SentinelOne
| Version | 1.30.0 (View all) |
| Compatible Kibana version(s) | 8.18.0 or higher 9.0.0 or higher |
| Supported Serverless project types What's this? |
Security Observability |
| Subscription level What's this? |
Basic |
| Level of support What's this? |
Elastic |
The SentinelOne integration collects and parses data from SentinelOne REST APIs. This integration also offers the capability to perform response actions on SentinelOne hosts directly through the Elastic Security interface (introduced with v8.12.0). Additional configuration is required; for detailed guidance, refer to documentation.
Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to Agentless integrations and the Agentless integrations FAQ.
Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.
This module has been tested against SentinelOne Management Console API version 2.1.
To collect data from SentinelOne APIs, you must have an API token. To create an API token, follow these steps:
- Log in to the SentinelOne Management Console as an Admin.
- Navigate to Logged User Account from top right panel in the navigation bar.
- Click My User.
- In the API token section, click Generate.
The API token generated by the user is time-limited. To rotate a new token, log in with the dedicated admin account.
The alert data stream depends on STAR Custom Rules. STAR Custom Rules are supported in Cloud environments, but are not supported in on-premises environments. Because of this, the alert data stream is not supported in on-premises environments.
This is the activity dataset.
Example
{
"@timestamp": "2022-04-05T16:01:56.995Z",
"agent": {
"ephemeral_id": "630c4de2-59ec-4613-ab7d-261434a79313",
"id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.13.0"
},
"data_stream": {
"dataset": "sentinel_one.activity",
"namespace": "83396",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
"snapshot": false,
"version": "8.13.0"
},
"event": {
"agent_id_status": "verified",
"category": [
"configuration"
],
"created": "2024-06-12T03:21:55.005Z",
"dataset": "sentinel_one.activity",
"ingested": "2024-06-12T03:22:05Z",
"kind": "event",
"original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-05T16:01:56.995120Z\",\"data\":{\"accountId\":1234567890123456800,\"accountName\":\"Default\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"test/path\",\"groupName\":null,\"scopeLevel\":\"Account\",\"scopeName\":\"Default\",\"siteName\":null,\"username\":\"test user\"},\"description\":null,\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"created Default account.\",\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":null,\"updatedAt\":\"2022-04-05T16:01:56.992136Z\",\"userId\":\"1234567890123456789\"}",
"type": [
"creation"
]
},
"input": {
"type": "httpjson"
},
"related": {
"user": [
"test user"
]
},
"sentinel_one": {
"activity": {
"account": {
"id": "1234567890123456789",
"name": "Default"
},
"data": {
"account": {
"id": "1234567890123456800",
"name": "Default"
},
"fullscope": {
"details": "Account Default",
"details_path": "test/path"
},
"scope": {
"level": "Account",
"name": "Default"
}
},
"description": {
"primary": "created Default account."
},
"id": "1234567890123456789",
"type": 1234,
"updated_at": "2022-04-05T16:01:56.992Z"
}
},
"tags": [
"preserve_original_event",
"forwarded",
"sentinel_one-activity"
],
"user": {
"full_name": "test user",
"id": "1234567890123456789"
}
}
Exported fields
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| cloud.image.id | Image ID for the cloud instance. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset. | constant_keyword |
| event.module | Event module. | constant_keyword |
| host.containerized | If the host is a container. | boolean |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| input.type | Input type | keyword |
| log.offset | Log offset | long |
| log.source.address | Source address from which the log event was read / sent from. | keyword |
| sentinel_one.activity.account.id | Related account ID (if applicable). | keyword |
| sentinel_one.activity.account.name | Related account name (if applicable). | keyword |
| sentinel_one.activity.agent.id | Related agent (if applicable). | keyword |
| sentinel_one.activity.comments | Comments. | keyword |
| sentinel_one.activity.data.account.id | Related account ID (if applicable). | keyword |
| sentinel_one.activity.data.account.name | Related account name (if applicable). | keyword |
| sentinel_one.activity.data.attr | Attribute. | keyword |
| sentinel_one.activity.data.changed_keys | Changed keys. | keyword |
| sentinel_one.activity.data.confidence.level | Confidence level. | keyword |
| sentinel_one.activity.data.created_at | Created time. | date |
| sentinel_one.activity.data.description | Description. | keyword |
| sentinel_one.activity.data.downloaded.url | Downloaded URL. | keyword |
| sentinel_one.activity.data.flattened | Extra activity specific data. | flattened |
| sentinel_one.activity.data.fullscope.details | fullscope details. | keyword |
| sentinel_one.activity.data.fullscope.details_path | fullscope details path. | keyword |
| sentinel_one.activity.data.global.status | Global status. | keyword |
| sentinel_one.activity.data.group | Related group (if applicable). | keyword |
| sentinel_one.activity.data.group_name | Related group name (if applicable). | keyword |
| sentinel_one.activity.data.malicious.process.arguments | Malicious process arguments. | keyword |
| sentinel_one.activity.data.new.confidence_level | New confidence level. | keyword |
| sentinel_one.activity.data.new.status | Status. | keyword |
| sentinel_one.activity.data.new.value | Value. | keyword |
| sentinel_one.activity.data.old.confidence_level | Old confidence level. | keyword |
| sentinel_one.activity.data.optionals_groups | Optionals groups. | keyword |
| sentinel_one.activity.data.original.status | Original status. | keyword |
| sentinel_one.activity.data.policy | Policy. | flattened |
| sentinel_one.activity.data.policy_name | Policy name. | keyword |
| sentinel_one.activity.data.reason | Reason. | keyword |
| sentinel_one.activity.data.role | Role. | keyword |
| sentinel_one.activity.data.role_name | Role name. | keyword |
| sentinel_one.activity.data.scope.level | Scope Level. | keyword |
| sentinel_one.activity.data.scope.name | Scope name. | keyword |
| sentinel_one.activity.data.scope_level.name | Scope level name. | keyword |
| sentinel_one.activity.data.site.name | Related site name (if applicable). | keyword |
| sentinel_one.activity.data.source | Source. | keyword |
| sentinel_one.activity.data.status | Status. | keyword |
| sentinel_one.activity.data.system | System. | boolean |
| sentinel_one.activity.data.threat.classification.name | Threat classification name. | keyword |
| sentinel_one.activity.data.threat.classification.source | Threat classification source. | keyword |
| sentinel_one.activity.data.user.name | User name. | keyword |
| sentinel_one.activity.data.user.scope | User scope. | keyword |
| sentinel_one.activity.data.uuid | UUID. | keyword |
| sentinel_one.activity.description.primary | Primary description. | keyword |
| sentinel_one.activity.description.secondary | Secondary description. | keyword |
| sentinel_one.activity.id | Activity ID. | keyword |
| sentinel_one.activity.site.id | Related site ID (if applicable). | keyword |
| sentinel_one.activity.site.name | Related site name (if applicable). | keyword |
| sentinel_one.activity.threat.id | Related threat ID (if applicable). | keyword |
| sentinel_one.activity.type | Activity type. | long |
| sentinel_one.activity.updated_at | Activity last updated time (UTC). | date |
This is the agent dataset.
Example
{
"@timestamp": "2022-04-07T08:31:47.481Z",
"agent": {
"ephemeral_id": "bc127c14-939d-445f-ba71-65c2a9cd997e",
"id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.13.0"
},
"data_stream": {
"dataset": "sentinel_one.agent",
"namespace": "27680",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
"snapshot": false,
"version": "8.13.0"
},
"event": {
"agent_id_status": "verified",
"category": [
"host"
],
"created": "2024-06-12T03:22:47.058Z",
"dataset": "sentinel_one.agent",
"ingested": "2024-06-12T03:22:59Z",
"kind": "event",
"original": "{\"accountId\":\"12345123451234512345\",\"accountName\":\"Account Name\",\"activeDirectory\":{\"computerDistinguishedName\":null,\"computerMemberOf\":[],\"lastUserDistinguishedName\":null,\"lastUserMemberOf\":[]},\"activeThreats\":7,\"agentVersion\":\"12.x.x.x\",\"allowRemoteShell\":true,\"appsVulnerabilityStatus\":\"not_applicable\",\"cloudProviders\":{},\"computerName\":\"user-test\",\"consoleMigrationStatus\":\"N/A\",\"coreCount\":2,\"cpuCount\":2,\"cpuId\":\"CPU Name\",\"createdAt\":\"2022-03-18T09:12:00.519500Z\",\"detectionState\":null,\"domain\":\"WORKGROUP\",\"encryptedApplications\":false,\"externalId\":\"\",\"externalIp\":\"81.2.69.143\",\"firewallEnabled\":true,\"firstFullModeTime\":null,\"groupId\":\"1234567890123456789\",\"groupIp\":\"81.2.69.144\",\"groupName\":\"Default Group\",\"id\":\"13491234512345\",\"inRemoteShellSession\":false,\"infected\":true,\"installerType\":\".msi\",\"isActive\":true,\"isDecommissioned\":false,\"isPendingUninstall\":false,\"isUninstalled\":false,\"isUpToDate\":true,\"lastActiveDate\":\"2022-03-17T09:51:28.506000Z\",\"lastIpToMgmt\":\"81.2.69.145\",\"lastLoggedInUserName\":\"\",\"licenseKey\":\"\",\"locationEnabled\":true,\"locationType\":\"not_applicable\",\"locations\":null,\"machineType\":\"server\",\"missingPermissions\":[\"user-action-needed-bluetooth-per\",\"user_action_needed_fda\"],\"mitigationMode\":\"detect\",\"mitigationModeSuspicious\":\"detect\",\"modelName\":\"Compute Engine\",\"networkInterfaces\":[{\"gatewayIp\":\"81.2.69.145\",\"gatewayMacAddress\":\"00-00-5E-00-53-00\",\"id\":\"1234567890123456789\",\"inet\":[\"81.2.69.144\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"00-00-5E-00-53-00\"}],\"networkQuarantineEnabled\":false,\"networkStatus\":\"connected\",\"operationalState\":\"na\",\"operationalStateExpiration\":null,\"osArch\":\"64 bit\",\"osName\":\"Linux Server\",\"osRevision\":\"1234\",\"osStartTime\":\"2022-04-06T08:27:14Z\",\"osType\":\"linux\",\"osUsername\":null,\"rangerStatus\":\"Enabled\",\"rangerVersion\":\"21.x.x.x\",\"registeredAt\":\"2022-04-06T08:26:45.515278Z\",\"remoteProfilingState\":\"disabled\",\"remoteProfilingStateExpiration\":null,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"storageName\":null,\"storageType\":null,\"tags\":{\"sentinelone\":[{\"assignedAt\":\"2018-02-27T04:49:26.257525Z\",\"assignedBy\":\"test-user\",\"assignedById\":\"123456789012345678\",\"id\":\"123456789012345678\",\"key\":\"key123\",\"value\":\"value123\"}]},\"threatRebootRequired\":false,\"totalMemory\":1234,\"updatedAt\":\"2022-04-07T08:31:47.481227Z\",\"userActionsNeeded\":[\"reboot_needed\"],\"uuid\":\"XXX35XXX8Xfb4aX0X1X8X12X343X8X30\"}",
"type": [
"info"
]
},
"group": {
"id": "1234567890123456789",
"name": "Default Group"
},
"host": {
"domain": "WORKGROUP",
"geo": {
"city_name": "London",
"continent_name": "Europe",
"country_iso_code": "GB",
"country_name": "United Kingdom",
"location": {
"lat": 51.5142,
"lon": -0.0931
},
"region_iso_code": "GB-ENG",
"region_name": "England"
},
"id": "13491234512345",
"ip": [
"81.2.69.143"
],
"mac": [
"00-00-5E-00-53-00"
],
"name": "user-test",
"os": {
"name": "Linux Server",
"type": "linux",
"version": "1234"
}
},
"input": {
"type": "httpjson"
},
"observer": {
"version": "12.x.x.x"
},
"related": {
"hosts": [
"user-test",
"WORKGROUP"
],
"ip": [
"81.2.69.143",
"81.2.69.145",
"81.2.69.144",
"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
]
},
"sentinel_one": {
"agent": {
"account": {
"id": "12345123451234512345",
"name": "Account Name"
},
"active_threats_count": 7,
"agent": {
"id": "13491234512345"
},
"allow_remote_shell": true,
"apps_vulnerability_status": "not_applicable",
"console_migration_status": "N/A",
"core": {
"count": 2
},
"cpu": {
"count": 2,
"id": "CPU Name"
},
"created_at": "2022-03-18T09:12:00.519Z",
"encrypted_application": false,
"firewall_enabled": true,
"group": {
"ip": "81.2.69.144"
},
"in_remote_shell_session": false,
"infected": true,
"installer_type": ".msi",
"is_active": true,
"is_decommissioned": false,
"is_pending_uninstall": false,
"is_uninstalled": false,
"is_up_to_date": true,
"last_active_date": "2022-03-17T09:51:28.506Z",
"last_ip_to_mgmt": "81.2.69.145",
"location": {
"enabled": true,
"type": "not_applicable"
},
"machine": {
"type": "server"
},
"missing_permissions": [
"user-action-needed-bluetooth-per",
"user_action_needed_fda"
],
"mitigation_mode": "detect",
"mitigation_mode_suspicious": "detect",
"model_name": "Compute Engine",
"network_interfaces": [
{
"gateway": {
"ip": "81.2.69.145",
"mac": "00-00-5E-00-53-00"
},
"id": "1234567890123456789",
"inet": [
"81.2.69.144"
],
"inet6": [
"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
],
"name": "Ethernet"
}
],
"network_quarantine_enabled": false,
"network_status": "connected",
"operational_state": "na",
"os": {
"arch": "64 bit",
"start_time": "2022-04-06T08:27:14.000Z"
},
"ranger": {
"status": "Enabled",
"version": "21.x.x.x"
},
"registered_at": "2022-04-06T08:26:45.515Z",
"remote_profiling_state": "disabled",
"scan": {
"finished_at": "2022-04-06T09:18:21.090Z",
"started_at": "2022-04-06T08:26:52.838Z",
"status": "finished"
},
"site": {
"id": "1234567890123456789",
"name": "Default site"
},
"tags": [
{
"assigned_at": "2018-02-27T04:49:26.257Z",
"assigned_by": "test-user",
"assigned_by_id": "123456789012345678",
"id": "123456789012345678",
"key": "key123",
"value": "value123"
}
],
"threat_reboot_required": false,
"total_memory": 1234,
"user_action_needed": [
"reboot_needed"
],
"uuid": "XXX35XXX8Xfb4aX0X1X8X12X343X8X30"
}
},
"tags": [
"preserve_original_event",
"forwarded",
"sentinel_one-agent"
]
}
Exported fields
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| cloud.image.id | Image ID for the cloud instance. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset. | constant_keyword |
| event.module | Event module. | constant_keyword |
| host.containerized | If the host is a container. | boolean |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| input.type | Input type | keyword |
| log.offset | Log offset | long |
| sentinel_one.agent.account.id | A reference to the containing account. | keyword |
| sentinel_one.agent.account.name | Name of the containing account. | keyword |
| sentinel_one.agent.active_directory.computer.member_of | Computer member of. | keyword |
| sentinel_one.agent.active_directory.computer.name | Computer distinguished name. | keyword |
| sentinel_one.agent.active_directory.last_user.distinguished_name | Last user distinguished name. | keyword |
| sentinel_one.agent.active_directory.last_user.member_of | Last user member of. | keyword |
| sentinel_one.agent.active_directory.mail | Mail. | keyword |
| sentinel_one.agent.active_directory.user.principal_name | User principal name. | keyword |
| sentinel_one.agent.active_threats_count | Current number of active threats. | long |
| sentinel_one.agent.agent.id | Related agent (if applicable). | keyword |
| sentinel_one.agent.allow_remote_shell | Agent is capable and policy enabled for remote shell. | boolean |
| sentinel_one.agent.apps_vulnerability_status | Apps vulnerability status. | keyword |
| sentinel_one.agent.cloud_provider | Cloud providers for this agent. | flattened |
| sentinel_one.agent.console_migration_status | What step the agent is at in the process of migrating to another console, if any. | keyword |
| sentinel_one.agent.core.count | CPU cores. | long |
| sentinel_one.agent.cpu.count | Number of CPUs. | long |
| sentinel_one.agent.cpu.id | CPU model. | keyword |
| sentinel_one.agent.created_at | Created at. | date |
| sentinel_one.agent.detection_state | Detection State. | keyword |
| sentinel_one.agent.encrypted_application | Disk encryption status. | boolean |
| sentinel_one.agent.external.id | External ID set by customer. | keyword |
| sentinel_one.agent.firewall_enabled | Firewall enabled. | boolean |
| sentinel_one.agent.first_full_mode_time | Date of the first time the Agent moved to full or slim detection modes. | date |
| sentinel_one.agent.group.ip | Group subnet address. | keyword |
| sentinel_one.agent.group.updated_at | Group updated at. | date |
| sentinel_one.agent.in_remote_shell_session | Is the Agent in a remote shell session. | boolean |
| sentinel_one.agent.infected | Indicates if the Agent has active threats. | boolean |
| sentinel_one.agent.installer_type | Installer package type (file extension). | keyword |
| sentinel_one.agent.is_active | Indicates if the agent was recently active. | boolean |
| sentinel_one.agent.is_decommissioned | Is Agent decommissioned. | boolean |
| sentinel_one.agent.is_pending_uninstall | Agent with a pending uninstall request. | boolean |
| sentinel_one.agent.is_uninstalled | Indicates if Agent was removed from the device. | boolean |
| sentinel_one.agent.is_up_to_date | Indicates if the agent version is up to date. | boolean |
| sentinel_one.agent.last_active_date | Last active date. | date |
| sentinel_one.agent.last_ip_to_mgmt | The last IP used to connect to the Management console. | ip |
| sentinel_one.agent.last_logged_in_user_name | Last logged in user name. | keyword |
| sentinel_one.agent.license.key | License key. | keyword |
| sentinel_one.agent.location.enabled | Location enabled. | boolean |
| sentinel_one.agent.location.type | Reported location type. | keyword |
| sentinel_one.agent.locations.id | Location ID. | keyword |
| sentinel_one.agent.locations.name | Location name. | keyword |
| sentinel_one.agent.locations.scope | Location scope. | keyword |
| sentinel_one.agent.machine.type | Machine type. | keyword |
| sentinel_one.agent.missing_permissions | keyword | |
| sentinel_one.agent.mitigation_mode | Agent mitigation mode policy. | keyword |
| sentinel_one.agent.mitigation_mode_suspicious | Mitigation mode policy for suspicious activity. | keyword |
| sentinel_one.agent.model_name | Device model. | keyword |
| sentinel_one.agent.network_interfaces.gateway.ip | The default gateway ip. | ip |
| sentinel_one.agent.network_interfaces.gateway.mac | The default gateway mac address. | keyword |
| sentinel_one.agent.network_interfaces.id | Id. | keyword |
| sentinel_one.agent.network_interfaces.inet | IPv4 addresses. | ip |
| sentinel_one.agent.network_interfaces.inet6 | IPv6 addresses. | ip |
| sentinel_one.agent.network_interfaces.name | Name. | keyword |
| sentinel_one.agent.network_quarantine_enabled | Network quarantine enabled. | boolean |
| sentinel_one.agent.network_status | Agent's network connectivity status. | keyword |
| sentinel_one.agent.operational_state | Agent operational state. | keyword |
| sentinel_one.agent.operational_state_expiration | Agent operational state expiration. | keyword |
| sentinel_one.agent.os.arch | OS architecture. | keyword |
| sentinel_one.agent.os.start_time | Last boot time. | date |
| sentinel_one.agent.policy.updated_at | Policy updated at. | date |
| sentinel_one.agent.ranger.status | Is Agent disabled as a Ranger. | keyword |
| sentinel_one.agent.ranger.version | The version of Ranger. | keyword |
| sentinel_one.agent.registered_at | Time of first registration to management console (similar to createdAt). | date |
| sentinel_one.agent.remote_profiling_state | Agent remote profiling state. | keyword |
| sentinel_one.agent.remote_profiling_state_expiration | Agent remote profiling state expiration in seconds. | keyword |
| sentinel_one.agent.scan.aborted_at | Abort time of last scan (if applicable). | date |
| sentinel_one.agent.scan.finished_at | Finish time of last scan (if applicable). | date |
| sentinel_one.agent.scan.started_at | Start time of last scan. | date |
| sentinel_one.agent.scan.status | Last scan status. | keyword |
| sentinel_one.agent.site.id | A reference to the containing site. | keyword |
| sentinel_one.agent.site.name | Name of the containing site. | keyword |
| sentinel_one.agent.storage.name | Storage name. | keyword |
| sentinel_one.agent.storage.type | Storage type. | keyword |
| sentinel_one.agent.tags.assigned_at | When tag assigned to the agent. | date |
| sentinel_one.agent.tags.assigned_by | full user name who assigned the tag to the agent. | keyword |
| sentinel_one.agent.tags.assigned_by_id | User ID who assigned the tag to the agent. | keyword |
| sentinel_one.agent.tags.id | Tag ID. | keyword |
| sentinel_one.agent.tags.key | Tag key. | keyword |
| sentinel_one.agent.tags.value | Tag value. | keyword |
| sentinel_one.agent.threat_reboot_required | Flag representing if the Agent has at least one threat with at least one mitigation action that is pending reboot to succeed. | boolean |
| sentinel_one.agent.total_memory | Memory size (MB). | long |
| sentinel_one.agent.user_action_needed | A list of pending user actions. | keyword |
| sentinel_one.agent.uuid | Agent's universally unique identifier. | keyword |
This is the alert dataset.
Example
{
"@timestamp": "2018-02-27T04:49:26.257Z",
"agent": {
"ephemeral_id": "5076489f-5b52-4bc8-a887-13206a7b5ebd",
"id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.13.0"
},
"container": {
"id": "string",
"image": {
"name": "string"
},
"name": "string"
},
"data_stream": {
"dataset": "sentinel_one.alert",
"namespace": "68976",
"type": "logs"
},
"destination": {
"ip": "81.2.69.144",
"port": 1234
},
"dll": {
"hash": {
"sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"
},
"path": "string"
},
"dns": {
"question": {
"name": "string"
}
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
"snapshot": false,
"version": "8.13.0"
},
"event": {
"agent_id_status": "verified",
"category": [
"malware"
],
"created": "2024-06-12T03:23:40.343Z",
"dataset": "sentinel_one.alert",
"id": "123456789123456789",
"ingested": "2024-06-12T03:23:52Z",
"kind": "event",
"original": "{\"agentDetectionInfo\":{\"machineType\":\"string\",\"name\":\"string\",\"osFamily\":\"string\",\"osName\":\"string\",\"osRevision\":\"string\",\"siteId\":\"123456789123456789\",\"uuid\":\"string\",\"version\":\"3.x.x.x\"},\"alertInfo\":{\"alertId\":\"123456789123456789\",\"analystVerdict\":\"string\",\"createdAt\":\"2018-02-27T04:49:26.257525Z\",\"dnsRequest\":\"string\",\"dnsResponse\":\"string\",\"dstIp\":\"81.2.69.144\",\"dstPort\":\"1234\",\"dvEventId\":\"string\",\"eventType\":\"info\",\"hitType\":\"Events\",\"incidentStatus\":\"string\",\"indicatorCategory\":\"string\",\"indicatorDescription\":\"string\",\"indicatorName\":\"string\",\"loginAccountDomain\":\"string\",\"loginAccountSid\":\"string\",\"loginIsAdministratorEquivalent\":\"string\",\"loginIsSuccessful\":\"string\",\"loginType\":\"string\",\"loginsUserName\":\"string\",\"modulePath\":\"string\",\"moduleSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"netEventDirection\":\"string\",\"registryKeyPath\":\"string\",\"registryOldValue\":\"string\",\"registryOldValueType\":\"string\",\"registryPath\":\"string\",\"registryValue\":\"string\",\"reportedAt\":\"2018-02-27T04:49:26.257525Z\",\"source\":\"string\",\"srcIp\":\"81.2.69.142\",\"srcMachineIp\":\"81.2.69.142\",\"srcPort\":\"1234\",\"tiIndicatorComparisonMethod\":\"string\",\"tiIndicatorSource\":\"string\",\"tiIndicatorType\":\"string\",\"tiIndicatorValue\":\"string\",\"updatedAt\":\"2018-02-27T04:49:26.257525Z\"},\"containerInfo\":{\"id\":\"string\",\"image\":\"string\",\"labels\":\"string\",\"name\":\"string\"},\"kubernetesInfo\":{\"cluster\":\"string\",\"controllerKind\":\"string\",\"controllerLabels\":\"string\",\"controllerName\":\"string\",\"namespace\":\"string\",\"namespaceLabels\":\"string\",\"node\":\"string\",\"pod\":\"string\",\"podLabels\":\"string\"},\"ruleInfo\":{\"description\":\"string\",\"id\":\"string\",\"name\":\"string\",\"scopeLevel\":\"string\",\"severity\":\"Low\",\"treatAsThreat\":\"UNDEFINED\"},\"sourceParentProcessInfo\":{\"commandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"sourceProcessInfo\":{\"commandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"targetProcessInfo\":{\"tgtFileCreatedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"tgtFileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"tgtFileId\":\"string\",\"tgtFileIsSigned\":\"string\",\"tgtFileModifiedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileOldPath\":\"string\",\"tgtFilePath\":\"string\",\"tgtProcCmdLine\":\"string\",\"tgtProcImagePath\":\"string\",\"tgtProcIntegrityLevel\":\"unknown\",\"tgtProcName\":\"string\",\"tgtProcPid\":\"12345\",\"tgtProcSignedStatus\":\"string\",\"tgtProcStorylineId\":\"string\",\"tgtProcUid\":\"string\",\"tgtProcessStartTime\":\"2018-02-27T04:49:26.257525Z\"}}",
"type": [
"info"
]
},
"file": {
"created": "2018-02-27T04:49:26.257Z",
"mtime": "2018-02-27T04:49:26.257Z"
},
"host": {
"ip": [
"81.2.69.142"
],
"name": "string",
"os": {
"family": "string",
"name": "string",
"version": "string"
},
"type": "string"
},
"input": {
"type": "httpjson"
},
"observer": {
"serial_number": "string",
"version": "3.x.x.x"
},
"orchestrator": {
"cluster": {
"name": "string"
},
"namespace": "string"
},
"process": {
"code_signature": {
"signing_id": "string"
},
"command_line": "string",
"entity_id": "string",
"executable": "string",
"hash": {
"md5": "5d41402abc4b2a76b9719d911017c592",
"sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d",
"sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
},
"name": "string",
"parent": {
"code_signature": {
"signing_id": "string"
},
"command_line": "string",
"entity_id": "string",
"executable": "string",
"hash": {
"md5": "5d41402abc4b2a76b9719d911017c592",
"sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d",
"sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
},
"name": "string",
"pid": 12345,
"start": "2018-02-27T04:49:26.257Z",
"user": {
"name": "string"
}
},
"pid": 12345,
"start": "2018-02-27T04:49:26.257Z",
"user": {
"name": "string"
}
},
"registry": {
"key": "string",
"path": "string",
"value": "string"
},
"related": {
"hash": [
"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d",
"5d41402abc4b2a76b9719d911017c592",
"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
],
"hosts": [
"string"
],
"ip": [
"81.2.69.142",
"81.2.69.144"
],
"user": [
"string"
]
},
"rule": {
"description": "string",
"id": "string",
"name": "string"
},
"sentinel_one": {
"alert": {
"agent": {
"site_id": "123456789123456789"
},
"analyst_verdict": "string",
"container": {
"info": {
"labels": "string"
}
},
"dv_event": {
"id": "string"
},
"info": {
"dns": {
"response": "string"
},
"event_type": "info",
"hit": {
"type": "Events"
},
"indicator": {
"category": "string",
"description": "string",
"name": "string"
},
"login": {
"account": {
"sid": "string"
},
"is_administrator": "string",
"is_successful": "string",
"type": "string"
},
"registry": {
"old_value": "string",
"old_value_type": "string"
},
"reported_at": "2018-02-27T04:49:26.257Z",
"source": "string",
"status": "string",
"ti_indicator": {
"comparison_method": "string",
"source": "string",
"type": "string",
"value": "string"
},
"updated_at": "2018-02-27T04:49:26.257Z"
},
"kubernetes": {
"controller": {
"kind": "string",
"labels": "string",
"name": "string"
},
"namespace": {
"labels": "string"
},
"node": "string",
"pod": {
"labels": "string",
"name": "string"
}
},
"process": {
"integrity_level": "unknown",
"parent": {
"integrity_level": "unknown",
"storyline": "string",
"subsystem": "unknown"
},
"storyline": "string",
"subsystem": "unknown"
},
"rule": {
"scope_level": "string",
"severity": "Low",
"treat_as_threat": "UNDEFINED"
},
"target": {
"process": {
"file": {
"hash": {
"sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d",
"sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
},
"id": "string",
"is_signed": "string",
"old_path": "string",
"path": "string"
},
"proc": {
"cmdline": "string",
"image_path": "string",
"integrity_level": "unknown",
"name": "string",
"pid": 12345,
"signed_status": "string",
"storyline_id": "string",
"uid": "string"
},
"start_time": "2018-02-27T04:49:26.257Z"
}
}
}
},
"source": {
"ip": "81.2.69.142",
"port": 1234
},
"tags": [
"preserve_original_event",
"forwarded",
"sentinel_one-alert"
],
"user": {
"domain": "string",
"name": "string"
}
}
Exported fields
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| cloud.image.id | Image ID for the cloud instance. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset. | constant_keyword |
| event.module | Event module. | constant_keyword |
| host.containerized | If the host is a container. | boolean |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| input.type | Input type | keyword |
| log.offset | Log offset | long |
| log.source.address | Source address from which the log event was read / sent from. | keyword |
| sentinel_one.alert.agent.computer_name | Computer distinguished name. | keyword |
| sentinel_one.alert.agent.id | Agent ID. | keyword |
| sentinel_one.alert.agent.infected | Agent infected. | boolean |
| sentinel_one.alert.agent.is_active | Is active. | boolean |
| sentinel_one.alert.agent.is_decommissioned | Is decommissioned. | boolean |
| sentinel_one.alert.agent.machine_type | Machine type. | keyword |
| sentinel_one.alert.agent.os.type | OS type. | keyword |
| sentinel_one.alert.agent.site_id | Site id. | keyword |
| sentinel_one.alert.analyst_verdict | Analyst verdict. | keyword |
| sentinel_one.alert.container.info.labels | Container info labels. | keyword |
| sentinel_one.alert.dv_event.id | DV event id. | keyword |
| sentinel_one.alert.info.dns.response | IP address, DNS, type, etc. in response. | keyword |
| sentinel_one.alert.info.event_type | Event type. | keyword |
| sentinel_one.alert.info.hit.type | Type of hit reported from agent. | keyword |
| sentinel_one.alert.info.indicator.category | Indicator categories for this process. | keyword |
| sentinel_one.alert.info.indicator.description | Indicator_description. | keyword |
| sentinel_one.alert.info.indicator.name | Indicator names for this process. | keyword |
| sentinel_one.alert.info.login.account.sid | SID of the account that attempted to login. | keyword |
| sentinel_one.alert.info.login.is_administrator | Is the login attempt administrator equivalent. | keyword |
| sentinel_one.alert.info.login.is_successful | Was the login attempt successful. | keyword |
| sentinel_one.alert.info.login.type | Type of login which was performed. | keyword |
| sentinel_one.alert.info.registry.old_value | Registry previous value (in case of modification). | keyword |
| sentinel_one.alert.info.registry.old_value_type | Registry previous value type (in case of modification). | keyword |
| sentinel_one.alert.info.reported_at | Timestamp of alert creation in STAR. | date |
| sentinel_one.alert.info.source | Source reported from agent. | keyword |
| sentinel_one.alert.info.status | Incident status. | keyword |
| sentinel_one.alert.info.ti_indicator.comparison_method | The comparison method used by SentinelOne to trigger the event. | keyword |
| sentinel_one.alert.info.ti_indicator.source | The value of the identified Threat Intelligence indicator. | keyword |
| sentinel_one.alert.info.ti_indicator.type | The type of the identified Threat Intelligence indicator. | keyword |
| sentinel_one.alert.info.ti_indicator.value | The value of the identified Threat Intelligence indicator. | keyword |
| sentinel_one.alert.info.updated_at | Date of alert updated in Star MMS. | date |
| sentinel_one.alert.kubernetes.controller.kind | Controller kind. | keyword |
| sentinel_one.alert.kubernetes.controller.labels | Controller labels. | keyword |
| sentinel_one.alert.kubernetes.controller.name | Controller name. | keyword |
| sentinel_one.alert.kubernetes.namespace.labels | Namespace labels. | keyword |
| sentinel_one.alert.kubernetes.node | Node. | keyword |
| sentinel_one.alert.kubernetes.pod.labels | Pod Labels. | keyword |
| sentinel_one.alert.kubernetes.pod.name | Pod name. | keyword |
| sentinel_one.alert.process.integrity_level | Integrity level. | keyword |
| sentinel_one.alert.process.parent.integrity_level | Integrity level. | keyword |
| sentinel_one.alert.process.parent.storyline | StoryLine. | keyword |
| sentinel_one.alert.process.parent.subsystem | Subsystem. | keyword |
| sentinel_one.alert.process.storyline | StoryLine. | keyword |
| sentinel_one.alert.process.subsystem | Subsystem. | keyword |
| sentinel_one.alert.rule.scope_level | Scope level. | keyword |
| sentinel_one.alert.rule.severity | Rule severity. | keyword |
| sentinel_one.alert.rule.treat_as_threat | Rule treat as threat type. | keyword |
| sentinel_one.alert.target.process.file.hash.sha1 | SHA1 Signature of File. | keyword |
| sentinel_one.alert.target.process.file.hash.sha256 | SHA256 Signature of File. | keyword |
| sentinel_one.alert.target.process.file.id | Unique ID of file. | keyword |
| sentinel_one.alert.target.process.file.is_signed | Is fle signed. | keyword |
| sentinel_one.alert.target.process.file.old_path | Old path before 'Rename'. | keyword |
| sentinel_one.alert.target.process.file.path | Path and filename. | keyword |
| sentinel_one.alert.target.process.proc.cmdline | Target Process Command Line. | keyword |
| sentinel_one.alert.target.process.proc.image_path | Target Process Image path | keyword |
| sentinel_one.alert.target.process.proc.integrity_level | Integrity level of target process. | keyword |
| sentinel_one.alert.target.process.proc.name | Target Process Name. | keyword |
| sentinel_one.alert.target.process.proc.pid | Target Process ID (PID). | long |
| sentinel_one.alert.target.process.proc.signed_status | Target Process Signed Status. | keyword |
| sentinel_one.alert.target.process.proc.storyline_id | Target Process StoryLine ID. | keyword |
| sentinel_one.alert.target.process.proc.uid | Target Process Unique ID. | keyword |
| sentinel_one.alert.target.process.start_time | Target Process Start Time. | date |
This is the group dataset.
Example
{
"@timestamp": "2022-04-05T16:01:57.564Z",
"agent": {
"ephemeral_id": "99777f03-5c73-4831-b833-2489562ef8fb",
"id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.13.0"
},
"data_stream": {
"dataset": "sentinel_one.group",
"namespace": "81222",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
"snapshot": false,
"version": "8.13.0"
},
"event": {
"agent_id_status": "verified",
"category": [
"iam"
],
"created": "2024-06-12T03:24:33.387Z",
"dataset": "sentinel_one.group",
"ingested": "2024-06-12T03:24:45Z",
"kind": "event",
"original": "{\"createdAt\":\"2022-04-05T16:01:56.928383Z\",\"creator\":\"Test User\",\"creatorId\":\"1234567890123456789\",\"filterId\":null,\"filterName\":null,\"id\":\"1234567890123456789\",\"inherits\":true,\"isDefault\":true,\"name\":\"Default Group\",\"rank\":null,\"registrationToken\":\"eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=\",\"siteId\":\"1234567890123456789\",\"totalAgents\":1,\"type\":\"static\",\"updatedAt\":\"2022-04-05T16:01:57.564266Z\"}",
"type": [
"info"
]
},
"group": {
"id": "1234567890123456789",
"name": "Default Group"
},
"input": {
"type": "httpjson"
},
"related": {
"user": [
"Test User"
]
},
"sentinel_one": {
"group": {
"agent": {
"count": 1
},
"created_at": "2022-04-05T16:01:56.928Z",
"creator": {
"id": "1234567890123456789"
},
"inherits": true,
"is_default": true,
"registration_token": "eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=",
"site": {
"id": "1234567890123456789"
},
"type": "static"
}
},
"tags": [
"preserve_original_event",
"forwarded",
"sentinel_one-group"
],
"user": {
"full_name": "Test User"
}
}
Exported fields
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| cloud.image.id | Image ID for the cloud instance. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset. | constant_keyword |
| event.module | Event module. | constant_keyword |
| host.containerized | If the host is a container. | boolean |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| input.type | Input type | keyword |
| log.offset | Log offset | long |
| log.source.address | Source address from which the log event was read / sent from. | keyword |
| sentinel_one.group.agent.count | long | |
| sentinel_one.group.created_at | date | |
| sentinel_one.group.creator.id | keyword | |
| sentinel_one.group.filter.id | keyword | |
| sentinel_one.group.filter.name | keyword | |
| sentinel_one.group.inherits | boolean | |
| sentinel_one.group.is_default | boolean | |
| sentinel_one.group.rank | long | |
| sentinel_one.group.registration_token | keyword | |
| sentinel_one.group.site.id | keyword | |
| sentinel_one.group.type | keyword |
This is the threat dataset.
Example
{
"@timestamp": "2022-04-06T08:54:17.194Z",
"agent": {
"ephemeral_id": "a2264e16-9431-4dd9-9e8a-6209c36c3c1e",
"id": "59bbe264-6d1c-48b7-9f6a-f2172d817ded",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.13.0"
},
"data_stream": {
"dataset": "sentinel_one.threat",
"namespace": "80468",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "59bbe264-6d1c-48b7-9f6a-f2172d817ded",
"snapshot": false,
"version": "8.13.0"
},
"event": {
"action": "SentinelOne Cloud",
"agent_id_status": "verified",
"category": [
"malware"
],
"created": "2024-06-18T21:22:32.743Z",
"dataset": "sentinel_one.threat",
"id": "1234567890123456789",
"ingested": "2024-06-18T21:22:44Z",
"kind": "alert",
"original": "{\"agentDetectionInfo\":{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"agentDetectionState\":null,\"agentDomain\":\"WORKGROUP\",\"agentIpV4\":\"10.0.0.1\",\"agentIpV6\":\"2a02:cf40::\",\"agentLastLoggedInUpn\":null,\"agentLastLoggedInUserMail\":null,\"agentLastLoggedInUserName\":\"\",\"agentMitigationMode\":\"protect\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentRegisteredAt\":\"2022-04-06T08:26:45.515278Z\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x\",\"cloudProviders\":{},\"externalIp\":\"81.2.69.143\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\"},\"agentRealtimeInfo\":{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activeThreats\":7,\"agentComputerName\":\"test-LINUX\",\"agentDecommissionedAt\":null,\"agentDomain\":\"WORKGROUP\",\"agentId\":\"1234567890123456789\",\"agentInfected\":true,\"agentIsActive\":true,\"agentIsDecommissioned\":false,\"agentMachineType\":\"server\",\"agentMitigationMode\":\"detect\",\"agentNetworkStatus\":\"connected\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentOsType\":\"linux\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x.1234\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"networkInterfaces\":[{\"id\":\"1234567890123456789\",\"inet\":[\"10.0.0.1\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"DE:AD:00:00:BE:EF\"}],\"operationalState\":\"na\",\"rebootRequired\":false,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"storageName\":null,\"storageType\":null,\"userActionsNeeded\":[]},\"containerInfo\":{\"id\":null,\"image\":null,\"labels\":null,\"name\":null},\"id\":\"1234567890123456789\",\"indicators\":[],\"kubernetesInfo\":{\"cluster\":null,\"controllerKind\":null,\"controllerLabels\":null,\"controllerName\":null,\"namespace\":null,\"namespaceLabels\":null,\"node\":null,\"pod\":null,\"podLabels\":null},\"mitigationStatus\":[{\"action\":\"unquarantine\",\"actionsCounters\":{\"failed\":0,\"notFound\":0,\"pendingReboot\":0,\"success\":1,\"total\":1},\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:54:17.198002Z\",\"latestReport\":\"/threats/mitigation-report\",\"mitigationEndedAt\":\"2022-04-06T08:54:17.101000Z\",\"mitigationStartedAt\":\"2022-04-06T08:54:17.101000Z\",\"status\":\"success\"},{\"action\":\"kill\",\"actionsCounters\":null,\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:45:55.303355Z\",\"latestReport\":null,\"mitigationEndedAt\":\"2022-04-06T08:45:55.297364Z\",\"mitigationStartedAt\":\"2022-04-06T08:45:55.297363Z\",\"status\":\"success\"}],\"threatInfo\":{\"analystVerdict\":\"undefined\",\"analystVerdictDescription\":\"Undefined\",\"automaticallyResolved\":false,\"browserType\":null,\"certificateId\":\"\",\"classification\":\"Trojan\",\"classificationSource\":\"Cloud\",\"cloudFilesHashVerdict\":\"black\",\"collectionId\":\"1234567890123456789\",\"confidenceLevel\":\"malicious\",\"createdAt\":\"2022-04-06T08:45:54.519988Z\",\"detectionEngines\":[{\"key\":\"sentinelone_cloud\",\"title\":\"SentinelOne Cloud\"}],\"detectionType\":\"static\",\"engines\":[\"SentinelOne Cloud\"],\"externalTicketExists\":false,\"externalTicketId\":null,\"failedActions\":false,\"fileExtension\":\"EXE\",\"fileExtensionType\":\"Executable\",\"filePath\":\"default.exe\",\"fileSize\":1234,\"fileVerificationType\":\"NotSigned\",\"identifiedAt\":\"2022-04-06T08:45:53.968000Z\",\"incidentStatus\":\"unresolved\",\"incidentStatusDescription\":\"Unresolved\",\"initiatedBy\":\"agent_policy\",\"initiatedByDescription\":\"Agent Policy\",\"initiatingUserId\":null,\"initiatingUsername\":null,\"isFileless\":false,\"isValidCertificate\":false,\"maliciousProcessArguments\":null,\"md5\":null,\"mitigatedPreemptively\":false,\"mitigationStatus\":\"not_mitigated\",\"mitigationStatusDescription\":\"Not mitigated\",\"originatorProcess\":\"default.exe\",\"pendingActions\":false,\"processUser\":\"test user\",\"publisherName\":\"\",\"reachedEventsLimit\":false,\"rebootRequired\":false,\"sha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"sha256\":null,\"storyline\":\"D0XXXXXXXXXXAF4D\",\"threatId\":\"1234567890123456789\",\"threatName\":\"default.exe\",\"updatedAt\":\"2022-04-06T08:54:17.194122Z\"},\"whiteningOptions\":[\"hash\"]}",
"type": [
"info"
]
},
"host": {
"domain": "WORKGROUP",
"geo": {
"city_name": "London",
"continent_name": "Europe",
"country_iso_code": "GB",
"country_name": "United Kingdom",
"location": {
"lat": 51.5142,
"lon": -0.0931
},
"region_iso_code": "GB-ENG",
"region_name": "England"
},
"id": "1234567890123456789",
"ip": [
"81.2.69.143"
],
"mac": [
"DE-AD-00-00-BE-EF"
],
"name": "test-LINUX",
"os": {
"name": "linux",
"type": "linux"
}
},
"input": {
"type": "httpjson"
},
"observer": {
"version": "21.x.x.1234"
},
"process": {
"name": "default.exe"
},
"related": {
"hash": [
"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"
],
"hosts": [
"test-LINUX"
],
"ip": [
"10.0.0.1",
"2a02:cf40::",
"81.2.69.143",
"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
],
"user": [
"test user"
]
},
"sentinel_one": {
"threat": {
"agent": {
"account": {
"id": "1234567890123456789",
"name": "Default"
},
"active_threats": 7,
"group": {
"id": "1234567890123456789",
"name": "Default Group"
},
"id": "1234567890123456789",
"infected": true,
"is_active": true,
"is_decommissioned": false,
"machine_type": "server",
"mitigation_mode": "detect",
"network_interface": [
{
"id": "1234567890123456789",
"inet": [
"10.0.0.1"
],
"inet6": [
"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
],
"name": "Ethernet"
}
],
"network_status": "connected",
"operational_state": "na",
"os": {
"version": "1234"
},
"reboot_required": false,
"scan": {
"finished_at": "2022-04-06T09:18:21.090Z",
"started_at": "2022-04-06T08:26:52.838Z",
"status": "finished"
},
"site": {
"id": "1234567890123456789",
"name": "Default site"
},
"uuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx"
},
"analysis": {
"description": "Undefined",
"verdict": "undefined"
},
"automatically_resolved": false,
"classification": "Trojan",
"classification_source": "Cloud",
"cloudfiles_hash_verdict": "black",
"collection": {
"id": "1234567890123456789"
},
"confidence_level": "malicious",
"created_at": "2022-04-06T08:45:54.519Z",
"detection": {
"account": {
"id": "1234567890123456789",
"name": "Default"
},
"agent": {
"domain": "WORKGROUP",
"group": {
"id": "1234567890123456789",
"name": "Default Group"
},
"ipv4": "10.0.0.1",
"ipv6": "2a02:cf40::",
"mitigation_mode": "protect",
"os": {
"name": "linux",
"version": "1234"
},
"registered_at": "2022-04-06T08:26:45.515Z",
"site": {
"id": "1234567890123456789",
"name": "Default site"
},
"uuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx",
"version": "21.x.x"
},
"engines": [
{
"key": "sentinelone_cloud",
"title": "SentinelOne Cloud"
}
],
"type": "static"
},
"engines": [
"SentinelOne Cloud"
],
"external_ticket": {
"exist": false
},
"failed_actions": false,
"file": {
"extension": {
"type": "Executable"
},
"identified_at": "2022-04-06T08:45:53.968Z",
"verification_type": "NotSigned"
},
"id": "1234567890123456789",
"incident": {
"status": "unresolved",
"status_description": "Unresolved"
},
"initiated": {
"description": "Agent Policy",
"name": "agent_policy"
},
"is_fileless": false,
"is_valid_certificate": false,
"mitigated_preemptively": false,
"mitigation": {
"description": "Not mitigated",
"status": "not_mitigated"
},
"mitigation_status": [
{
"action": "unquarantine",
"action_counters": {
"failed": 0,
"not_found": 0,
"pending_reboot": 0,
"success": 1,
"total": 1
},
"agent_supports_report": true,
"group_not_found": false,
"last_update": "2022-04-06T08:54:17.198Z",
"latest_report": "/threats/mitigation-report",
"mitigation_ended_at": "2022-04-06T08:54:17.101Z",
"mitigation_started_at": "2022-04-06T08:54:17.101Z",
"status": "success"
},
{
"action": "kill",
"agent_supports_report": true,
"group_not_found": false,
"last_update": "2022-04-06T08:45:55.303Z",
"mitigation_ended_at": "2022-04-06T08:45:55.297Z",
"mitigation_started_at": "2022-04-06T08:45:55.297Z",
"status": "success"
}
],
"name": "default.exe",
"originator_process": "default.exe",
"pending_actions": false,
"process_user": "test user",
"reached_events_limit": false,
"reboot_required": false,
"storyline": "D0XXXXXXXXXXAF4D",
"threat_id": "1234567890123456789",
"whitening_option": [
"hash"
]
}
},
"tags": [
"preserve_original_event",
"forwarded",
"sentinel_one-threat"
],
"threat": {
"indicator": {
"file": {
"extension": "EXE",
"hash": {
"sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"
},
"path": "default.exe",
"size": 1234
}
}
}
}
Exported fields
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| cloud.image.id | Image ID for the cloud instance. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset. | constant_keyword |
| event.module | Event module. | constant_keyword |
| host.containerized | If the host is a container. | boolean |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| input.type | Input type | keyword |
| log.offset | Log offset | long |
| sentinel_one.threat.agent.account.id | Account id. | keyword |
| sentinel_one.threat.agent.account.name | Account name. | keyword |
| sentinel_one.threat.agent.active_threats | Active threats. | long |
| sentinel_one.threat.agent.decommissioned_at | Decommissioned at. | boolean |
| sentinel_one.threat.agent.group.id | Group id. | keyword |
| sentinel_one.threat.agent.group.name | Group name. | keyword |
| sentinel_one.threat.agent.id | Related agent (if applicable). | keyword |
| sentinel_one.threat.agent.infected | Agent infected. | boolean |
| sentinel_one.threat.agent.is_active | Is active. | boolean |
| sentinel_one.threat.agent.is_decommissioned | Is decommissioned. | boolean |
| sentinel_one.threat.agent.machine_type | Machine type. | keyword |
| sentinel_one.threat.agent.mitigation_mode | Agent mitigation mode policy. | keyword |
| sentinel_one.threat.agent.network_interface.id | Device's network interfaces id. | keyword |
| sentinel_one.threat.agent.network_interface.inet | Device's network interfaces IPv4 addresses. | keyword |
| sentinel_one.threat.agent.network_interface.inet6 | Device's network interfaces IPv6 addresses. | keyword |
| sentinel_one.threat.agent.network_interface.name | Device's network interfaces IPv4 Name. | keyword |
| sentinel_one.threat.agent.network_status | Network status. | keyword |
| sentinel_one.threat.agent.operational_state | Agent operational state. | keyword |
| sentinel_one.threat.agent.os.version | OS revision. | keyword |
| sentinel_one.threat.agent.reboot_required | A reboot is required on the endpoint for at least one acton on the threat. | boolean |
| sentinel_one.threat.agent.scan.aborted_at | Abort time of last scan (if applicable). | keyword |
| sentinel_one.threat.agent.scan.finished_at | Finish time of last scan (if applicable). | keyword |
| sentinel_one.threat.agent.scan.started_at | Start time of last scan. | keyword |
| sentinel_one.threat.agent.scan.status | Scan status. | keyword |
| sentinel_one.threat.agent.site.id | Site id. | keyword |
| sentinel_one.threat.agent.site.name | Site name. | keyword |
| sentinel_one.threat.agent.storage.name | Storage Name. | keyword |
| sentinel_one.threat.agent.storage.type | Storage Type. | keyword |
| sentinel_one.threat.agent.user_action_needed | A list of pending user actions. List items possible values: "none, reboot_needed, user_acton_needed, upgrade_needed, incompatible_os, unprotected, user_acton_needed_fda, user_acton_needed_rs_fda,user_acton_needed_network, rebootless_without_dynamic_detection, extended_exclusions_partially_accepted, user_action_needed_bluetooth_per". | keyword |
| sentinel_one.threat.agent.uuid | UUID. | keyword |
| sentinel_one.threat.analysis.description | Analyst verdict description. | keyword |
| sentinel_one.threat.analysis.verdict | Analyst verdict. | keyword |
| sentinel_one.threat.automatically_resolved | Automatically resolved. | boolean |
| sentinel_one.threat.browser_type | Browser type. | keyword |
| sentinel_one.threat.certificate.id | File Certificate ID. | keyword |
| sentinel_one.threat.classification | Classification of the threat. | keyword |
| sentinel_one.threat.classification_source | Source of the threat Classification. | keyword |
| sentinel_one.threat.cloudfiles_hash_verdict | Cloud files hash verdict. | keyword |
| sentinel_one.threat.collection.id | Collection id. | keyword |
| sentinel_one.threat.confidence_level | SentinelOne threat confidence level. | keyword |
| sentinel_one.threat.container.labels | Container labels. | keyword |
| sentinel_one.threat.created_at | Timestamp of date creation in the Management Console. | date |
| sentinel_one.threat.detection.account.id | Orig account id. | keyword |
| sentinel_one.threat.detection.account.name | Orig account name. | keyword |
| sentinel_one.threat.detection.agent.domain | Network domain. | keyword |
| sentinel_one.threat.detection.agent.group.id | Orig group id. | keyword |
| sentinel_one.threat.detection.agent.group.name | Orig group name. | keyword |
| sentinel_one.threat.detection.agent.ipv4 | Orig agent ipv4. | ip |
| sentinel_one.threat.detection.agent.ipv6 | Orig agent ipv6. | ip |
| sentinel_one.threat.detection.agent.last_logged_in.upn | UPN of last logged in user. | keyword |
| sentinel_one.threat.detection.agent.mitigation_mode | Agent mitigation mode policy. | keyword |
| sentinel_one.threat.detection.agent.os.name | Orig agent OS name. | keyword |
| sentinel_one.threat.detection.agent.os.version | Orig agent OS revision. | keyword |
| sentinel_one.threat.detection.agent.registered_at | Time of first registration to management console. | date |
| sentinel_one.threat.detection.agent.site.id | Orig site id. | keyword |
| sentinel_one.threat.detection.agent.site.name | Orig site name. | keyword |
| sentinel_one.threat.detection.agent.uuid | UUID of the agent. | keyword |
| sentinel_one.threat.detection.agent.version | Orig agent version. | keyword |
| sentinel_one.threat.detection.cloud_providers | Cloud providers for this agent. | flattened |
| sentinel_one.threat.detection.engines.key | List of engines that detected the threat key. | keyword |
| sentinel_one.threat.detection.engines.title | List of engines that detected the threat title. | keyword |
| sentinel_one.threat.detection.state | The Agent's detection state at time of detection. | keyword |
| sentinel_one.threat.detection.type | Detection type. | keyword |
| sentinel_one.threat.engines | List of engines that detected the threat. | keyword |
| sentinel_one.threat.external_ticket.exist | External ticket exists. | boolean |
| sentinel_one.threat.external_ticket.id | External ticket id. | keyword |
| sentinel_one.threat.failed_actions | At least one action failed on the threat. | boolean |
| sentinel_one.threat.file.extension.type | File extension type. | keyword |
| sentinel_one.threat.file.identified_at | Identified at. | keyword |
| sentinel_one.threat.file.verification_type | File verification type. | keyword |
| sentinel_one.threat.id | Threat id. | keyword |
| sentinel_one.threat.incident.status | Incident status. | keyword |
| sentinel_one.threat.incident.status_description | Incident status description. | keyword |
| sentinel_one.threat.indicators.category.id | Indicators Category Id. | long |
| sentinel_one.threat.indicators.category.name | Indicators Category Name. | keyword |
| sentinel_one.threat.indicators.description | Indicators Description. | keyword |
| sentinel_one.threat.initiated.description | Initiated by description. | keyword |
| sentinel_one.threat.initiated.name | Source of threat. | keyword |
| sentinel_one.threat.initiating_user.id | Initiating user id. | keyword |
| sentinel_one.threat.initiating_user.name | Initiating user username. | keyword |
| sentinel_one.threat.is_fileless | Is fileless. | boolean |
| sentinel_one.threat.is_valid_certificate | True if the certificate is valid. | boolean |
| sentinel_one.threat.kubernetes.cluster | Cluster. | keyword |
| sentinel_one.threat.kubernetes.controller.kind | Controller kind. | keyword |
| sentinel_one.threat.kubernetes.controller.labels | Controller labels. | keyword |
| sentinel_one.threat.kubernetes.controller.name | Controller name. | keyword |
| sentinel_one.threat.kubernetes.namespace.labels | Namespace labels. | keyword |
| sentinel_one.threat.kubernetes.namespace.name | Namespace name. | keyword |
| sentinel_one.threat.kubernetes.node | Node. | keyword |
| sentinel_one.threat.kubernetes.pod.labels | Pod labels. | keyword |
| sentinel_one.threat.kubernetes.pod.name | Pod name. | keyword |
| sentinel_one.threat.malicious_process_arguments | Malicious process arguments. | keyword |
| sentinel_one.threat.mitigated_preemptively | True is the threat was blocked before execution. | boolean |
| sentinel_one.threat.mitigation.description | Mitigation status description. | keyword |
| sentinel_one.threat.mitigation.status | Mitigation status. | keyword |
| sentinel_one.threat.mitigation_status.action | Action. | keyword |
| sentinel_one.threat.mitigation_status.action_counters.failed | Actions counters Failed. | long |
| sentinel_one.threat.mitigation_status.action_counters.not_found | Actions counters Not found. | long |
| sentinel_one.threat.mitigation_status.action_counters.pending_reboot | Actions counters Pending reboot. | long |
| sentinel_one.threat.mitigation_status.action_counters.success | Actions counters Success. | long |
| sentinel_one.threat.mitigation_status.action_counters.total | Actions counters Total. | long |
| sentinel_one.threat.mitigation_status.agent_supports_report | The Agent generates a full mitigation report. | boolean |
| sentinel_one.threat.mitigation_status.group_not_found | Agent could not find the threat. | boolean |
| sentinel_one.threat.mitigation_status.last_update | Timestamp of last mitigation status update. | keyword |
| sentinel_one.threat.mitigation_status.latest_report | Report download URL. If None, there is no report. | keyword |
| sentinel_one.threat.mitigation_status.mitigation_ended_at | The time the Agent finished the mitigation. | keyword |
| sentinel_one.threat.mitigation_status.mitigation_started_at | The time the Agent started the mitigation. | keyword |
| sentinel_one.threat.mitigation_status.report_id | Report identifier. | keyword |
| sentinel_one.threat.mitigation_status.status | Status. | keyword |
| sentinel_one.threat.name | Threat name. | keyword |
| sentinel_one.threat.originator_process | Originator process. | keyword |
| sentinel_one.threat.pending_actions | At least one action is pending on the threat. | boolean |
| sentinel_one.threat.process_user | Process user. | keyword |
| sentinel_one.threat.publisher.name | Certificate publisher. | keyword |
| sentinel_one.threat.reached_events_limit | Has number of OS events for this threat reached the limit, resulting in a partial attack storyline. | boolean |
| sentinel_one.threat.reboot_required | A reboot is required on the endpoint for at least one threat. | boolean |
| sentinel_one.threat.storyline | Storyline identifier from agent. | keyword |
| sentinel_one.threat.threat_id | Threat id. | keyword |
| sentinel_one.threat.whitening_option | Whitening options. | keyword |
Changelog
| Version | Details | Kibana version(s) |
|---|---|---|
| 1.30.0 | Enhancement (View pull request) Add agentless deployment. |
8.18.0 or higher 9.0.0 or higher |
| 1.29.1 | Bug fix (View pull request) Updated SSL description in package manifest.yml to be uniform and to include links to documentation. |
8.13.0 or higher 9.0.0 or higher |
| 1.29.0 | Enhancement (View pull request) Update Kibana constraint to support 9.0.0. |
8.13.0 or higher 9.0.0 or higher |
| 1.28.0 | Enhancement (View pull request) Handle comma-separated IP lists. Enhancement (View pull request) Improve error handling. |
8.13.0 or higher |
| 1.27.0 | Enhancement (View pull request) Do not remove event.original in main ingest pipeline. |
8.13.0 or higher |
| 1.26.0 | Enhancement (View pull request) Add "preserve_original_event" tag to documents with event.kind set to "pipeline_error". |
8.13.0 or higher |
| 1.25.1 | Bug fix (View pull request) Document limitation for using the alert data stream in on-premises environments. |
8.13.0 or higher |
| 1.25.0 | Enhancement (View pull request) Add agent.* to alerts data. |
8.13.0 or higher |
| 1.24.0 | Enhancement (View pull request) Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. |
8.13.0 or higher |
| 1.23.3 | Bug fix (View pull request) Fix sample event MAC address. |
8.12.0 or higher |
| 1.23.2 | Enhancement (View pull request) Change default interval to 30s for all data streams. |
8.12.0 or higher |
| 1.23.1 | Bug fix (View pull request) Fix sample event. |
8.12.0 or higher |
| 1.23.0 | Enhancement (View pull request) Make host.ip field conform to ECS field definition. |
8.12.0 or higher |
| 1.22.0 | Enhancement (View pull request) Add agent.id to all agent related data. |
8.12.0 or higher |
| 1.21.1 | Bug fix (View pull request) Fix Ingest Pipline Error in SentinelOne Package with k8s Elastic Agent. |
8.12.0 or higher |
| 1.21.0 | Enhancement (View pull request) Improve handling of empty responses. |
8.12.0 or higher |
| 1.20.0 | Enhancement (View pull request) Set sensitive values as secret and fix incorrect mappings. |
8.12.0 or higher |
| 1.19.2 | Enhancement (View pull request) Changed owners |
8.7.1 or higher |
| 1.19.1 | Enhancement (View pull request) Add information to README about support for response actions |
8.7.1 or higher |
| 1.19.0 | Enhancement (View pull request) Limit request tracer log count to five. |
8.7.1 or higher |
| 1.18.0 | Enhancement (View pull request) ECS version updated to 8.11.0. |
8.7.1 or higher |
| 1.17.0 | Enhancement (View pull request) Improve 'event.original' check to avoid errors if set. |
8.7.1 or higher |
| 1.16.1 | Bug fix (View pull request) Add support for a missing field. |
8.7.1 or higher |
| 1.16.0 | Enhancement (View pull request) Update the package format_version to 3.0.0. |
8.7.1 or higher |
| 1.15.0 | Bug fix (View pull request) Correct invalid ECS field usages at root-level. |
8.7.1 or higher |
| 1.14.0 | Enhancement (View pull request) ECS version updated to 8.10.0. |
8.7.1 or higher |
| 1.13.0 | Enhancement (View pull request) Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI. |
8.7.1 or higher |
| 1.12.0 | Enhancement (View pull request) Update package to ECS 8.9.0. |
8.7.1 or higher |
| 1.11.0 | Enhancement (View pull request) Convert dashboards to Lens. |
8.7.1 or higher |
| 1.10.0 | Enhancement (View pull request) Ensure event.kind is correctly set for pipeline errors. |
8.7.1 or higher |
| 1.9.0 | Enhancement (View pull request) Update package to ECS 8.8.0. |
8.7.1 or higher |
| 1.8.0 | Enhancement (View pull request) Update package-spec version to 2.7.0. |
8.7.1 or higher |
| 1.7.0 | Enhancement (View pull request) Add a new flag to enable request tracing |
8.7.1 or higher |
| 1.6.0 | Enhancement (View pull request) Update package to ECS 8.7.0. |
7.17.0 or higher 8.0.0 or higher |
| 1.5.2 | Enhancement (View pull request) Added categories and/or subcategories. |
7.17.0 or higher 8.0.0 or higher |
| 1.5.1 | Enhancement (View pull request) Set event.id from SentinelOne Threat ID |
7.17.0 or higher 8.0.0 or higher |
| 1.5.0 | Enhancement (View pull request) Update package to ECS 8.6.0. |
7.17.0 or higher 8.0.0 or higher |
| 1.4.0 | Enhancement (View pull request) Add an on_failure processor to the date processor and update the pagination termination condition. Bug fix (View pull request) Update newValue field type in Activity data stream. |
7.17.0 or higher 8.0.0 or higher |
| 1.3.0 | Enhancement (View pull request) Update package to ECS 8.5.0. |
7.17.0 or higher 8.0.0 or higher |
| 1.2.2 | Bug fix (View pull request) Ensure stability of related.hash array ordering. |
7.17.0 or higher 8.0.0 or higher |
| 1.2.1 | Bug fix (View pull request) Enrich the event.category, event.type, event.kind and event.outcome field based on activity. |
7.17.0 or higher 8.0.0 or higher |
| 1.2.0 | Enhancement (View pull request) Set event.kind to alert for Sentinel One Threats. |
7.17.0 or higher 8.0.0 or higher |
| 1.1.0 | Enhancement (View pull request) Update package to ECS 8.4.0 |
7.17.0 or higher 8.0.0 or higher |
| 1.0.0 | Enhancement (View pull request) Make GA |
7.17.0 or higher 8.0.0 or higher |
| 0.2.1 | Bug fix (View pull request) Fix proxy URL documentation rendering. |
— |
| 0.2.0 | Enhancement (View pull request) Update package to ECS 8.3.0. |
— |
| 0.1.0 | Enhancement (View pull request) Initial Release |
— |