
Change log for SENTINELONE_ALERT

Date Changes
2022-12-06 Fix -
- Parsed logs where agentIpV4 and agentIpV6 have more than one IP address.
2022-11-18 Enhancement -
- Added support to parse logs containing agentDetectionInfo by adding the following mappings.
- Mapped "agentRealtimeInfo.agentId" to "principal.asset_id" and "principal.asset.asset_id".
- Mapped "agentDetectionInfo.accountId" to "metadata.product_deployment_id".
- Mapped "agentRealtimeInfo.agentMachineType" to "principal.asset.category".
- Mapped "threatInfo.classificationSource" to "security_result.category_details".
- Mapped "agentRealtimeInfo.agentOsType" to "principal.asset.platform_software.platform".
- Mapped "threatInfo.filePath" to "target.file.full_path".
- Mapped "threatInfo.fileSize" to "target.file.size".
- Mapped "threatInfo.sha256" to "target.file.sha256".
- Mapped "threatInfo.md5" to "target.file.md5".
- Mapped "agentRealtimeInfo.fileExtensionType" to "target.process.file.mime_type".
- Mapped "agentRealtimeInfo.agentVersion" to "metadata.product_version".
- Mapped "threatInfo.collectionId" to "metadata.ingestion_labels".
- Mapped "threatInfo.storyline" to "principal.process.product_specific_process_id".
- Mapped "agentDetectionInfo.siteName" to "principal.location.name".
- Mapped "agentDetectionInfo.siteId" to "principal.namespace".
- Mapped "agentDetectionInfo.agentDomain" to "principal.administrative_domain".
- Mapped "threatInfo.analystVerdictDescription" to "security_result.summary".
- Mapped "threatInfo.threatName" to "security_result.threat_name".
- Mapped "threatInfo.identifiedAt" to "metadata.event_timestamp".
- Mapped "threatInfo.createdAt" to "metadata.collected_timestamp".
- Mapped "agentDetectionInfo.agentIpV4" to "principal.ip".
- Mapped "agentDetectionInfo.agentIpV6" to "principal.ip".
- Mapped "agentDetectionInfo.agentRegisteredAt" to "principal.asset.first_discover_time".
- Mapped "threatInfo.sha1" to "target.file.sha1".
- Mapped "security_result.confidence" to "HIGH_CONFIDENCE" if "threatInfo.confidenceLevel" is malicious.
- Mapped "security_result.confidence" to "MEDIUM_CONFIDENCE" if "threatInfo.confidenceLevel" is suspicious.
2022-10-27 Enhancement -
- Mapped "agentMachineType" to "principal.asset.category".
- Mapped "agentComputerName" to "principal.hostname" and "principal.asset.hostname".
- Mapped "fileContentHash" to "target.file.md5".
- Mapped "fileSha256" to "target.file.sha256".
- Mapped "filePath" to "target.file.full_path".
- Mapped "fileSize" to "target.file.size".
- Mapped "event_type" to "FILE_UNCATEGORIZED" where "fileContentHash" or "filePath" is not null.
- Mapped "agentDomain" to "principal.administrative_domain".
- Mapped "originatorProcess" to "target.process.parent_process.file.full_path".
- Mapped "threatName" to "target.file.names".
- Mapped "security_result.alert_state" to "ALERTING".
- Mapped "collectionId" to "metadata.ingestion_labels".
- Mapped "storyline" to "principal.process.product_specific_process_id".
- Mapped "metadata.vendor_name" to "SentinelOne".
- Mapped "metadata.product_event_type" to "Threats".
- Mapped "accountId" to "metadata.product_deployment_id".
2022-09-30 - Mapped "idm.is_alert" to true.
- Changed the create_time in the log file to avoid the larger-than-allowed timestamp issue.
2022-09-08 Newly created parser
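The following is an added illustrative example, not Chronicle's parser code: it reimplements the mapping rules listed in this change log for the agentDetectionInfo-shaped logs (the 2022-11-18 mappings, the 2022-12-06 multi-IP fix, the confidence mapping, and the FILE_UNCATEGORIZED rule), so a detection engineer can see what the UDM output should look like. The sample record is constructed, and applying the fileContentHash/filePath rule to the nested threatInfo.md5/threatInfo.filePath fields is an assumption.

```python
import ipaddress

# Constructed sample threat record (not real telemetry); field names follow the change log above.
SAMPLE_THREAT = {
    "agentDetectionInfo": {
        "accountId": "acct-1", "siteName": "HQ", "siteId": "site-1", "agentDomain": "corp.example",
        "agentIpV4": "10.0.0.5, 10.0.0.5,192.168.1.9",  # more than one IP, with a duplicate
        "agentIpV6": "fe80::1",
    },
    "agentRealtimeInfo": {"agentId": "agent-42", "agentMachineType": "laptop",
                          "agentOsType": "windows", "agentVersion": "22.1.2"},
    "threatInfo": {"filePath": "C:\\tmp\\sample.exe", "fileSize": 1024, "sha256": "a" * 64,
                   "md5": "b" * 32, "sha1": "c" * 40, "threatName": "Example.Test",
                   "confidenceLevel": "malicious"},
}

CONFIDENCE = {"malicious": "HIGH_CONFIDENCE", "suspicious": "MEDIUM_CONFIDENCE"}


def split_ips(value):
    """agentIpV4/agentIpV6 may hold several comma-separated IPs (2022-12-06 fix).
    Keep only syntactically valid, unique addresses in their original order."""
    seen, out = set(), []
    for raw in (value or "").split(","):
        ip = raw.strip()
        try:
            ipaddress.ip_address(ip)  # drops empty strings and junk such as "not-an-ip"
        except ValueError:
            continue
        if ip not in seen:
            seen.add(ip)
            out.append(ip)
    return out


def to_udm(threat):
    """Map one SentinelOne threat record to the UDM fields named in the change log."""
    det, rt, ti = (threat.get(k, {}) for k in ("agentDetectionInfo", "agentRealtimeInfo", "threatInfo"))
    udm = {
        "metadata": {"vendor_name": "SentinelOne", "product_event_type": "Threats",
                     "product_deployment_id": det.get("accountId"), "product_version": rt.get("agentVersion")},
        "principal": {"asset_id": rt.get("agentId"), "administrative_domain": det.get("agentDomain"),
                      "namespace": det.get("siteId"), "location": {"name": det.get("siteName")},
                      "ip": split_ips(det.get("agentIpV4")) + split_ips(det.get("agentIpV6")),
                      "asset": {"asset_id": rt.get("agentId"), "category": rt.get("agentMachineType"),
                                "platform_software": {"platform": rt.get("agentOsType")}}},
        "target": {"file": {"full_path": ti.get("filePath"), "size": ti.get("fileSize"),
                            "sha256": ti.get("sha256"), "md5": ti.get("md5"), "sha1": ti.get("sha1")}},
        "security_result": {"alert_state": "ALERTING", "threat_name": ti.get("threatName")},
        "idm": {"is_alert": True},
    }
    conf = CONFIDENCE.get(str(ti.get("confidenceLevel", "")).lower())
    if conf:  # only malicious/suspicious get a confidence value; anything else leaves it unset
        udm["security_result"]["confidence"] = conf
    if ti.get("md5") or ti.get("filePath"):  # assumption: nested equivalent of the fileContentHash/filePath rule
        udm["metadata"]["event_type"] = "FILE_UNCATEGORIZED"
    return udm
```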