Conversation

@mohitjha-elastic
Collaborator

Proposed commit message

sentinel_one: Add support for threat event data stream.

Added support for ingesting data through the SentinelOne Threat Event data stream, 
enabling the collection and parsing of threat-related events for accurate ingestion
and processing of security insights.

Tested on the live samples collected through the SentinelOne API.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Clone integrations repo.
  • Install elastic-package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/sentinel_one directory.
  • Run the following command to run tests.

elastic-package test -v

Related Issue

@mohitjha-elastic mohitjha-elastic self-assigned this Oct 27, 2025
@mohitjha-elastic mohitjha-elastic requested a review from a team as a code owner October 27, 2025 20:30
@mohitjha-elastic mohitjha-elastic added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request dashboard Relates to a Kibana dashboard bug, enhancement, or modification. Integration:sentinel_one SentinelOne Category: Integration quality Category: Quality used for SI planning Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Oct 27, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@mohitjha-elastic
Collaborator Author

Will update the Kibana version once the ILM Policy Index Deletion PR is merged.

Comment on lines 110 to 112
"want_more": state.?fetch_more.orValue(false) ?
state.fetch_more
:
Contributor

Suggested change
"want_more": state.?fetch_more.orValue(false) ?
state.fetch_more
:
"want_more": state.?fetch_more.orValue(false) ?
state.fetch_more
:
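Review bot: the suggested replacement shows the same three lines as the quoted original (`"want_more": state.?fetch_more.orValue(false) ?`, `state.fetch_more`, `:`), so the actual edit is not visible; if it is a whitespace or indentation change, say so in the comment, since a reader cannot otherwise connect it to the policy test failures it is said to fix. Separately, once `state.?fetch_more.orValue(false)` evaluates true the true branch returns `state.fetch_more`, which is that same value, so the guard and the branch duplicate each other; whether the ternary can be collapsed to the guard alone depends on the else branch, which is cut off here.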

will fix the policy test failures.

Collaborator Author

Thanks!

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@mohitjha-elastic mohitjha-elastic requested a review from efd6 October 28, 2025 12:53
Contributor

@efd6 efd6 left a comment

LGTM after query

@mohitjha-elastic
Collaborator Author

Updated the Kibana version as the ILM Policy Index Deletion PR has been merged. Will merge this PR after the public release.

@elasticmachine

elasticmachine commented Nov 4, 2025

💔 Build Failed


cc @mohitjha-elastic

Development

Successfully merging this pull request may close these issues.

Sentinel One: Update documentation per new template
