Device Details

Vendor: SentinelOne
Device Type: Endpoint Security
Supported Model Name/Number: Cloud Protection
Supported Software Version: N/A
Collection Method: Syslog
Configurable Log Output: N/A
Log Source Type: Syslog - SentinelOne CEF
Log Processing Policy: LogRhythm Default
Exceptions: N/A
Additional Information: https://www.sentinelone.com/platform/

Currently Supported Log Types

Each entry lists the message type, the SentinelOne version it applies to, and the LogRhythm schema fields that are populated from it.

Threat Messages (Version: All)
  <hash>, <path>, <sip>, <dip>, <objectname>, <sname>, <account>, <vendorinfo>, <vmid>, <tag1>, <status>, <severity>, <dname>, <login>, <domainorigin>, <version>, <group>, <action>

Windows Server Messages (Version: All)
  <vmid>, <vendorinfo>, <severity>, <sip>, <dip>, <dname>, <smac>, <account>, <domainorigin>, <object>, <subject>, <version>, <group>, <action>, <status>, <tag1>

Device Control Messages (Version: All)
  <hash>, <path>, <sip>, <dip>, <objectname>, <sname>, <account>, <vendorinfo>, <vmid>, <tag1>, <status>, <severity>, <dinterface>, <login>, <domainorigin>, <version>, <group>, <smac>, <subject>, <object>, <objecttype>

Windows Operations Messages (Version: All)
  <vmid>, <vendorinfo>, <severity>, <sip>, <dip>, <dname>, <smac>, <account>, <domainorigin>, <object>, <subject>, <version>, <group>, <action>, <status>, <tag1>

SentinelOne: Device Control Allowed (Version: All)
  <vmid>, <vendorinfo>, <severity>, <sip>, <sname>, <dinterface>, <account>, <domainorigin>, <object>, <objecttype>, <subject>, <version>, <group>, <status>

Catch All Level 3 (Version: All)
  <severity>, <object>, <sip>, <vmid>, <subject>, <hash>

General Object/Threat Information (Version: All)
  <version>, <vmid>, <subject>, <dname>, <severity>, <login>, <domain>, <dip>, <hash>, <object>, <threatname>

SentinelOne: General Alerts (Version: All)
  <version>, <vmid>, <subject>, <sname>, <severity>, <session>

Catch All: Level 1 (Version: All)
  <tag1>, <severity>

Parsed Metadata Fields

Field Name            LogRhythm Metadata Field   Value/Data Type
FileHash              Hash                       Text/String
FilePath              Path                       String
Severity              Severity                   Text/String
Ip                    Sip                        IP Address
Ip                    Dip                        IP Address
Vendor                VendorInfo                 Text/String
FileName              Objectname                 Text/String
DeviceHostname        Sname                      Text
EventId               Vmid                       Number
Originator Version    Version                    Text
SourceNetworkState    Status                     Text
SourceDnsDomain       DomainOrigin               Text
SourceGroupName       Group                      Text
Cat                   Action                     Text
EventDesc             Subject                    Text
Accountname           Account                    Text
SourceMacAddresses    Smac                       MAC Address
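The following Python script is an added example, not LogRhythm's or SentinelOne's own parsing code: it splits a CEF syslog line into its header and extension, then renames the extension keys to the LogRhythm metadata fields from the table above and applies the table's data types (Vmid as a number). It assumes the Field Name column is the literal CEF extension key; that the page's "Ip" (listed for both Sip and Dip) should land in Sip; and that, when no Vendor key is present, VendorInfo is taken from the CEF header's vendor field. The sample messages are constructed for the example and are not captures from a SentinelOne console.

```python
"""Parse SentinelOne-style CEF syslog lines and map the extension keys to the
LogRhythm metadata fields listed on this page. Sample lines are constructed."""
import re
from typing import Dict, List, Optional

# The seven pipe-delimited CEF header fields; the rest of the line is the extension.
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "header_severity")

# Field Name column -> LogRhythm Metadata Field column (assumed to be the CEF
# extension keys). "Ip" appears twice on the page (Sip and Dip); mapping it to
# SIP here is an assumption.
FIELD_MAP: Dict[str, str] = {
    "FileHash": "Hash", "FilePath": "Path", "Severity": "Severity",
    "Ip": "SIP", "Vendor": "VendorInfo", "FileName": "ObjectName",
    "DeviceHostname": "SName", "EventId": "VMID",
    "Originator Version": "Version", "SourceNetworkState": "Status",
    "SourceDnsDomain": "DomainOrigin", "SourceGroupName": "Group",
    "Cat": "Action", "EventDesc": "Subject", "Accountname": "Account",
    "SourceMacAddresses": "SMAC",
}
NUMERIC_FIELDS = {"VMID"}  # Value/Data Type "Number" on the page

# An extension key starts the extension or follows whitespace, so an escaped
# "\=" inside a value never starts a new key.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_.]*)=")
_UNESCAPE_RE = re.compile(r"\\(.)")  # CEF escapes: \| \= \\


def _unescape(value: str) -> str:
    return _UNESCAPE_RE.sub(r"\1", value)


def parse_cef(line: str) -> Optional[Dict[str, str]]:
    """Return header + extension fields, or None if the line is not CEF."""
    start = line.find("CEF:")  # syslog PRI/timestamp/host may precede it
    if start < 0:
        return None
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)
    if len(parts) < 8:
        return None
    record = {k: _unescape(v) for k, v in zip(HEADER_FIELDS, parts[:7])}
    record["cef_version"] = record["cef_version"][len("CEF:"):]
    ext = parts[7]
    keys = list(_KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        record[m.group(1)] = _unescape(ext[m.end():end].strip())
    return record


def to_logrhythm(record: Dict[str, str]) -> Dict[str, object]:
    """Rename keys per FIELD_MAP and coerce Number fields; unmapped keys drop."""
    out: Dict[str, object] = {}
    for key, value in record.items():
        target = FIELD_MAP.get(key)
        if target is None:
            continue
        if target in NUMERIC_FIELDS:
            if not value.isdigit():
                continue  # malformed Number: leave unset rather than guess
            out[target] = int(value)
        else:
            out[target] = value
    # Assumption: without a Vendor extension key, VendorInfo comes from the
    # CEF header's device vendor field.
    out.setdefault("VendorInfo", record["device_vendor"])
    return out


def process(lines: List[str]) -> List[Dict[str, object]]:
    """Parse every line; non-CEF lines are skipped, not guessed at."""
    results = []
    for line in lines:
        rec = parse_cef(line)
        if rec is not None:
            results.append(to_logrhythm(rec))
    return results


# Constructed sample messages in the page's CEF layout (not real captures).
SAMPLE_LINES = [
    r"<14>Jan 10 12:00:00 s1mgmt CEF:0|SentinelOne|Mgmt|2.0|18|Threat Detected|7|"
    r"FileHash=d41d8cd98f00b204e9800998ecf8427e FilePath=C:\\Users\\bob\\payload.exe "
    r"FileName=payload.exe DeviceHostname=WS-01 EventId=18 Severity=High "
    r"SourceNetworkState=connected Accountname=bob Ip=10.0.0.5 "
    r"EventDesc=Threat detected on endpoint",
    r"<14>Jan 10 12:01:00 s1mgmt CEF:0|SentinelOne|Mgmt|2.0|22|Device Control Blocked|5|"
    r"DeviceHostname=WS-02 EventId=22 Severity=Medium SourceMacAddresses=00:11:22:33:44:55 "
    r"Cat=Blocked EventDesc=USB mass storage blocked Accountname=alice",
    "<14>Jan 10 12:02:00 s1mgmt some unrelated message",  # not CEF: skipped
]

if __name__ == "__main__":
    for event in process(SAMPLE_LINES):
        print(event)
```

Two behaviours are worth checking against your own feed: values containing spaces are kept whole because a new key is only recognised after whitespace, and a literal `=` inside a value must arrive CEF-escaped as `\=` or it will be read as a key boundary. Anything that fails the Number type for Vmid is dropped rather than coerced, so a mismatch between the page's data types and what the console actually sends shows up as a missing field, not a wrong one.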