Syslog - SentinelOne CEF

Device Details

Vendor	SentinelOne
Device Type	EndPoint Security
Supported Model Name/Number	Cloud Protection
Supported Software Version	N/A
Collection Method	Syslog
Configurable Log Output	N/A
Log Source Type	Syslog - SentinelOne CEF
Log Processing Policy	LogRhythm Default
Exceptions	N/A
Additional Information	https://www.sentinelone.com/platform/

Type	Version	Supported Schema Fields
Threat Messages	All	<hash>, <path>, <sip>,<dip>,<objectname>,<sname>,<account>,<vendorinfo>,<vmid>,<tag1>,<status>,<severity>,<dname>,<login>,<domainorigin>,<version>,<group>,<action>
Windows Server Messages	All	<vmid>, <vendorinfo>, <severity>, <sip>, <dip>, <dname>, <smac>, <account>, <domainorigin>, <object>, <subject>, <version>, <group>, <action>, <status>, <tag1>
Device Control Messages	All	<hash>, <path>, <sip>, <dip>, <objectname>, <sname>, <account>, <vendorinfo>, <vmid>, <tag1>, <status>, <severity>, <dinterface>, <login>, <domainorigin>, <version>, <group>, <smac>, <subject>, <object>, <objecttype>
Windows Operations Messages	All	<vmid>, <vendorinfo>, <severity>, <sip>, <dip>, <dname>, <smac>, <account>, <domainorigin>, <object>, <subject>, <version>, <group>, <action>, <status>, <tag1>
SentinelOne: Device Control Allowed	All	<vmid>, <vendorinfo>, <severity>, <sip>, <sname>, <dinterface>, <account>, <domainorigin>, <object>, <objecttype>, <subject>, <version>, <group>, <status>
Catch All Level 3	All	<severity>, <object>, <sip>, <vmid>, <subject>, <hash>
General Object/Threat Information	All	<version>, <vmid>, <subject>, <dname>, <severity>, <login>, <domain>, <dip>, <hash>, <object>, <threatname>
SentinelOne : General Alerts	All	<version>, <vmid>, <subject>, <sname>, <severity>, <session>
Catch All : Level 1	All	<tag1>, <severity>