Collect SentinelOne EDR logs
This document explains how to export SentinelOne logs to Google Cloud Storage using SentinelOne Cloud Funnel. Since SentinelOne doesn't offer a built-in integration to directly export logs to Google Cloud Storage, Cloud Funnel acts as an intermediary service to push logs to the Cloud Storage.
Before You Begin
- Ensure that you have a Google SecOps instance.
- Ensure that you have privileged access to the Google Cloud platform.
- Ensure that you have privileged access to SentinelOne.
Configure Permissions for Cloud Funnel to Access Cloud Storage
- Sign in to the Google Cloud console.
- Go to IAM & Admin.
- In the IAM page, add a new IAM role for the Cloud Funnel service account:
- Assign Storage Object Creator permissions.
- Optional: assign Storage Object Viewer if you need Cloud Funnel to read objects from the bucket.
- Grant these permissions to the Cloud Funnel service account.
Create a Cloud Storage Bucket
- Sign in to the Google Cloud console.
- Go to Storage > Browser.
- Click Create bucket.
- Provide the following configurations:
- Bucket Name: choose a unique name for your bucket (for example, sentinelone-logs).
- Storage Location: select the region where the bucket will reside (for example, US-West1).
- Storage Class: choose a Standard storage class.
- Click Create.
Configure Cloud Funnel in SentinelOne
- In the SentinelOne Console, go to Settings.
- Locate the Cloud Funnel option (under Integrations).
- If it's not already enabled, click Enable Cloud Funnel.
- Once enabled, you're prompted to configure the Destination settings.
- Destination Selection: choose Google Cloud Storage as the destination for exporting logs.
- Google Cloud Storage: provide the Google Cloud Storage credentials.
- Log Export Frequency: set the frequency for exporting logs (for example, hourly or daily).
Configure Cloud Funnel Log Export
- In the Cloud Funnel Configuration section of the SentinelOne Console, set the following:
- Log Export Frequency: choose how often logs should be exported (for example, every hour or every day).
- Log Format: choose the JSON format.
- Bucket Name: enter the name of the Google Cloud Storage bucket you created earlier (for example, sentinelone-logs).
- Optional: Log Path Prefix: specify a prefix to organize logs within the bucket (for example, sentinelone-logs/).
- Once the settings are configured, click Save to apply the changes.
Configure a feed in Google SecOps to ingest the Sentinel EDR logs
- Go to SIEM Settings > Feeds.
- Click Add new.
- In the Feed name field, enter a name for the feed (for example, Sentinel EDR Logs).
- Select Google Cloud Storage as the Source type.
- Select Sentinel EDR as the Log type.
- Click Get Service Account as the Chronicle Service Account.
- Click Next.
- Specify values for the following input parameters:
- Storage Bucket URI: Cloud Storage bucket URL in gs://my-bucket/<value> format.
- URI Is A: select Directory which includes subdirectories.
- Source deletion options: select the deletion option according to your preference.
- Asset namespace: the asset namespace.
- Ingestion labels: the label applied to the events from this feed.
- Click Next.
- Review your new feed configuration in the Finalize screen, and then click Submit.
UDM mapping table
Log Field | UDM Mapping | Logic |
---|---|---|
event.contentHash.sha256 | target.process.file.sha256 | The SHA-256 hash of the target process's file, extracted from the event.contentHash.sha256 field in the raw log. |
event.decodedContent | target.labels | The decoded content of a script, extracted from the event.decodedContent field in the raw log. It is added as a label with the key Decoded Content to the target object. |
event.destinationAddress.address | target.ip | The IP address of the destination, extracted from the event.destinationAddress.address field in the raw log. |
event.destinationAddress.port | target.port | The port of the destination, extracted from the event.destinationAddress.port field in the raw log. |
event.method | network.http.method | The HTTP method of the event, extracted from the event.method field in the raw log. |
event.newValueData | target.registry.registry_value_data | The new value data of the registry value, extracted from the event.newValueData field in the raw log. |
event.process.commandLine | target.process.command_line | The command line of the process, extracted from the event.process.commandLine field in the raw log. |
event.process.executable.hashes.md5 | target.process.file.md5 | The MD5 hash of the process's executable, extracted from the event.process.executable.hashes.md5 field in the raw log. |
event.process.executable.hashes.sha1 | target.process.file.sha1 | The SHA-1 hash of the process's executable, extracted from the event.process.executable.hashes.sha1 field in the raw log. |
event.process.executable.hashes.sha256 | target.process.file.sha256 | The SHA-256 hash of the process's executable, extracted from the event.process.executable.hashes.sha256 field in the raw log. |
event.process.executable.path | target.process.file.full_path | The full path of the process's executable, extracted from the event.process.executable.path field in the raw log. |
event.process.executable.sizeBytes | target.process.file.size | The size of the process's executable, extracted from the event.process.executable.sizeBytes field in the raw log. |
event.process.fullPid.pid | target.process.pid | The PID of the process, extracted from the event.process.fullPid.pid field in the raw log. |
event.query | network.dns.questions.name | The DNS query, extracted from the event.query field in the raw log. |
event.regKey.path | target.registry.registry_key | The path of the registry key, extracted from the event.regKey.path field in the raw log. |
event.regValue.key.value | target.registry.registry_name, target.registry.registry_value_name | The name of the registry value, extracted from the event.regValue.key.value field in the raw log. |
event.regValue.path | target.registry.registry_key | The path of the registry value, extracted from the event.regValue.path field in the raw log. |
event.results | network.dns.answers.data | The DNS answers, extracted from the event.results field in the raw log. The data is split into individual answers using the "; " separator. |
event.source.commandLine | principal.process.command_line | The command line of the source process, extracted from the event.source.commandLine field in the raw log. |
event.source.executable.hashes.md5 | principal.process.file.md5 | The MD5 hash of the source process's executable, extracted from the event.source.executable.hashes.md5 field in the raw log. |
event.source.executable.hashes.sha1 | principal.process.file.sha1 | The SHA-1 hash of the source process's executable, extracted from the event.source.executable.hashes.sha1 field in the raw log. |
event.source.executable.hashes.sha256 | principal.process.file.sha256 | The SHA-256 hash of the source process's executable, extracted from the event.source.executable.hashes.sha256 field in the raw log. |
event.source.executable.path | principal.process.file.full_path | The full path of the source process's executable, extracted from the event.source.executable.path field in the raw log. |
event.source.executable.signature.signed.identity | principal.resource.attribute.labels | The signed identity of the source process's executable, extracted from the event.source.executable.signature.signed.identity field in the raw log. It is added as a label with the key Source Signature Signed Identity to the principal resource attribute labels. |
event.source.executable.sizeBytes | principal.process.file.size | The size of the source process's executable, extracted from the event.source.executable.sizeBytes field in the raw log. |
event.source.fullPid.pid | principal.process.pid | The PID of the source process, extracted from the event.source.fullPid.pid field in the raw log. |
event.source.parent.commandLine | principal.process.parent_process.command_line | The command line of the source parent process, extracted from the event.source.parent.commandLine field in the raw log. |
event.source.parent.executable.hashes.md5 | principal.process.parent_process.file.md5 | The MD5 hash of the source parent process's executable, extracted from the event.source.parent.executable.hashes.md5 field in the raw log. |
event.source.parent.executable.hashes.sha1 | principal.process.parent_process.file.sha1 | The SHA-1 hash of the source parent process's executable, extracted from the event.source.parent.executable.hashes.sha1 field in the raw log. |
event.source.parent.executable.hashes.sha256 | principal.process.parent_process.file.sha256 | The SHA-256 hash of the source parent process's executable, extracted from the event.source.parent.executable.hashes.sha256 field in the raw log. |
event.source.parent.executable.signature.signed.identity | principal.resource.attribute.labels | The signed identity of the source parent process's executable, extracted from the event.source.parent.executable.signature.signed.identity field in the raw log. It is added as a label with the key Source Parent Signature Signed Identity to the principal resource attribute labels. |
event.source.parent.fullPid.pid | principal.process.parent_process.pid | The PID of the source parent process, extracted from the event.source.parent.fullPid.pid field in the raw log. |
event.source.user.name | principal.user.userid | The username of the source process's user, extracted from the event.source.user.name field in the raw log. |
event.source.user.sid | principal.user.windows_sid | The Windows SID of the source process's user, extracted from the event.source.user.sid field in the raw log. |
event.sourceAddress.address | principal.ip | The IP address of the source, extracted from the event.sourceAddress.address field in the raw log. |
event.sourceAddress.port | principal.port | The port of the source, extracted from the event.sourceAddress.port field in the raw log. |
event.target.executable.hashes.md5 | target.process.file.md5 | The MD5 hash of the target process's executable, extracted from the event.target.executable.hashes.md5 field in the raw log. |
event.target.executable.hashes.sha1 | target.process.file.sha1 | The SHA-1 hash of the target process's executable, extracted from the event.target.executable.hashes.sha1 field in the raw log. |
event.target.executable.hashes.sha256 | target.process.file.sha256 | The SHA-256 hash of the target process's executable, extracted from the event.target.executable.hashes.sha256 field in the raw log. |
event.target.executable.path | target.process.file.full_path | The full path of the target process's executable, extracted from the event.target.executable.path field in the raw log. |
event.target.executable.signature.signed.identity | target.resource.attribute.labels | The signed identity of the target process's executable, extracted from the event.target.executable.signature.signed.identity field in the raw log. It is added as a label with the key Target Signature Signed Identity to the target resource attribute labels. |
event.target.executable.sizeBytes | target.process.file.size | The size of the target process's executable, extracted from the event.target.executable.sizeBytes field in the raw log. |
event.target.fullPid.pid | target.process.pid | The PID of the target process, extracted from the event.target.fullPid.pid field in the raw log. |
event.targetFile.path | target.file.full_path | The full path of the target file, extracted from the event.targetFile.path field in the raw log. |
event.targetFile.signature.signed.identity | target.resource.attribute.labels | The signed identity of the target file, extracted from the event.targetFile.signature.signed.identity field in the raw log. It is added as a label with the key Target File Signature Signed Identity to the target resource attribute labels. |
event.trueContext.key.value | Not mapped to the UDM. | |
event.type | metadata.description | The type of the event, extracted from the event.type field in the raw log. |
event.url | target.url | The URL of the event, extracted from the event.url field in the raw log. |
meta.agentVersion | metadata.product_version | The version of the agent, extracted from the meta.agentVersion field in the raw log. |
meta.computerName | principal.hostname, target.hostname | The hostname of the computer, extracted from the meta.computerName field in the raw log. |
meta.osFamily | principal.asset.platform_software.platform, target.asset.platform_software.platform | The operating system family of the computer, extracted from the meta.osFamily field in the raw log. It is mapped to LINUX for linux and WINDOWS for windows. |
meta.osRevision | principal.asset.platform_software.platform_version, target.asset.platform_software.platform_version | The operating system revision of the computer, extracted from the meta.osRevision field in the raw log. |
meta.traceId | metadata.product_log_id | The trace ID of the event, extracted from the meta.traceId field in the raw log. |
meta.uuid | principal.asset.product_object_id, target.asset.product_object_id | The UUID of the computer, extracted from the meta.uuid field in the raw log. |
metadata_event_type | metadata.event_type | The type of the event, set by the parser logic based on the event.type field. |
metadata_product_name | metadata.product_name | The name of the product, set to Singularity XDR by the parser logic. |
metadata_vendor_name | metadata.vendor_name | The name of the vendor, set to SentinelOne by the parser logic. |
network_application_protocol | network.application_protocol | The application protocol of the network connection, set to DNS for DNS events by the parser logic. |
network_dns_questions.name | network.dns.questions.name | The name of the DNS question, extracted from the event.query field in the raw log. |
network_direction | network.direction | The direction of the network connection, set to OUTBOUND for outgoing connections and INBOUND for incoming connections by the parser logic. |
network_http_method | network.http.method | The HTTP method of the event, extracted from the event.method field in the raw log. |
principal.process.command_line | target.process.command_line | The command line of the principal process, extracted from the principal.process.command_line field and mapped to the target process command line. |
principal.process.file.full_path | target.process.file.full_path | The full path of the principal process's file, extracted from the principal.process.file.full_path field and mapped to the target process file full path. |
principal.process.file.md5 | target.process.file.md5 | The MD5 hash of the principal process's file, extracted from the principal.process.file.md5 field and mapped to the target process file MD5. |
principal.process.file.sha1 | target.process.file.sha1 | The SHA-1 hash of the principal process's file, extracted from the principal.process.file.sha1 field and mapped to the target process file SHA-1. |
principal.process.file.sha256 | target.process.file.sha256 | The SHA-256 hash of the principal process's file, extracted from the principal.process.file.sha256 field and mapped to the target process file SHA-256. |
principal.process.file.size | target.process.file.size | The size of the principal process's file, extracted from the principal.process.file.size field and mapped to the target process file size. |
principal.process.pid | target.process.pid | The PID of the principal process, extracted from the principal.process.pid field and mapped to the target process PID. |
principal.user.userid | target.user.userid | The user ID of the principal, extracted from the principal.user.userid field and mapped to the target user ID. |
principal.user.windows_sid | target.user.windows_sid | The Windows SID of the principal, extracted from the principal.user.windows_sid field and mapped to the target user Windows SID. |
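To check the table's logic against a concrete record before logs reach the feed, the following Python mapper applies a subset of the rows above (field copies, the event.type to metadata.event_type translation from the changelog, the "; " split of DNS answers, the osFamily normalisation, and the label rows) to a constructed Cloud Funnel JSON event. This is an added example, not Google's parser and not SentinelOne code; the sample event is constructed, and the `GENERIC_EVENT` fallback for event types the page does not list is this example's own assumption.

```python
"""Reference mapper for the UDM table above (added example, not Google's parser)."""
import json

# event.type -> metadata.event_type; a subset of the values in the parser changelog.
EVENT_TYPE_MAP = {
    "Process Creation": "PROCESS_LAUNCH",
    "IP Connect": "NETWORK_CONNECTION",
    "File Creation": "FILE_CREATION",
    "File Modification": "FILE_MODIFICATION",
    "DNS Resolved": "NETWORK_DNS",
    "DNS Unresolved": "NETWORK_DNS",
    "Registry Value Create": "REGISTRY_CREATION",
    "Module Load": "PROCESS_MODULE_LOAD",
}
HTTP_METHODS = {"GET", "OPTIONS", "POST", "PUT", "DELETE", "CONNECT", "HEAD"}  # all -> NETWORK_HTTP
OS_FAMILY = {"linux": "LINUX", "windows": "WINDOWS"}

# (raw field, UDM field) pairs taken from the table; one raw field may feed several UDM fields.
FIELD_MAP = [
    ("event.source.commandLine", "principal.process.command_line"),
    ("event.source.executable.hashes.sha256", "principal.process.file.sha256"),
    ("event.source.executable.path", "principal.process.file.full_path"),
    ("event.source.fullPid.pid", "principal.process.pid"),
    ("event.source.user.name", "principal.user.userid"),
    ("event.source.user.sid", "principal.user.windows_sid"),
    ("event.targetFile.path", "target.file.full_path"),
    ("event.destinationAddress.address", "target.ip"),
    ("event.regKey.path", "target.registry.registry_key"),
    ("event.url", "target.url"),
    ("event.type", "metadata.description"),
    ("meta.agentVersion", "metadata.product_version"),
    ("meta.computerName", "principal.hostname"),
    ("meta.computerName", "target.hostname"),
    ("meta.traceId", "metadata.product_log_id"),
    ("meta.uuid", "principal.asset.product_object_id"),
]


def get_path(obj, path):
    # Walk a dotted path through nested dicts; None if any segment is absent or null.
    for seg in path.split("."):
        if not isinstance(obj, dict) or seg not in obj:
            return None
        obj = obj[seg]
    return obj


def set_path(obj, path, value):
    # Assign a leaf, creating intermediate dicts as needed.
    *parents, leaf = path.split(".")
    for seg in parents:
        obj = obj.setdefault(seg, {})
    obj[leaf] = value


def to_udm(raw):
    """Build a UDM-shaped dict for one Cloud Funnel event."""
    udm = {"metadata": {"vendor_name": "SentinelOne", "product_name": "Singularity XDR"}}
    for src, dst in FIELD_MAP:
        val = get_path(raw, src)
        if val is not None:  # null raw fields are skipped, not written as empty strings
            set_path(udm, dst, val)

    etype = get_path(raw, "event.type")
    if etype in HTTP_METHODS:
        event_type = "NETWORK_HTTP"
    else:
        # GENERIC_EVENT as the fallback is this example's assumption; the page states no default.
        event_type = EVENT_TYPE_MAP.get(etype, "GENERIC_EVENT")
    udm["metadata"]["event_type"] = event_type

    if event_type == "NETWORK_DNS":
        set_path(udm, "network.application_protocol", "DNS")
        query = get_path(raw, "event.query")
        if query is not None:
            set_path(udm, "network.dns.questions", [{"name": query}])
        results = get_path(raw, "event.results")
        if results:  # the table splits the answer list on the "; " separator
            set_path(udm, "network.dns.answers", [{"data": a} for a in results.split("; ")])

    platform = OS_FAMILY.get(str(get_path(raw, "meta.osFamily")).lower())
    if platform:  # osFamily is normalised to the UDM enum on both principal and target
        set_path(udm, "principal.asset.platform_software.platform", platform)
        set_path(udm, "target.asset.platform_software.platform", platform)

    # Free-text values the table keeps as key/value labels rather than typed fields.
    decoded = get_path(raw, "event.decodedContent")
    if decoded is not None:
        set_path(udm, "target.labels", [{"key": "Decoded Content", "value": decoded}])
    signer = get_path(raw, "event.source.executable.signature.signed.identity")
    if signer is not None:
        set_path(udm, "principal.resource.attribute.labels",
                 [{"key": "Source Signature Signed Identity", "value": signer}])
    return udm


# Constructed sample in the Cloud Funnel JSON layout the table describes (not a real event).
SAMPLE_DNS_EVENT = json.loads(r"""
{"meta": {"computerName": "ws-42", "osFamily": "windows", "agentVersion": "23.1.2.4",
          "traceId": "trace-0001", "uuid": "agent-uuid-0001"},
 "event": {"type": "DNS Resolved", "query": "updates.example.net",
           "results": "203.0.113.10; 203.0.113.11", "decodedContent": null,
           "source": {"commandLine": "svchost.exe -k NetworkService",
                      "executable": {"path": "C:\\Windows\\System32\\svchost.exe",
                                     "signature": {"signed": {"identity": "Microsoft Windows"}}},
                      "fullPid": {"pid": 1234},
                      "user": {"name": "NETWORK SERVICE", "sid": "S-1-5-20"}}}}
""")

if __name__ == "__main__":
    print(json.dumps(to_udm(SAMPLE_DNS_EVENT), indent=2))
```

Run it as a script to print the resulting UDM document. Feeding it a real exported object from the bucket (one JSON event per call) is a quick way to confirm that the fields your detections depend on, such as `principal.process.file.sha256` or `network.dns.answers`, are actually present in the export before the feed goes live.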
Changes
2024-07-29
Enhancement:
- If `registry.keyPath` or `registry.value` is not null, then only mapped `metadata.event_type` to `REGISTRY_CREATION`.
2024-07-23
Enhancement:
- Mapped `agentDetectionInfo.agentOsName` to `target.platform_version`.
- Mapped `agentDetectionInfo.agentLastLoggedInUserName` to `target.user.userid`.
2024-07-09
Bug-Fix:
- Changed mapping for `suser` from `principal.user.userid` to `target.user.userid`.
- Changed mapping for `suser` from `principal.user.user_display_name` to `target.user.user_display_name`.
- Removed mapping for `accountId` from `target.user.userid`.
- Mapped `prin_user` to `principal.user.userid`.
2024-06-03
Enhancement:
- Mapped `suser` to `principal.user.userid`.
- Mapped `accountId` to `target.user.userid`.
- Mapped `MessageSourceAddress` to `principal.ip`.
- Mapped `machine_host` to `principal.hostname`.
2024-05-20
Enhancement:
- Mapped `event.dns.response` to `network.dns.answers.data`.
2024-05-06
Enhancement:
- Added support for a new pattern of JSON logs.
2024-03-22
Enhancement:
- Added new Grok pattern to parse new format of tab-separated KV logs.
- Mapped `osName` to `src.platform`.
2024-03-15
Enhancement:
- Mapped `site.id:account.id:agent.uuid:tgt.process.uid` to `target.process.product_specific_process_id`.
- Mapped `site.id:account.id:agent.uuid:src.process.uid` to `principal.process.product_specific_process_id`.
- Mapped `site.id:account.id:agent.uuid:src.process.parent.uid` to `principal.process.parent_process.product_specific_process_id`.
- Removed `src.process.cmdline` from being mapped to `target.process.command_line`.
2023-11-09
Fix:
- Mapped `tgt.process.user` to `target.user.userid`.
2023-10-30
Fix:
- Added not null check to `principal_port` prior to mapping to UDM.
- When `event.category` is `url` and `meta.event.name` is `HTTP`, mapped `metadata.event_type` to `NETWORK_HTTP`.
2023-09-06
- Added mapping of `tgt.process.storyline.id` to `security_result.about.resource.attribute.labels`.
- Modified mapping of `src.process.storyline.id` from `principal.process.product_specific_process_id` to `security_result.about.resource.attribute.labels`.
- Modified mapping of `src.process.parent.storyline.id` from `principal.parent.process.product_specific_process_id` to `security_result.about.resource.attribute.labels`.
2023-08-31
- Mapped `indicator.category` to `security_result.category_details`.
2023-08-03
- Initialized `event_data.login.loginIsSuccessful` to null.
- Mapped `module.path` to `target.process.file.full_path` and `target.file.full_path` where `event.type` is `Module Load`.
- Mapped `module.sha1` to `target.process.file.sha1` and `target.file.sha1` where `event.type` is `Module Load`.
- Mapped `metadata.event_type` to `PROCESS_MODULE_LOAD` where `event.type` is `Module Load`.
- Mapped `registry.keyPath` to `target.registry.registry_key` for `REGISTRY_*` events.
- Mapped `registry.value` to `target.registry.registry_value_data` for `REGISTRY_*` events.
- Mapped `event.network.protocolName` to `network.application_protocol`.
- Mapped `principal.platform`, `principal.asset.platform_software.platform` to `LINUX` if `endpoint.os` is `linux`.
- Mapped `event.login.userName` to `target.user.userid` when `event.type` is `Login` or `Logout`.
- Mapped `target.hostname` by obtaining the hostname from `url.address` when `event.type` is `GET`, `OPTIONS`, `POST`, `PUT`, `DELETE`, `CONNECT`, `HEAD`.
2023-06-09
- Mapped `osSrc.process.parent.publisher` to `principal.resource.attribute.labels`.
- Mapped `src.process.rUserName`/`src.process.eUserName`/`src.process.lUserName` to `principal.user.user_display_name`.
- Added check to fields `src.process.eUserId`, `src.process.lUserId`, `tgt.process.rUserUid` prior to mapping to UDM.
- Mapped `tgt.file.location`, `registry.valueFullSize`, `registry.valueType` to `target.resource.attribute.labels`.
- Mapped `indicator.description` to `security_result.summary`.
- Mapped `metadata.event_type` to `SCAN_NETWORK` where `event.type` is `Behavioral Indicators`.
- Mapped `metadata.event_type` to `SCAN_UNCATEGORIZED` where `event.type` is `Command Script`.
- Initialized fields `meta.osFamily`, `meta.osRevision`, `event.type`.
- Added ISO8601 to the date filter to parse ISO8601 timestamps.
- Added on_error to the `@timestamp` string conversion.
- Added on_error to `meta.uuid` prior to mapping.
2023-05-25
- Mapped `event.source.commandLine` to `principal.process.command_line`.
- Mapped `event.source.executable.path` to `principal.process.file.full_path`.
- Set `metadata.event_type` to `PROCESS_OPEN` where `event.type` is `openProcess`.
- Mapped `site.name:site.id` to `principal.namespace` if both `site.name` and `site.id` are not null.
- Mapped `event.network.direction` to `network.direction`.
- Mapped `meta.event.name` to `metadata.description`.
- Mapped `task.name` to `target.resource.name`.
- Mapped `agent.uuid` to `principal.asset.product_object_id`.
- Mapped `src.process.publisher` to `principal.resource.attribute.labels`.
- Mapped `src.process.cmdline` to `target.process.command_line`.
- Mapped `mgmt.osRevision` to `principal.asset.platform_software.platform_version`.
- Mapped `security_result.category` according to the `indicator.category` value.
- Mapped `event.dns.response` to `network.dns.answers`.
- Mapped `registry.keyPath` to `target.registry.registry_key`.
- Mapped `event.id` to `target.registry.registry_value_name`.
2023-04-27
- Mapped `event.type` to `metadata.product_event_type` for Cloud Funnel v2 logs.
2023-04-20
Enhancement:
- Added null and '-' conditional check for the field `data.ipAddress`.
- Added grok conditional check for the field `sourceMacAddresses`.
2023-03-02
Enhancement:
- When (`event.type` == `tcpv4` and `event.direction` == `INCOMING`) or `event.type` contains `(processExit|processTermination|processModification|duplicate)`, then mapped `event.source.executable.signature.signed.identity` to `target.resource.attribute.labels`, else mapped it to `principal.resource.attribute.labels`.
- Mapped `event.parent.executable.signature.signed.identity`, `event.process.executable.signature.signed.identity` to `principal.resource.attribute.labels`.
- Mapped `event.targetFile.signature.signed.identity`, `event.target.executable.signature.signed.identity`, `event.target.parent.executable.signature.signed.identity` to `target.resource.attribute.labels`.
2023-02-24
BugFix:
- Refactored the code to clearly differentiate between the log versions.
- For USER_LOGIN cloud funnel v2 logs, mapped `event.login.lognIsSuccessful` details to `security_result.action` and `security_result.summary`.
2023-02-13
BugFix:
- Parsed cloud funnel v1 logs as required.
- Mapping all http logs to `NETWORK_HTTP`. `NETWORK_HTTP` should have the URL field mapped to `target.url` instead of `metadata.url_back_to_product`.
2023-01-20
Enhancement:
- Mapped the field `event.url` to `target.hostname` and `target.url`.
- Mapped `metadata.event_type` to `NETWORK_HTTP` where `event.type` == `http`.
2023-01-16
BugFix:
- Mapped `mgmt.url` to `metadata.url_back_to_product` instead of `target.url`.
- Mapped `site.name` to `principal.location.name`.
- Mapped `src.process.rUserUid` to `principal.user.userid`.
- Mapped `src.process.eUserId` to `principal.user.userid`.
- Mapped `src.process.lUserId` to `principal.user.userid`.
- Mapped `src.process.parent.rUserUid` to `metadata.ingestion_labels`.
- Mapped `src.process.parent.eUserId` to `metadata.ingestion_labels`.
- Mapped `src.process.parent.lUserId` to `metadata.ingestion_labels`.
- Mapped `tgt.process.rUserUid` to `target.user.userid`.
- Mapped `tgt.process.eUserId` to `target.user.userid`.
- Mapped `tgt.process.lUserId` to `target.user.userid`.
- If `event.type` is `Process Creation`, mapped `metadata.event_type` to `PROCESS_LAUNCH`.
- If `event.type` is `Duplicate Process Handle`, mapped `metadata.event_type` to `PROCESS_OPEN`.
- If `event.type` is `Duplicate Thread Handle`, mapped `metadata.event_type` to `PROCESS_OPEN`.
- If `event.type` is `Open Remote Process Handle`, mapped `metadata.event_type` to `PROCESS_OPEN`.
- If `event.type` is `Remote Thread Creation`, mapped `metadata.event_type` to `PROCESS_LAUNCH`.
- If `event.type` is `Command Script`, mapped `metadata.event_type` to `FILE_UNCATEGORIZED`.
- If `event.type` is `IP Connect`, mapped `metadata.event_type` to `NETWORK_CONNECTION`.
- If `event.type` is `IP Listen`, mapped `metadata.event_type` to `NETWORK_UNCATEGORIZED`.
- If `event.type` is `File Modification`, mapped `metadata.event_type` to `FILE_MODIFICATION`.
- If `event.type` is `File Creation`, mapped `metadata.event_type` to `FILE_CREATION`.
- If `event.type` is `File Scan`, mapped `metadata.event_type` to `FILE_UNCATEGORIZED`.
- If `event.type` is `File Deletion`, mapped `metadata.event_type` to `FILE_DELETION`.
- If `event.type` is `File Rename`, mapped `metadata.event_type` to `FILE_MODIFICATION`.
- If `event.type` is `Pre Execution Detection`, mapped `metadata.event_type` to `FILE_UNCATEGORIZED`.
- If `event.type` is `Login`, mapped `metadata.event_type` to `USER_LOGIN`.
- If `event.type` is `Logout`, mapped `metadata.event_type` to `USER_LOGOUT`.
- If `event.type` is `GET`, mapped `metadata.event_type` to `NETWORK_HTTP`.
- If `event.type` is `OPTIONS`, mapped `metadata.event_type` to `NETWORK_HTTP`.
- If `event.type` is `POST`, mapped `metadata.event_type` to `NETWORK_HTTP`.
- If `event.type` is `PUT`, mapped `metadata.event_type` to `NETWORK_HTTP`.
- If `event.type` is `DELETE`, mapped `metadata.event_type` to `NETWORK_HTTP`.
- If `event.type` is `CONNECT`, mapped `metadata.event_type` to `NETWORK_HTTP`.
- If `event.type` is `HEAD`, mapped `metadata.event_type` to `NETWORK_HTTP`.
- If `event.type` is `Not Reported`, mapped `metadata.event_type` to `STATUS_UNCATEGORIZED`.
- If `event.type` is `DNS Resolved`, mapped `metadata.event_type` to `NETWORK_DNS`.
- If `event.type` is `DNS Unresolved`, mapped `metadata.event_type` to `NETWORK_DNS`.
- If `event.type` is `Task Register`, mapped `metadata.event_type` to `SCHEDULED_TASK_CREATION`.
- If `event.type` is `Task Update`, mapped `metadata.event_type` to `SCHEDULED_TASK_MODIFICATION`.
- If `event.type` is `Task Start`, mapped `metadata.event_type` to `SCHEDULED_TASK_UNCATEGORIZED`.
- If `event.type` is `Task Trigger`, mapped `metadata.event_type` to `SCHEDULED_TASK_UNCATEGORIZED`.
- If `event.type` is `Task Delete`, mapped `metadata.event_type` to `SCHEDULED_TASK_DELETION`.
- If `event.type` is `Registry Key Create`, mapped `metadata.event_type` to `REGISTRY_CREATION`.
- If `event.type` is `Registry Key Rename`, mapped `metadata.event_type` to `REGISTRY_MODIFICATION`.
- If `event.type` is `Registry Key Delete`, mapped `metadata.event_type` to `REGISTRY_DELETION`.
- If `event.type` is `Registry Key Export`, mapped `metadata.event_type` to `REGISTRY_UNCATEGORIZED`.
- If `event.type` is `Registry Key Security Changed`, mapped `metadata.event_type` to `REGISTRY_MODIFICATION`.
- If `event.type` is `Registry Key Import`, mapped `metadata.event_type` to `REGISTRY_CREATION`.
- If `event.type` is `Registry Value Modified`, mapped `metadata.event_type` to `REGISTRY_MODIFICATION`.
- If `event.type` is `Registry Value Create`, mapped `metadata.event_type` to `REGISTRY_CREATION`.
- If `event.type` is `Registry Value Delete`, mapped `metadata.event_type` to `REGISTRY_DELETION`.
- If `event.type` is `Behavioral Indicators`, mapped `metadata.event_type` to `SCAN_UNCATEGORIZED`.
- If `event.type` is `Module Load`, mapped `metadata.event_type` to `PROCESS_MODULE_LOAD`.
- If `event.type` is `Threat Intelligence Indicators`, mapped `metadata.event_type` to `SCAN_UNCATEGORIZED`.
- If `event.type` is `Named Pipe Creation`, mapped `metadata.event_type` to `PROCESS_UNCATEGORIZED`.
- If `event.type` is `Named Pipe Connection`, mapped `metadata.event_type` to `PROCESS_UNCATEGORIZED`.
- If `event.type` is `Driver Load`, mapped `metadata.event_type` to `PROCESS_MODULE_LOAD`.
2022-11-30
Enhancement:
- Enhanced the parser to support the logs ingested in version V2 by mapping the following fields.
- Mapped `account.id` to `metadata.product_deployment_id`.
- Mapped `agent.uuid` to `principal.asset.asset_id`.
- Mapped `dst.ip.address` to `target.ip`.
- Mapped `src.ip.address` to `principal.ip`.
- Mapped `src.process.parent.image.sha1` to `principal.process.parent_process.file.sha1`.
- Mapped `src.process.parent.image.sha256` to `principal.process.parent_process.file.sha256`.
- Mapped `src.process.parent.image.path` to `principal.process.parent_process.file.full_path`.
- Mapped `src.process.parent.cmdline` to `principal.process.parent_process.command_line`.
- Mapped `src.process.parent.image.md5` to `principal.process.parent_process.file.md5`.
- Mapped `src.process.parent.pid` to `principal.process.parent_process.pid`.
- Mapped `src.process.image.sha1` to `principal.process.file.sha1`.
- Mapped `src.process.image.md5` to `principal.process.file.md5`.
- Mapped `src.process.pid` to `principal.process.pid`.
- Mapped `src.process.cmdline` to `principal.process.command_line`.
- Mapped `src.process.image.path` to `principal.process.file.full_path`.
- Mapped `src.process.image.sha256` to `principal.process.file.sha256`.
- Mapped `src.process.user` to `principal.user.user_display_name`.
- Mapped `src.process.uid` to `principal.user.userid`.
- Mapped `src.process.storyline.id` to `principal.process.product_specific_process_id`.
- Mapped `src.process.parent.storyline.id` to `principal.process.parent_process.product_specific_process_id`.
- Mapped `mgmt.url` to `target.url`.
- Mapped `site.id` to `principal.namespace`.
- Mapped `src.port.number` to `principal.port`.
- Mapped `dst.port.number` to `target.port`.
- Mapped `event_data.id` to `metadata.product_log_id`.
2022-10-11
Enhancement:
- Mapped `threatClassification` to `security_result.category_details`.
- Mapped `threatConfidenceLevel` and `threatMitigationStatus` to `security_result.detection_fields`.
- Mapped `Location` to `principal.location.name`.
- Mapped `data.filePath` to `principal.process.parent_process.file.full_path`.
- Updated the mapping of the CAT value from `security_result.category_details` to `metadata.product_event_type`.
2022-09-01
Enhancement:
- Changed `metadata.product_name` from `SentinelOne` to `Singularity`.
- Mapped `event.regValue.key.value` to `target.registry.registry_value_name`.
- Mapped `principal_userid` to `principal.user.userid`.
- Mapped `principal_domain` to `principal.administrative_domain`.
- Mapped `threatInfo.threatId` to `security_result.threat_id`.
- Mapped `threatInfo.identifiedAt` to `metadata.event_timestamp`.
- Mapped `threatInfo.threatId` to `metadata.product_log_id`.
- Mapped `security_result.alert_state` to `ALERTING`.
- Mapped `threatInfo.maliciousProcessArguments` to `security_result.description`.
- Mapped `threatInfo.threatName` to `security_result.threat_name`.
- Mapped `threatInfo.classification` to `security_result.category_details`.
- Mapped `security_result.category` to `SOFTWARE_MALICIOUS` where `threatInfo.classification` is malicious, else to `NETWORK_SUSPICIOUS`.
- Mapped `security_result.action` to `ALLOW` where `threatInfo.mitigationStatus` is mitigated, else to `BLOCK`.
- Mapped `threatInfo.mitigationStatus` to `security_result.action_details`.
- Mapped `threatInfo.classification`, `threatInfo.classificationSource`, `threatInfo.analystVerdictDescription`, `threatInfo.threatName` to `security_result.summary`.
- Mapped `threatInfo.createdAt` to `metadata.collected_timestamp`.
- Mapped `agentRealtimeInfo.accountId` to `metadata.product_deployment_id`.
- Mapped `agentRealtimeInfo.agentVersion` to `metadata.product_version`.
- Mapped `indicator.category` to `detection_fields.key` and `indicator.description` to `detection_fields.value`.
- Mapped `detectionEngines.key` to `detection_fields.key` and `detectionEngines.title` to `detection_fields.value`.
- Mapped `metadata.event_type` to `SCAN_UNCATEGORIZED` where `meta.computerName` is not null.
2022-07-21
Enhancement:
- Mapped event.source.executable.hashes.md5 to principal.process.file.md5.
- Mapped event.source.executable.hashes.sha256 to principal.process.file.sha256.
- Mapped event.source.executable.hashes.sha1 to principal.process.file.sha1.
- Mapped event.source.fullPid.pid to principal.process.pid.
- Mapped event.source.user.name to principal.user.userid.
- Mapped meta.agentVersion to metadata.product_version.
- Mapped event.appName to target.application.
- Mapped event.contentHash.sha256 to target.process.file.sha256.
- Mapped event.source.commandLine to target.process.command_line.
- Mapped event.decodedContent to target.labels.
- Changed metadata.description from scripts to Command Scripts where event.type is scripts.
- Mapped vendor to metadata.vendor_name.
- Mapped data.fileContentHash to target.process.file.md5.
- Mapped data.ipAddress to principal.ip.
- Mapped activityUuid to target.asset.product_object_id.
- Mapped agentId to metadata.product_deployment_id.
- Added email verification for user_email prior to mapping it to principal.user.email_addresses, if failed mapped it to principal.user.userid.
- Mapped sourceIpAddresses to principal.ip.
- Mapped accountName to principal.administrative_domain.
- Mapped activityId to additional.fields.
2022-07-15
Enhancement:
- Parsed the new logs in JSON format and mapped the following new fields:
- `metadata.product_name` to `SENTINEL_ONE`.
- `sourceParentProcessMd5` to `principal.process.parent_process.file.md5`.
- `sourceParentProcessPath` to `principal.process.parent_process.file.full_path`.
- `sourceParentProcessPid` to `principal.process.parent_process.pid`.
- `sourceParentProcessSha1` to `principal.process.parent_process.file.sha1`.
- `sourceParentProcessSha256` to `principal.process.parent_process.file.sha256`.
- `sourceParentProcessCmdArgs` to `principal.process.parent_process.command_line`.
- `sourceProcessCmdArgs` to `principal.process.command_line`.
- `sourceProcessMd5` to `principal.process.file.md5`.
- `sourceProcessPid` to `principal.process.pid`.
- `sourceProcessSha1` to `principal.process.file.sha1`.
- `sourceProcessSha256` to `principal.process.file.sha256`.
- `sourceProcessPath` to `principal.process.file.full_path`.
- `tgtFilePath` to `target.file.full_path`.
- `tgtFileHashSha256` to `target.file.sha256`.
- `tgtFileHashSha1` to `target.file.sha1`.
- `tgtProcUid` to `target.process.product_specific_process_id`.
- `tgtProcCmdLine` to `target.process.command_line`.
- `tgtProcPid` to `target.process.pid`.
- `tgtProcName` to `target.application`.
- `dstIp` to `target.ip`.
- `srcIp` to `principal.ip`.
- `dstPort` to `target.port`.
- `srcPort` to `principal.port`.
- `origAgentName` to `principal.hostname`.
- `agentIpV4` to `principal.ip`.
- `groupId` to `principal.user.group_identifiers`.
- `groupName` to `principal.user.group_display_name`.
- `origAgentVersion` to `principal.asset.software.version`.
- `origAgentOsFamily` to `principal.platform`.
- `origAgentOsName` to `principal.asset.software.name`.
- `event_type` to `FILE_MODIFICATION` when `sourceEventType` = `FILEMODIFICATION`.
- `event_type` to `FILE_DELETION` when `sourceEventType` = `FILEDELETION`.
- `event_type` to `PROCESS_LAUNCH` when `sourceEventType` = `PROCESSCREATION`.
- `event_type` to `NETWORK_CONNECTION` when `sourceEventType` = `TCPV4`.
2022-06-13
Enhancement:
- For `[event][type]` == `fileCreation` and `[event][type]` == `fileDeletion`:
- Mapped `event.targetFile.path` to `target.file.full_path`.
- Mapped `event.targetFile.hashes.md5` to `target.process.file.md5`.
- Mapped `event.targetFile.hashes.sha1` to `target.process.file.sha1`.
- Mapped `event.targetFile.hashes.sha256` to `target.process.file.sha256`.
- For `[event][type]` == `fileModification`:
- Mapped `event.file.path` to `target.file.full_path`.
- Mapped `event.file.hashes.md5` to `target.process.file.md5`.
- Mapped `event.file.hashes.sha1` to `target.process.file.sha1`.
- Mapped `event.file.hashes.sha256` to `target.process.file.sha256`.
2022-04-18
- Enhanced the parser to handle all the unparsed raw logs.