Device Details

| Vendor | SentinelOne |
|---|---|
| Device Type | Endpoint Security |
| Supported Model Name/Number | Cloud Protection |
| Supported Software Version | N/A |
| Collection Method | Syslog |
| Configurable Log Output | N/A |
| Log Source Type | Syslog - SentinelOne CEF |
| Log Processing Policy | LogRhythm Default |
| Exceptions | N/A |
| Additional Information | |
Currently Supported Log Types

| Type | Version | Supported Schema Fields |
|---|---|---|
| Threat Messages | All | <hash>, <path>, <sip>, <dip>, <objectname>, <sname>, <account>, <vendorinfo>, <vmid>, <tag1>, <status>, <severity>, <dname>, <login>, <domainorigin>, <version>, <group>, <action> |
| Windows Server Messages | All | <vmid>, <vendorinfo>, <severity>, <sip>, <dip>, <dname>, <smac>, <account>, <domainorigin>, <object>, <subject>, <version>, <group>, <action>, <status>, <tag1> |
| Device Control Messages | All | <hash>, <path>, <sip>, <dip>, <objectname>, <sname>, <account>, <vendorinfo>, <vmid>, <tag1>, <status>, <severity>, <dinterface>, <login>, <domainorigin>, <version>, <group>, <smac>, <subject>, <object>, <objecttype> |
| Windows Operations Messages | All | <vmid>, <vendorinfo>, <severity>, <sip>, <dip>, <dname>, <smac>, <account>, <domainorigin>, <object>, <subject>, <version>, <group>, <action>, <status>, <tag1> |
| SentinelOne: Device Control Allowed | All | <vmid>, <vendorinfo>, <severity>, <sip>, <sname>, <dinterface>, <account>, <domainorigin>, <object>, <objecttype>, <subject>, <version>, <group>, <status> |
| Catch All Level 3 | All | <severity>, <object>, <sip>, <vmid>, <subject>, <hash> |
| General Object/Threat Information | All | <version>, <vmid>, <subject>, <dname>, <severity>, <login>, <domain>, <dip>, <hash>, <object>, <threatname> |
| SentinelOne: General Alerts | All | <version>, <vmid>, <subject>, <sname>, <severity>, <session> |
| Catch All: Level 1 | All | <tag1>, <severity> |
Parsed Metadata Fields

The Field Name column is the key as it appears in the CEF extension; the second column is the LogRhythm metadata field it is parsed into. Note that the single key "Ip" is mapped to both Sip and Dip.

| Field Name | LogRhythm Metadata Field | Value/Data Type |
|---|---|---|
| FileHash | Hash | Text/String |
| FilePath | Path | String |
| Severity | Severity | Text/String |
| Ip | Sip | IP Address |
| Ip | Dip | IP Address |
| Vendor | VendorInfo | Text/String |
| FileName | Objectname | Text/String |
| DeviceHostname | Sname | Text |
| EventId | Vmid | Number |
| Originator Version | Version | Text |
| SourceNetworkState | Status | Text |
| SourceDnsDomain | DomainOrigin | Text |
| SourceGroupName | Group | Text |
| Cat | Action | Text |
| EventDesc | Subject | Text |
| Accountname | Account | Text |
| SourceMacAddresses | smac | MAC Address (Text) |
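The following is an added example, not LogRhythm or SentinelOne code: a small CEF parser that splits a syslog record into its header and extension, then applies the Field Name to LogRhythm Metadata Field mapping from the table above and checks each value against the Value/Data Type column. The sample record, the `parse_cef`/`to_logrhythm` function names, and the type-check rules (IP address, integer, MAC address) are assumptions of this example; the mapping table itself is taken from the page. It also handles the two CEF details that most often break hand-written parsers: an escaped `\=` inside a value and backslashes in a Windows path.

```python
"""Parse a SentinelOne-style CEF syslog record and map its extension keys
to the LogRhythm metadata fields documented on this page (added example;
not LogRhythm or SentinelOne code)."""
import ipaddress
import re
from typing import Dict, List, Tuple

# CEF header positions: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# Extension key -> LogRhythm field(s), as listed in the Parsed Metadata Fields
# table. "Ip" is documented against both Sip and Dip, so it populates both.
CEF_TO_LOGRHYTHM: Dict[str, Tuple[str, ...]] = {
    "FileHash": ("Hash",),
    "FilePath": ("Path",),
    "Severity": ("Severity",),
    "Ip": ("Sip", "Dip"),
    "Vendor": ("VendorInfo",),
    "FileName": ("ObjectName",),
    "DeviceHostname": ("SName",),
    "EventId": ("VMID",),
    "SourceNetworkState": ("Status",),
    "SourceDnsDomain": ("DomainOrigin",),
    "SourceGroupName": ("Group",),
    "Cat": ("Action",),
    "EventDesc": ("Subject",),
    "Accountname": ("Account",),
    "SourceMacAddresses": ("SMAC",),
}

# A key is a run of non-space, non-'=' characters at the start of the extension
# or after whitespace; a value runs until the next key. An escaped "\=" inside a
# value never matches because the key class excludes backslashes.
_KEY_RE = re.compile(r"(?:^|\s)([^\s=\\]+)=")
_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def _unescape(value: str) -> str:
    # Undo CEF escaping: backslash-escaped '\', '=', '|', plus \n and \r.
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def parse_cef(record: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split one CEF record into (header, extension). Raises on non-CEF input."""
    # Split on unescaped '|' only; maxsplit keeps any '|' in the extension intact.
    parts = re.split(r"(?<!\\)\|", record.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % record[:40])
    header = {name: _unescape(val) for name, val in zip(HEADER_FIELDS, parts[:7])}
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    ext = parts[7]
    extension: Dict[str, str] = {}
    keys = list(_KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        extension[m.group(1)] = _unescape(ext[m.end():end].strip())
    return header, extension


def to_logrhythm(extension: Dict[str, str]) -> Tuple[Dict[str, object], List[str]]:
    """Map extension keys to LogRhythm fields and enforce the documented types.

    Returns (fields, warnings). Unknown keys and type mismatches are reported
    rather than dropped silently: an unmapped key is a parser gap, not bad data.
    """
    fields: Dict[str, object] = {}
    warnings: List[str] = []
    for key, value in extension.items():
        targets = CEF_TO_LOGRHYTHM.get(key)
        if targets is None:
            warnings.append("unmapped key %s" % key)
            continue
        for target in targets:
            fields[target] = value
    for ip_field in ("Sip", "Dip"):          # Value/Data Type: IP Address
        if ip_field in fields:
            try:
                fields[ip_field] = str(ipaddress.ip_address(str(fields[ip_field])))
            except ValueError:
                warnings.append("%s is not an IP address: %r" % (ip_field, fields.pop(ip_field)))
    if "VMID" in fields:                      # Value/Data Type: Number
        if str(fields["VMID"]).isdigit():
            fields["VMID"] = int(str(fields["VMID"]))
        else:
            warnings.append("VMID is not a number: %r" % fields.pop("VMID"))
    if "SMAC" in fields and not _MAC_RE.match(str(fields["SMAC"])):
        warnings.append("SMAC is not a MAC address: %r" % fields.pop("SMAC"))
    return fields, warnings


# Constructed sample record (not a real SentinelOne event). It uses the keys
# from the table, an escaped '=' in EventDesc and backslashes in FilePath.
SAMPLE = (
    r"CEF:0|SentinelOne|Mgmt|2.0|12|Threat Mitigated|8|"
    r"FileHash=d41d8cd98f00b204e9800998ecf8427e "
    r"FilePath=C:\\Users\\alice\\AppData\\Local\\Temp\\evil.exe "
    r"Severity=High Ip=10.0.0.5 Vendor=SentinelOne FileName=evil.exe "
    r"DeviceHostname=WS-0042 EventId=1001 SourceNetworkState=connected "
    r"SourceDnsDomain=corp.example SourceGroupName=Workstations "
    r"Cat=ThreatMitigated EventDesc=Threat mitigated\=quarantined "
    r"Accountname=alice SourceMacAddresses=00:11:22:33:44:55"
)

if __name__ == "__main__":
    hdr, ext = parse_cef(SAMPLE)
    mapped, warns = to_logrhythm(ext)
    print(hdr["name"], mapped, warns)
```

Run it against a few minutes of real collector output to see which keys land in the warnings list; those are the keys the Catch All log types above absorb, and the first candidates for extending the mapping.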