted as "Source Parent Signature Signed Identity: {identity}". |
| event.parent.executable.signature.signed.valid | N/A | Indicates if the parent signature is valid. Not mapped to UDM. |
| event.parent.executable.signature.unsigned | N/A | Indicates if the parent executable is unsigned. Not mapped to UDM. |
| event.parent.executable.sizeBytes | principal.process.parent_process.file.size, target.process.parent_process.file.size | The size of the parent executable in bytes. |
| event.parent.fullPid.pid | principal.process.parent_process.pid, target.process.parent_process.pid | The parent process ID. |
| event.parent.fullPid.startTime.millisecondsSinceEpoch | N/A | The start time of the parent process. Not mapped to UDM. |
| event.parent.interactive | N/A | Indicates if the parent event is interactive. Not mapped to UDM. |
| event.parent.isRedirectedCommandProcessor | N/A | Indicates if the parent event is a redirected command processor. Not mapped to UDM. |
| event.parent.isWow64 | N/A | Indicates if the parent event is WoW64. Not mapped to UDM. |
| event.parent.name | N/A | The name of the parent event. Not mapped to UDM. |
| event.parent.node.key.value | N/A | The node key value of the parent event. Not mapped to UDM. |
| event.parent.root | N/A | Indicates if the parent event is root. Not mapped to UDM. |
| event.parent.sessionId | N/A | The session ID of the parent event. Not mapped to UDM. |
| event.parent.subsystem | N/A | The subsystem of the parent event. Not mapped to UDM. |
| event.parent.trueContext.key.value | N/A | The true context key value of the parent event. Not mapped to UDM. |
| event.parent.user.integrityLevel | N/A | The integrity level of the parent user. Not mapped to UDM. |
| event.parent.user.name | principal.user.userid | The username of the parent process. |
| event.parent.user.sid | principal.user.windows_sid | The Windows SID of the parent user. |
| event.process.commandLine | target.process.command_line | The command line of the process. |
| event.process.executable.creationTime.millisecondsSinceEpoch | N/A | The creation time of the process executable. Not mapped to UDM. |
| event.process.executable.full_path | target.process.file.full_path | The full path of the process executable. |
| event.process.executable.hashes.md5 | target.process.file.md5 | The MD5 hash of the process executable. |
| event.process.executable.hashes.sha1 | target.process.file.sha1 | The SHA1 hash of the process executable. |
| event.process.executable.hashes.sha256 | target.process.file.sha256 | The SHA256 hash of the process executable. |
| event.process.executable.isDir | N/A | Indicates if the process executable is a directory. Not mapped to UDM. |
| event.process.executable.isKernelModule | N/A | Indicates if the process executable is a kernel module. Not mapped to UDM. |
| event.process.executable.node.key.value | N/A | The node key value of the process executable. Not mapped to UDM. |
| event.process.executable.owner.name | N/A | The owner name of the process executable. Not mapped to UDM. |
| event.process.executable.owner.sid | N/A | The owner SID of the process executable. Not mapped to UDM. |
| event.process.executable.pUnix | N/A | The pUnix value of the process executable. Not mapped to UDM. |
| event.process.executable.signature.unsigned | N/A | Indicates if the process executable is unsigned. Not mapped to UDM. |
| event.process.executable.sizeBytes | target.process.file.size | The size of the process executable in bytes. |
| event.process.excluded | N/A | Indicates if the process is excluded. Not mapped to UDM. |
| event.process.fullPid.pid | target.process.pid | The process ID. |
| event.process.fullPid.startTime.millisecondsSinceEpoch | N/A | The start time of the process. Not mapped to UDM. |
| event.process.interactive | N/A | Indicates if the process is interactive. Not mapped to UDM. |
| event.process.isRedirectedCommandProcessor | N/A | Indicates if the process is a redirected command processor. Not mapped to UDM. |
| event.process.isWow64 | N/A | Indicates if the process is WoW64. Not mapped to UDM. |
| event.process.name | N/A | The name of the process. Not mapped to UDM. |
| event.process.node.key.value | N/A | The node key value of the process. Not mapped to UDM. |
| event.process.root | N/A | Indicates if the process is root. Not mapped to UDM. |
| event.process.sessionId | N/A | The session ID of the process. Not mapped to UDM. |
| event.process.subsystem | N/A | The subsystem of the process. Not mapped to UDM. |
| event.process.trueContext.key.value | N/A | The true context key value of the process. Not mapped to UDM. |
| event.process.user.integrityLevel | N/A | The integrity level of the process user. Not mapped to UDM. |
| event.process.user.name | target.user.userid | The username of the process. |
| event.process.user.sid | target.user.windows_sid | The Windows SID of the process user. |
| event.query | network.dns.questions.name | The DNS query. |
| event.regKey.key.value | N/A | The registry key value. Not mapped to UDM. |
| event.regKey.full_path | target.registry.registry_key | The registry key path. |
| event.regValue.key.value | target.registry.registry_value_name | The registry value name. |
| event.regValue.full_path | target.registry.registry_key | The registry value path. |
| event.results | network.dns.answers.data | The DNS results. |
| event.root | N/A | Indicates if the event is root. Not mapped to UDM. |
| event.sessionId | N/A | The session ID of the event. Not mapped to UDM. |
| event.signature.signed.identity | principal.resource.attribute.labels, target.resource.attribute.labels | The identity of the signed event. Formatted as "Source Signature Signed Identity: {identity}". |
| event.signature.signed.valid | N/A | Indicates if the signature is valid. Not mapped to UDM. |
| event.signature.unsigned | N/A | Indicates if the event is unsigned. Not mapped to UDM. |
| event.source.commandLine | principal.process.command_line, target.process.command_line | The command line of the source. |
| event.source.executable.creationTime.millisecondsSinceEpoch | N/A | The creation time of the source executable. Not mapped to UDM. |
| event.source.executable.full_path | principal.process.file.full_path, target.process.file.full_path | The full path of the source executable. |
| event.source.executable.hashes.md5 | principal.process.file.md5, target.process.file.md5 | The MD5 hash of the source executable. |
| event.source.executable.hashes.sha1 | principal.process.file.sha1, target.process.file.sha1 | The SHA1 hash of the source executable. |
| event.source.executable.hashes.sha256 | principal.process.file.sha256, target.process.file.sha256 | The SHA256 hash of the source executable. |
| event.source.executable.isDir | N/A | Indicates if the source executable is a directory. Not mapped to UDM. |
| event.source.executable.isKernelModule | N/A | Indicates if the source executable is a kernel module. Not mapped to UDM. |
| event.source.executable.node.key.value | N/A | The node key value of the source executable. Not mapped to UDM. |
| event.source.executable.owner.name | N/A | The owner name of the source executable. Not mapped to UDM. |
| event.source.executable.owner.sid | N/A | The owner SID of the source executable. Not mapped to UDM. |
| event.source.executable.pUnix | N/A | The pUnix value of the source executable. Not mapped to UDM. |
| event.source.executable.signature.signed.identity | principal.resource.attribute.labels, target.resource.attribute.labels | The identity of the signed source executable. Formatted as "Source Signature Signed Identity: {identity}". |
| event.source.executable.signature.signed.valid | N/A | Indicates if the source signature is valid. Not mapped to UDM. |
| event.source.executable.signature.unsigned | N/A | Indicates if the source executable is unsigned. Not mapped to UDM. |
| event.source.executable.sizeBytes | principal.process.file.size, target.process.file.size | The size of the source executable in bytes. |
| event.source.excluded | N/A | Indicates if the source is excluded. Not mapped to UDM. |
| event.source.fullPid.pid | principal.process.pid, target.process.pid | The process ID of the source. |
| event.source.fullPid.startTime.millisecondsSinceEpoch | N/A | The start time of the source process. Not mapped to UDM. |
| event.source.interactive | N/A | Indicates if the source is interactive. Not mapped to UDM. |
| event.source.isRedirectedCommandProcessor | N/A | Indicates if the source is a redirected command processor. Not mapped to UDM. |
| event.source.isWow64 | N/A | Indicates if the source is WoW64. Not mapped to UDM. |
| event.source.name | N/A | The name of the source. Not mapped to UDM. |
| event.source.node.key.value | N/A | The node key value of the source. Not mapped to UDM. |
| event.source.parent.commandLine | principal.process.parent_process.command_line | The command line of the source's parent. |
| event.source.parent.excluded | N/A | Indicates if the source's parent is excluded. Not mapped to UDM. |
| event.source.parent.executable.full_path | principal.process.parent_process.file.full_path | The full path of the source's parent executable. |
| event.source.parent.executable.hashes.md5 | principal.process.parent_process.file.md5 | The MD5 hash of the source's parent executable. |
| event.source.parent.executable.hashes.sha1 | principal.process.parent_process.file.sha1 | The SHA1 hash of the source's parent executable. |
| event.source.parent.executable.hashes.sha256 | principal.process.parent_process.file.sha256 | The SHA256 hash of the source's parent executable. |
| event.source.parent.fullPid.pid | principal.process.parent_process.pid | The process ID of the source's parent. |
| event.source.parent.fullPid.startTime.millisecondsSinceEpoch | N/A | The start time of the source's parent process. Not mapped to UDM. |
| event.source.parent.interactive | N/A | Indicates if the source's parent is interactive. Not mapped to UDM. |
| event.source.parent.isRedirectedCommandProcessor | N/A | Indicates if the source's parent is a redirected command processor. Not mapped to UDM. |
| event.source.parent.isWow64 | N/A | Indicates if the source's parent is WoW64. Not mapped to UDM. |
| event.source.parent.name | N/A | The name of the source's parent. Not mapped to UDM. |
| event.source.parent.node.key.value | N/A | The node key value of the source's parent. Not mapped to UDM. |
| event.source.parent.root | N/A | Indicates if the source's parent is root. Not mapped to UDM. |
| event.source.parent.sessionId | N/A | The session ID of the source's parent. Not mapped to UDM. |
| event.source.parent.subsystem | N/A | The subsystem of the source's parent. Not mapped to UDM. |
| event.source.parent.trueContext.key.value | N/A | The true context key value of the source's parent. Not mapped to UDM. |
| event.source.parent.user.integrityLevel | N/A | The integrity level of the source's parent user. Not mapped to UDM. |
| event.source.parent.user.name | N/A | The username of the source's parent. Not mapped to UDM. |
| event.source.parent.user.sid | N/A | The Windows SID of the source's parent user. Not mapped to UDM. |
| event.source.root | N/A | Indicates if the source is root. Not mapped to UDM. |
| event.source.sessionId | N/A | The session ID of the source. Not mapped to UDM. |
| event.source.subsystem | N/A | The subsystem of the source. Not mapped to UDM. |
| event.source.trueContext.key.value | N/A | The true context key value of the source. Not mapped to UDM. |
| event.source.user.integrityLevel | N/A | The integrity level of the source user. Not mapped to UDM. |
| event.source.user.name | principal.user.userid | The username of the source. |
| event.source.user.sid | principal.user.windows_sid | The Windows SID of the source user. |
| event.sourceAddress.address | principal.ip | The IP address of the source. |
| event.sourceAddress.port | principal.port | The port of the source. |
| event.status | N/A | The status of the event. Not mapped to UDM. |
| event.subsystem | N/A | The subsystem of the event. Not mapped to UDM. |
| event.targetFile.creationTime.millisecondsSinceEpoch | N/A | The creation time of the target file. Not mapped to UDM. |
| event.targetFile.full_path | target.file.full_path | The full path of the target file. |
| event.targetFile.hashes.md5 | target.process.file.md5 | The MD5 hash of the target file. |
| event.targetFile.hashes.sha1 | target.process.file.sha1 | The SHA1 hash of the target file. |
| event.targetFile.hashes.sha256 | target.process.file.sha256 | The SHA256 hash of the target file. |
| event.targetFile.isDir | N/A | Indicates if the target file is a directory. Not mapped to UDM. |
| event.targetFile.isKernelModule | | |
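To make the mapping rules in the table concrete, here is an added Python example (not the Google Security Operations parser's own code) that applies a subset of them to a constructed agentRealtimeInfo/event record: verbatim copies driven by a path table, the "Device ID: {uuid}" formatting, the "Source Signature Signed Identity" label, INBOUND/OUTBOUND normalization, timestamp normalization, and flattening of networkInterfaces into the repeated principal.ip, principal.asset.ip and principal.mac fields. The sample record, the "inet"/"physical" key names inside networkInterfaces, the INCOMING/OUTGOING raw direction values, and the choice to prefix only principal.asset.asset_id are assumptions; the parser's conditional choice between principal and target for event.source fields is simplified to principal.

```python
"""Apply a subset of the documented SentinelOne -> UDM rules to one record.
Added example, not the Google Security Operations parser. SAMPLE_EVENT is
constructed; the networkInterfaces keys and raw direction values are assumed."""
import json
from datetime import datetime, timezone

# Verbatim copies: (dotted path in the raw record, UDM destinations).
DIRECT_MAPPINGS = [
    ("agentRealtimeInfo.accountId", ["metadata.product_deployment_id"]),
    ("agentRealtimeInfo.agentComputerName", ["principal.hostname", "principal.asset.hostname"]),
    ("agentRealtimeInfo.agentOsName", ["principal.asset.platform_software.platform"]),
    ("agentRealtimeInfo.agentVersion", ["metadata.product_version"]),
    ("agentRealtimeInfo.siteName", ["principal.location.name"]),
    ("event.id", ["metadata.product_log_id"]),
    ("event.query", ["network.dns.questions.name"]),
    ("event.results", ["network.dns.answers.data"]),
    ("event.source.commandLine", ["principal.process.command_line"]),
    ("event.source.executable.full_path", ["principal.process.file.full_path"]),
    ("event.source.executable.hashes.sha256", ["principal.process.file.sha256"]),
    ("event.source.fullPid.pid", ["principal.process.pid"]),
    ("event.source.user.name", ["principal.user.userid"]),
    ("event.source.user.sid", ["principal.user.windows_sid"]),
    ("event.sourceAddress.address", ["principal.ip"]),
    ("event.sourceAddress.port", ["principal.port"]),
    ("event.destinationAddress.address", ["target.ip"]),
]
# UDM fields that hold lists; values are appended without duplicates.
REPEATED = {"principal.ip", "principal.asset.ip", "principal.mac", "target.ip",
            "network.dns.answers.data", "principal.resource.attribute.labels"}

# Constructed sample record (not real telemetry).
SAMPLE_EVENT = {
    "@timestamp": "2024-06-03T12:34:56.000Z",
    "agentRealtimeInfo": {
        "accountId": "1234567890", "agentComputerName": "WS-EXAMPLE-01",
        "agentOsName": "Windows 10 Pro", "agentVersion": "23.4.2.14", "siteName": "HQ",
        "agentUuid": "0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b",
        "networkInterfaces": [{"inet": ["10.0.0.25", "fe80::1"], "physical": "00:11:22:33:44:55"}],
    },
    "event": {
        "id": "evt-0001", "direction": "INCOMING",
        "query": "files.example.internal", "results": ["10.0.0.8"],
        "source": {
            "commandLine": "C:\\Windows\\System32\\notepad.exe C:\\Users\\alice\\notes.txt",
            "executable": {"full_path": "C:\\Windows\\System32\\notepad.exe",
                           "hashes": {"sha256": "ab" * 32},
                           "signature": {"signed": {"identity": "Microsoft Windows"}}},
            "fullPid": {"pid": 4242},
            "user": {"name": "alice", "sid": "S-1-5-21-1-2-3-1001"},
        },
        "sourceAddress": {"address": "10.0.0.25", "port": 51515},
        "destinationAddress": {"address": "10.0.0.8", "port": 445},
    },
}


def get_path(record, path):
    """Walk a dotted path through nested dicts; None if any segment is missing."""
    cur = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def put(udm, dest, value):
    """Set a scalar field, or append to a repeated field without duplicates."""
    if dest not in REPEATED:
        udm[dest] = value
        return
    bucket = udm.setdefault(dest, [])
    for item in (value if isinstance(value, list) else [value]):
        if item not in bucket:
            bucket.append(item)


def normalize_timestamp(raw):
    """Parse an ISO 8601 UTC timestamp with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            parsed = datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
            return parsed.strftime("%Y-%m-%dT%H:%M:%SZ")
        except (TypeError, ValueError):
            continue
    return None


def map_direction(raw):
    """Normalize the raw direction to the UDM INBOUND/OUTBOUND vocabulary."""
    table = {"INCOMING": "INBOUND", "INBOUND": "INBOUND", "OUTGOING": "OUTBOUND", "OUTBOUND": "OUTBOUND"}
    return table.get(str(raw).upper()) if raw else None


def to_udm(record):
    """Return a flat dict keyed by dotted UDM field names."""
    udm = {}
    for src, dests in DIRECT_MAPPINGS:
        value = get_path(record, src)
        if value in (None, ""):
            continue
        for dest in dests:
            put(udm, dest, value)
    if ts := normalize_timestamp(record.get("@timestamp")):
        udm["metadata.event_timestamp"] = ts
    if direction := map_direction(get_path(record, "event.direction")):
        udm["network.direction"] = direction
    if uuid := get_path(record, "agentRealtimeInfo.agentUuid"):
        udm["principal.asset.asset_id"] = f"Device ID: {uuid}"  # documented format
        udm["principal.asset.product_object_id"] = uuid  # raw UUID here is an assumption
    if identity := get_path(record, "event.source.executable.signature.signed.identity"):
        put(udm, "principal.resource.attribute.labels", f"Source Signature Signed Identity: {identity}")
    for nic in get_path(record, "agentRealtimeInfo.networkInterfaces") or []:
        for ip in nic.get("inet", []):
            put(udm, "principal.ip", ip)
            put(udm, "principal.asset.ip", ip)
        if nic.get("physical"):
            put(udm, "principal.mac", nic["physical"])
    return udm


if __name__ == "__main__":
    print(json.dumps(to_udm(SAMPLE_EVENT), indent=2))
```

Fields marked N/A in the table simply have no entry in DIRECT_MAPPINGS, so they never reach the output; the same table-driven shape makes it easy to diff a parser's actual output against the documented mapping during feed validation.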

Changes

2024-06-03

  • Mapped "suser" to "principal.user.userid".
  • Mapped "accountId" to "target.user.userid".
  • Mapped "MessageSourceAddress" to "principal.ip".
  • Mapped "machine_host" to "principal.hostname".

2024-05-20

  • Mapped "event.dns.response" to "network.dns.answers.data".

2024-05-06

  • Added support for a new pattern of JSON logs.

2024-03-22

  • Added new Grok pattern to parse new format of tab-separated KV logs.
  • Mapped "osName" to "src.platform".

2024-03-15

  • Mapped "site.id:account.id:agent.uuid:tgt.process.uid" to "target.process.product_specific_process_id".
  • Mapped "site.id:account.id:agent.uuid:src.process.uid" to "principal.process.product_specific_process_id".
  • Mapped "site.id:account.id:agent.uuid:src.process.parent.uid" to "principal.process.parent_process.product_specific_process_id".
  • Removed "src.process.cmdline" from being mapped to "target.process.command_line".

2023-11-09

  • Fix:
    • Mapped "tgt.process.user" to "target.user.userid".

2023-10-30

  • Fix:
    • Added a not-null check on "principal_port" prior to mapping to UDM.
    • When "event.category" is "url" and "meta.event.name" is "HTTP", mapped "metadata.event_type" to "NETWORK_HTTP".

2023-09-06

  • Added mapping of "tgt.process.storyline.id" to "security_result.about.resource.attribute.labels".
  • Modified mapping of "src.process.storyline.id" from "principal.process.product_specific_process_id" to "security_result.about.resource.attribute.labels".
  • Modified mapping of "src.process.parent.storyline.id" from "principal.parent.process.product_specific_process_id" to "security_result.about.resource.attribute.labels".

2023-08-31

  • Mapped "indicator.category" to "security_result.category_details".

2023-08-03

  • Initialized "event_data.login.loginIsSuccessful" to null.
  • Mapped "module.path" to "target.process.file.full_path" and "target.file.full_path" where "event.type" is "Module Load".
  • Mapped "module.sha1" to "target.process.file.sha1" and "target.file.sha1" where "event.type" is "Module Load".
  • Mapped "metadata.event_type" to "PROCESS_MODULE_LOAD" where "event.type" is "Module Load".
  • Mapped "registry.keyPath" to "target.registry.registry_key" for "REGISTRY*" events.
  • Mapped "registry.value" to "target.registry.registry_value_data" for "REGISTRY*" events.
  • Mapped "event.network.protocolName" to "network.application_protocol".
  • Mapped "principal.platform", "principal.asset.platform_software.platform" to "LINUX" if "endpoint.os" is "linux".
  • Mapped "event.login.userName" to "target.user.userid" when "event.type" is "Login" or "Logout".
  • Mapped "target.hostname" by obtaining the hostname from "url.address" when "event.type" is "GET", "OPTIONS", "POST", "PUT", "DELETE", "CONNECT", "HEAD".

2023-06-09

  • Mapped "osSrc.process.parent.publisher" to "principal.resource.attribute.labels".
  • Mapped "src.process.rUserName/src.process.eUserName/src.process.lUserName" to "principal.user.user_display_name".
  • Added a check on the fields "src.process.eUserId", "src.process.lUserId" and "tgt.process.rUserUid" prior to mapping to UDM.
  • Mapped "tgt.file.location", "registry.valueFullSize", "registry.valueType" to "target.resource.attribute.labels".
  • Mapped "indicator.description" to "security_result.summary".
  • Mapped "metadata.event_type" to "SCAN_NETWORK" where "event.type" is "Behavioral Indicators".
  • Mapped "metadata.event_type" to "SCAN_UNCATEGORIZED" where "event.type" is "Command Script".
  • Initialized fields "meta.osFamily", "meta.osRevision", "event.type".
  • Added ISO8601 to the date filter to parse ISO8601 timestamps.
  • Added on_error to the "@timestamp" string conversion.
  • Added on_error to "meta.uuid" prior to mapping.

2023-05-25

  • Mapped "event.source.commandLine" to "principal.process.command_line".
  • Mapped "event.source.executable.path" to "principal.process.file.full_path".
  • Set "metadata.event_type" to "PROCESS_OPEN" where "event.type" is "openProcess".
  • Mapped "site.name:site.id" to "principal.namespace" if both "site.name" and "site.id" are not null.
  • Mapped "event.network.direction" to "network.direction".
  • Mapped "meta.event.name" to "metadata.description".
  • Mapped "task.name" to "target.resource.name".
  • Mapped "agent.uuid" to "principal.asset.product_object_id".
  • Mapped "src.process.publisher" to "principal.resource.attribute.labels".
  • Mapped "src.process.cmdline" to "target.process.command_line".
  • Mapped "mgmt.osRevision" to "principal.asset.platform_software.platform_version".
  • Mapped "security_result.category" according to "indicator.category" value.
  • Mapped "event.dns.response" to "network.dns.answers".
  • Mapped "registry.keyPath" to "target.registry.registry_key".
  • Mapped "event.id" to "target.registry.registry_value_name".

2023-04-27

  • Mapped "event.type" to "metadata.product_event_type" for Cloud Funnel v2 logs.

2023-04-20

  • Added a null and '-' conditional check for the field "data.ipAddress".
  • Added grok conditional check for the field "sourceMacAddresses".

2023-03-02

  • When ("event.type" == "tcpv4" and "event.direction" == "INCOMING") or "event.type" contains "(processExit|processTermination|processModification|duplicate)", mapped "event.source.executable.signature.signed.identity" to "target.resource.attribute.labels"; otherwise mapped it to "principal.resource.attribute.labels".
  • Mapped "event.parent.executable.signature.signed.identity" and "event.process.executable.signature.signed.identity" to "principal.resource.attribute.labels".
  • Mapped "event.targetFile.signature.signed.identity", "event.target.executable.signature.signed.identity", "event.target.parent.executable.signature.signed.identity" to "target.resource.attribute.labels".

2023-02-24

  • BugFix:
  • Refactored the code to clearly differentiate between the log versions.
  • For USER_LOGIN Cloud Funnel v2 logs, mapped the "event.login.lognIsSuccessful" details to "security_result.action" and "security_result.summary".

2023-02-13

  • BugFix:
  • Parsed Cloud Funnel v1 logs as required.
  • Mapped all HTTP logs to "NETWORK_HTTP".
  • For "NETWORK_HTTP" events, mapped the URL field to "target.url" instead of "metadata.url_back_to_product".

2023-01-20

  • Mapped the field 'event.url' to 'target.hostname' and 'target.url'.
  • Mapped 'metadata.event_type' to 'NETWORK_HTTP' where 'event.type' == 'http'.

2023-01-16

  • Fix
  • Mapped "mgmt.url" to "metadata.url_back_to_product" instead of "target.url".
  • Mapped "site.name" to "principal.location.name".
  • Mapped "src.process.rUserUid" to "principal.user.userid".
  • Mapped "src.process.eUserId" to "principal.user.userid".
  • Mapped "src.process.lUserId" to "principal.user.userid".
  • Mapped "src.process.parent.rUserUid" to "metadata.ingestion_labels".
  • Mapped "src.process.parent.eUserId" to "metadata.ingestion_labels".
  • Mapped "src.process.parent.lUserId" to "metadata.ingestion_labels".
  • Mapped "tgt.process.rUserUid" to "target.user.userid".
  • Mapped "tgt.process.eUserId" to "target.user.userid".
  • Mapped "tgt.process.lUserId" to "target.user.userid".
  • If "event.type" is "Process Creation" mapped "metadata.event_type" to "PROCESS_LAUNCH".
  • If "event.type" is "Duplicate Process Handle" mapped "metadata.event_type" to "PROCESS_OPEN".
  • If "event.type" is "Duplicate Thread Handle" mapped "metadata.event_type" to "PROCESS_OPEN".
  • If "event.type" is "Open Remote Process Handle" mapped "metadata.event_type" to "PROCESS_OPEN".
  • If "event.type" is "Remote Thread Creation" mapped "metadata.event_type" to "PROCESS_LAUNCH".
  • If "event.type" is "Command Script" mapped "metadata.event_type" to "FILE_UNCATEGORIZED".
  • If "event.type" is "IP Connect" mapped "metadata.event_type" to "NETWORK_CONNECTION".
  • If "event.type" is "IP Listen" mapped "metadata.event_type" to "NETWORK_UNCATEGORIZED".
  • If "event.type" is "File Modification" mapped "metadata.event_type" to "FILE_MODIFICATION".
  • If "event.type" is "File Creation" mapped "metadata.event_type" to "FILE_CREATION".
  • If "event.type" is "File Scan" mapped "metadata.event_type" to "FILE_UNCATEGORIZED".
  • If "event.type" is "File Deletion" mapped "metadata.event_type" to "FILE_DELETION".
  • If "event.type" is "File Rename" mapped "metadata.event_type" to "FILE_MODIFICATION".
  • If "event.type" is "Pre Execution Detection" mapped "metadata.event_type" to "FILE_UNCATEGORIZED".
  • If "event.type" is "Login" mapped "metadata.event_type" to "USER_LOGIN".
  • If "event.type" is "Logout" mapped "metadata.event_type" to "USER_LOGOUT".
  • If "event.type" is "GET" mapped "metadata.event_type" to "NETWORK_HTTP".
  • If "event.type" is "OPTIONS" mapped "metadata.event_type" to "NETWORK_HTTP".
  • If "event.type" is "POST" mapped "metadata.event_type" to "NETWORK_HTTP".
  • If "event.type" is "PUT" mapped "metadata.event_type" to "NETWORK_HTTP".
  • If "event.type" is "DELETE" mapped "metadata.event_type" to "NETWORK_HTTP".
  • If "event.type" is "CONNECT" mapped "metadata.event_type" to "NETWORK_HTTP".
  • If "event.type" is "HEAD" mapped "metadata.event_type" to "NETWORK_HTTP".
  • If "event.type" is "Not Reported" mapped "metadata.event_type" to "STATUS_UNCATEGORIZED".
  • If "event.type" is "DNS Resolved" mapped "metadata.event_type" to "NETWORK_DNS".
  • If "event.type" is "DNS Unresolved" mapped "metadata.event_type" to "NETWORK_DNS".
  • If "event.type" is "Task Register" mapped "metadata.event_type" to "SCHEDULED_TASK_CREATION".
  • If "event.type" is "Task Update" mapped "metadata.event_type" to "SCHEDULED_TASK_MODIFICATION".
  • If "event.type" is "Task Start" mapped "metadata.event_type" to "SCHEDULED_TASK_UNCATEGORIZED".
  • If "event.type" is "Task Trigger" mapped "metadata.event_type" to "SCHEDULED_TASK_UNCATEGORIZED".
  • If "event.type" is "Task Delete" mapped "metadata.event_type" to "SCHEDULED_TASK_DELETION".
  • If "event.type" is "Registry Key Create" mapped "metadata.event_type" to "REGISTRY_CREATION".
  • If "event.type" is "Registry Key Rename" mapped "metadata.event_type" to "REGISTRY_MODIFICATION".
  • If "event.type" is "Registry Key Delete" mapped "metadata.event_type" to "REGISTRY_DELETION".
  • If "event.type" is "Registry Key Export" mapped "metadata.event_type" to "REGISTRY_UNCATEGORIZED".
  • If "event.type" is "Registry Key Security Changed" mapped "metadata.event_type" to "REGISTRY_MODIFICATION".
  • If "event.type" is "Registry Key Import" mapped "metadata.event_type" to "REGISTRY_CREATION".
  • If "event.type" is "Registry Value Modified" mapped "metadata.event_type" to "REGISTRY_MODIFICATION".
  • If "event.type" is "Registry Value Create" mapped "metadata.event_type" to "REGISTRY_CREATION".
  • If "event.type" is "Registry Value Delete" mapped "metadata.event_type" to "REGISTRY_DELETION".
  • If "event.type" is "Behavioral Indicators" mapped "metadata.event_type" to "SCAN_UNCATEGORIZED".
  • If "event.type" is "Module Load" mapped "metadata.event_type" to "PROCESS_MODULE_LOAD".
  • If "event.type" is "Threat Intelligence Indicators" mapped "metadata.event_type" to "SCAN_UNCATEGORIZED".
  • If "event.type" is "Named Pipe Creation" mapped "metadata.event_type" to "PROCESS_UNCATEGORIZED".
  • If "event.type" is "Named Pipe Connection" mapped "metadata.event_type" to "PROCESS_UNCATEGORIZED".
  • If "event.type" is "Driver Load" mapped "metadata.event_type" to "PROCESS_MODULE_LOAD".

2022-11-30

  • Enhancement
  • Enhanced the parser to support logs ingested in version V2 by mapping the following fields.
  • Mapped "account.id" to "metadata.product_deployment_id".
  • Mapped "agent.uuid" to "principal.asset.asset_id".
  • Mapped "dst.ip.address" to "target.ip".
  • Mapped "src.ip.address" to "principal.ip".
  • Mapped "src.process.parent.image.sha1" to "principal.process.parent_process.file.sha1".
  • Mapped "src.process.parent.image.sha256" to "principal.process.parent_process.file.sha256".
  • Mapped "src.process.parent.image.path" to "principal.process.parent_process.file.full_path".
  • Mapped "src.process.parent.cmdline" to "principal.process.parent_process.command_line".
  • Mapped "src.process.parent.image.md5" to "principal.process.parent_process.file.md5".
  • Mapped "src.process.parent.pid" to "principal.process.parent_process.pid".
  • Mapped "src.process.image.sha1" to "principal.process.file.sha1".
  • Mapped "src.process.image.md5" to "principal.process.file.md5".
  • Mapped "src.process.pid" to "principal.process.pid".
  • Mapped "src.process.cmdline" to "principal.process.command_line".
  • Mapped "src.process.image.path" to "principal.process.file.full_path".
  • Mapped "src.process.image.sha256" to "principal.process.file.sha256".
  • Mapped "src.process.user" to "principal.user.user_display_name".
  • Mapped "src.process.uid" to "principal.user.userid".
  • Mapped "src.process.storyline.id" to "principal.process.product_specific_process_id".
  • Mapped "src.process.parent.storyline.id" to "principal.process.parent_process.product_specific_process_id".
  • Mapped "mgmt.url" to "target.url".
  • Mapped "site.id" to "principal.namespace".
  • Mapped "src.port.number" to "principal.port".
  • Mapped "dst.port.number" to "target.port".
  • Mapped "event_data.id" to "metadata.product_log_id".

2022-10-11

  • Enhancement
  • Mapped "threatClassification" to "security_result.category_details".
  • Mapped "threatConfidenceLevel" and "threatMitigationStatus" to "security_result.detection_fields".
  • Mapped "Location" to "principal.location.name".
  • Mapped "data.filePath" to "principal.process.parent_process.file.full_path".
  • Updated the mapping of the CAT value from "security_result.category_details" to "metadata.product_event_type".

2022-09-01

  • Enhancement
  • Changed metadata.product_name from SentinelOne to Singularity.
  • Mapped "event.regValue.key.value" to "target.registry.registry_value_name".
  • Mapped "principal_userid" to "principal.user.userid".
  • Mapped "principal_domain" to "principal.administrative_domain".
  • Mapped "threatInfo.threatId" to "security_result.threat_id".
  • Mapped "threatInfo.identifiedAt" to "metadata.event_timestamp".
  • Mapped "threatInfo.threatId" to "metadata.product_log_id".
  • Mapped "security_result.alert_state" to "ALERTING".
  • Mapped "threatInfo.maliciousProcessArguments" to "security_result.description".
  • Mapped "threatInfo.threatName" to "security_result.threat_name".
  • Mapped "threatInfo.classification" to "security_result.category_details".
  • Mapped "security_result.category" to "SOFTWARE_MALICIOUS" where "threatInfo.classification" is malicious, else to "NETWORK_SUSPICIOUS".
  • Mapped "security_result.action" to "ALLOW" where "threatInfo.mitigationStatus" is mitigated, else to "BLOCK".
  • Mapped "threatInfo.mitigationStatus" to "security_result.action_details".
  • Mapped the combined "threatInfo.classification", "threatInfo.classificationSource", "threatInfo.analystVerdictDescription" and "threatInfo.threatName" values to "security_result.summary".
  • Mapped "threatInfo.createdAt" to "metadata.collected_timestamp".
  • Mapped "agentRealtimeInfo.accountId" to "metadata.product_deployment_id".
  • Mapped "agentRealtimeInfo.agentVersion" to "metadata.product_version".
  • Mapped "indicator.category" to "detection_fields.key" and "indicator.description" to "detection_fields.value".
  • Mapped "detectionEngines.key" to "detection_fields.key" and "detectionEngines.title" to "detection_fields.value".
  • Mapped "metadata.event_type" to "SCAN_UNCATEGORIZED" where "meta.computerName" is not null.

2022-07-21

  • Enhancement
  • Mapped event.source.executable.hashes.md5 to principal.process.file.md5.
  • Mapped event.source.executable.hashes.sha256 to principal.process.file.sha256.
  • Mapped event.source.executable.hashes.sha1 to principal.process.file.sha1.
  • Mapped event.source.fullPid.pid to principal.process.pid.
  • Mapped event.source.user.name to principal.user.userid.
  • Mapped meta.agentVersion to metadata.product_version.
  • Mapped event.appName to target.application.
  • Mapped event.contentHash.sha256 to target.process.file.sha256.
  • Mapped event.source.commandLine to target.process.command_line.
  • Mapped event.decodedContent to target.labels.
  • Changed metadata.description from scripts to Command Scripts where event.type is scripts.
  • Mapped vendor to metadata.vendor_name.
  • Mapped data.fileContentHash to target.process.file.md5.
  • Mapped data.ipAddress to principal.ip.
  • Mapped activityUuid to target.asset.product_object_id.
  • Mapped agentId to metadata.product_deployment_id.
  • Added email validation for user_email before mapping it to principal.user.email_addresses; if validation fails, mapped it to principal.user.userid instead.
  • Mapped sourceIpAddresses to principal.ip.
  • Mapped accountName to principal.administrative_domain.
  • Mapped activityId to additional.fields.
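The three conditional rules described above (the 2023-03-02 signed-identity rule, the 2022-09-01 threatInfo rules and the 2022-07-21 email check), written out as an added Python example for checking expected UDM output against constructed records; this is not the parser's own code, and the case-insensitive comparisons and the email pattern are assumptions.

```python
import re

# Added example, not the parser's own code: the conditional mapping rules from
# the 2023-03-02, 2022-09-01 and 2022-07-21 changelog entries as plain functions,
# so expected UDM output can be checked on sample records.

# 2023-03-02: event types whose signed identity goes to the target labels.
TARGET_SIGNER_TYPES = re.compile(r"(processExit|processTermination|processModification|duplicate)")
# Assumption: a simple address shape is enough for the "email verification" step.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def signed_identity_field(event: dict) -> str:
    """Return the UDM field that receives event.source.executable.signature.signed.identity."""
    etype = event.get("type", "")
    incoming_tcp = etype == "tcpv4" and event.get("direction") == "INCOMING"
    if incoming_tcp or TARGET_SIGNER_TYPES.search(etype):
        return "target.resource.attribute.labels"
    return "principal.resource.attribute.labels"


def map_threat_info(threat_info: dict) -> dict:
    """Derive security_result fields from a threatInfo object (2022-09-01 entry)."""
    classification = threat_info.get("classification", "")
    status = threat_info.get("mitigationStatus", "")
    # Assumption: the "is malicious" / "is mitigated" checks are case-insensitive.
    return {
        "security_result.threat_id": threat_info.get("threatId"),
        "security_result.threat_name": threat_info.get("threatName"),
        "security_result.category_details": classification,
        "security_result.category": "SOFTWARE_MALICIOUS"
        if classification.lower() == "malicious" else "NETWORK_SUSPICIOUS",
        # The changelog states ALLOW for mitigated threats and BLOCK otherwise.
        "security_result.action": "ALLOW" if status.lower() == "mitigated" else "BLOCK",
        "security_result.action_details": status,
    }


def map_user_email(user_email: str) -> dict:
    """Route user_email to email_addresses when valid, otherwise to userid (2022-07-21 entry)."""
    if EMAIL_RE.match(user_email):
        return {"principal.user.email_addresses": [user_email]}
    return {"principal.user.userid": user_email}


if __name__ == "__main__":
    # Constructed sample records, not captured SentinelOne data.
    print(signed_identity_field({"type": "tcpv4", "direction": "INCOMING"}))
    print(map_threat_info({"threatId": "T-1", "classification": "Malicious", "mitigationStatus": "mitigated"}))
    print(map_user_email("svc-backup"))
```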

2022-07-15

  • Enhancement - Parsed the new JSON-format logs and mapped the following new fields:
  • "metadata.product_name" to "SENTINEL_ONE".
  • "sourceParentProcessMd5" to "principal.process.parent_process.file.md5".
  • "sourceParentProcessPath" to "principal.process.parent_process.file.full_path".
  • "sourceParentProcessPid" to "principal.process.parent_process.pid".
  • "sourceParentProcessSha1" to "principal.process.parent_process.file.sha1".
  • "sourceParentProcessSha256" to "principal.process.parent_process.file.sha256".
  • "sourceParentProcessCmdArgs" to "principal.process.parent_process.command_line".
  • "sourceProcessCmdArgs" to "principal.process.command_line".
  • "sourceProcessMd5" to "principal.process.file.md5".
  • "sourceProcessPid" to "principal.process.pid".
  • "sourceProcessSha1" to "principal.process.file.sha1".
  • "sourceProcessSha256" to "principal.process.file.sha256".
  • "sourceProcessPath" to "principal.process.file.full_path".
  • "tgtFilePath" to "target.file.full_path".
  • "tgtFileHashSha256" to "target.file.sha256".
  • "tgtFileHashSha1" to "target.file.sha1".
  • "tgtProcUid" to "target.process.product_specific_process_id".
  • "tgtProcCmdLine" to "target.process.command_line".
  • "tgtProcPid" to "target.process.pid".
  • "tgtProcName" to "target.application".
  • "dstIp" to "target.ip".
  • "srcIp" to "principal.ip".
  • "dstPort" to "target.port".
  • "srcPort" to "principal.port".
  • "origAgentName" to "principal.hostname".
  • "agentIpV4" to "principal.ip".
  • "groupId" to "principal.user.group_identifiers".
  • "groupName" to "principal.user.group_display_name".
  • "origAgentVersion" to "principal.asset.software.version".
  • "origAgentOsFamily" to "principal.platform".
  • "origAgentOsName" to "principal.asset.software.name".
  • "event_type" to "FILE_MODIFICATION" when sourceEventType = FILEMODIFICATION.
  • "event_type" to "FILE_DELETION" when sourceEventType = FILEDELETION.
  • "event_type" to "PROCESS_LAUNCH" when sourceEventType = PROCESSCREATION.
  • "event_type" to "NETWORK_CONNECTION" when sourceEventType = TCPV4.

2022-06-13

  • Enhancement
  • For "fileCreation" and "fileDeletion" events ([event][type]):
  • Mapped "event.targetFile.path" to "target.file.full_path".
  • Mapped "event.targetFile.hashes.md5" to "target.process.file.md5".
  • Mapped "event.targetFile.hashes.sha1" to "target.process.file.sha1".
  • Mapped "event.targetFile.hashes.sha256" to "target.process.file.sha256".
  • For "fileModification" events ([event][type]):
  • Mapped "event.file.path" to "target.file.full_path".
  • Mapped "event.file.hashes.md5" to "target.process.file.md5".
  • Mapped "event.file.hashes.sha1" to "target.process.file.sha1".
  • Mapped "event.file.hashes.sha256" to "target.process.file.sha256".

2022-04-18

  • Enhanced the parser to handle all the unparsed raw logs.