@@ -0,0 +1,14 @@
---
description: Benchmark 100000 sentinel_one.threat_event events ingested
data_stream:
name: threat_event
corpora:
generator:
total_events: 100000
template:
type: gotext
path: ./threatevent-benchmark/template.ndjson
config:
path: ./threatevent-benchmark/config.yml
fields:
path: ./threatevent-benchmark/fields.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,192 @@
fields:
- name: activeContentFileId
cardinality: 1000
- name: activeContentHash
cardinality: 1000
- name: activeContentPath
cardinality: 1000
- name: agentDomain
cardinality: 1000
- name: agentGroupId
cardinality: 1000
- name: agentId
cardinality: 1000
- name: agentIp
cardinality: 1000
- name: agentMachineType
cardinality: 1000
- name: agentName
cardinality: 1000
- name: agentNetworkStatus
cardinality: 1000
- name: agentOs
enum:
- linux
- windows
- macos
- unix
- android
- ios
- name: agentUuid
cardinality: 1000
- name: agentVersion
cardinality: 1000
- name: connectionStatus
cardinality: 1000
- name: direction
cardinality: 1000
- name: dnsRequest
cardinality: 1000
- name: dnsResponse
cardinality: 1000
- name: dstIp
cardinality: 1000
- name: dstPort
range:
min: 0
max: 65535
- name: eventType
cardinality: 1000
- name: fileFullName
cardinality: 1000
- name: fileId
cardinality: 1000
- name: fileMd5
cardinality: 1000
- name: fileSha1
cardinality: 1000
- name: fileSha256
cardinality: 1000
- name: fileSize
range:
min: 1
max: 1000
cardinality: 100
- name: fileType
cardinality: 1000
- name: hasActiveContent
- name: id
range:
min: 100000000000000000
max: 999999999999999999
cardinality: 100000
- name: indicatorCategory
cardinality: 1000
- name: indicatorDescription
cardinality: 1000
- name: indicatorMetadata
cardinality: 1000
- name: indicatorName
cardinality: 1000
- name: loginsBaseType
cardinality: 1000
- name: loginsUserName
cardinality: 1000
- name: md5
cardinality: 1000
- name: networkMethod
cardinality: 1000
- name: networkSource
cardinality: 1000
- name: networkUrl
cardinality: 1000
- name: objectType
cardinality: 1000
- name: oldFileMd5
cardinality: 1000
- name: oldFileName
cardinality: 1000
- name: oldFileSha1
cardinality: 1000
- name: oldFileSha256
cardinality: 1000
- name: parentPid
range:
min: 0
max: 10000
- name: parentProcessGroupId
cardinality: 1000
- name: parentProcessName
cardinality: 1000
- name: parentProcessUniqueKey
cardinality: 1000
- name: pid
range:
min: 0
max: 10000
- name: processCmd
cardinality: 1000
- name: processDisplayName
cardinality: 1000
- name: processGroupId
cardinality: 1000
- name: processImagePath
cardinality: 1000
- name: processImageSha1Hash
cardinality: 1000
- name: processIntegrityLevel
cardinality: 1000
- name: processIsMalicious
- name: processIsRedirectedCommandProcessor
cardinality: 1000
- name: processIsWow64
cardinality: 1000
- name: processName
cardinality: 1000
- name: processRoot
cardinality: 1000
- name: processSessionId
cardinality: 1000
- name: processSubSystem
cardinality: 1000
- name: processUniqueKey
cardinality: 1000
- name: processUserName
cardinality: 1000
- name: protocol
cardinality: 1000
- name: publisher
cardinality: 1000
- name: registryClassification
cardinality: 1000
- name: registryId
cardinality: 1000
- name: registryPath
cardinality: 1000
- name: relatedToThreat
- name: rpid
cardinality: 1000
- name: sha1
cardinality: 1000
- name: sha256
cardinality: 1000
- name: signatureSignedInvalidReason
cardinality: 1000
- name: signedStatus
cardinality: 1000
- name: siteId
cardinality: 1000
- name: siteName
cardinality: 1000
- name: srcIp
cardinality: 1000
- name: srcPort
range:
min: 0
max: 65535
- name: storyline
cardinality: 1000
- name: taskName
cardinality: 1000
- name: taskPath
cardinality: 1000
- name: threatStatus
cardinality: 1000
- name: tid
cardinality: 1000
- name: trueContext
cardinality: 1000
- name: user
cardinality: 1000
- name: verifiedStatus
cardinality: 1000
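Review bot: Fields that are presumably small closed sets in real threat-event data, such as `eventType`, `direction`, `protocol`, `connectionStatus`, `signedStatus`, `verifiedStatus` and `threatStatus`, are given `cardinality: 1000` here, so the generated corpus can carry up to a thousand arbitrary values where production data likely has a handful. `agentOs` already uses an `enum:` list; doing the same for these fields would let the benchmark exercise whatever branches the ingest pipeline takes on them and give more representative index cardinality. Separately, `id` has a numeric `range:` but is declared `type: keyword` in the field-type section of this change, so it is worth confirming that the generator honours a range on a keyword field. A one-line comment above the bare entries `hasActiveContent`, `processIsMalicious` and `relatedToThreat`, for example `# boolean fields: left at generator defaults`, would show that the missing settings are intentional.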
@@ -0,0 +1,186 @@
- name: activeContentFileId
type: keyword
- name: activeContentHash
type: keyword
- name: activeContentPath
type: keyword
- name: agentDomain
type: keyword
- name: agentGroupId
type: keyword
- name: agentId
type: keyword
- name: agentInfected
type: boolean
- name: agentIp
type: ip
- name: agentIsActive
type: boolean
- name: agentIsDecommissioned
type: boolean
- name: agentMachineType
type: keyword
- name: agentName
type: keyword
- name: agentNetworkStatus
type: keyword
- name: agentOs
type: keyword
- name: agentUuid
type: keyword
- name: agentVersion
type: keyword
- name: connectionStatus
type: keyword
- name: createdAt
type: date
- name: direction
type: keyword
- name: dnsRequest
type: keyword
- name: dnsResponse
type: keyword
- name: dstIp
type: ip
- name: dstPort
type: long
- name: eventType
type: keyword
- name: fileFullName
type: keyword
- name: fileId
type: keyword
- name: fileMd5
type: keyword
- name: fileSha1
type: keyword
- name: fileSha256
type: keyword
- name: fileSize
type: long
- name: fileType
type: keyword
- name: hasActiveContent
type: boolean
- name: id
type: keyword
- name: indicatorCategory
type: keyword
- name: indicatorDescription
type: keyword
- name: indicatorMetadata
type: keyword
- name: indicatorName
type: keyword
- name: loginsBaseType
type: keyword
- name: loginsUserName
type: keyword
- name: md5
type: keyword
- name: networkMethod
type: keyword
- name: networkSource
type: keyword
- name: networkUrl
type: keyword
- name: objectType
type: keyword
- name: oldFileMd5
type: keyword
- name: oldFileName
type: keyword
- name: oldFileSha1
type: keyword
- name: oldFileSha256
type: keyword
- name: parentPid
type: long
- name: parentProcessGroupId
type: keyword
- name: parentProcessIsMalicious
type: boolean
- name: parentProcessName
type: keyword
- name: parentProcessUniqueKey
type: keyword
- name: pid
type: long
- name: processCmd
type: keyword
- name: processDisplayName
type: keyword
- name: processGroupId
type: keyword
- name: processImagePath
type: keyword
- name: processImageSha1Hash
type: keyword
- name: processIntegrityLevel
type: keyword
- name: processIsMalicious
type: boolean
- name: processIsRedirectedCommandProcessor
type: keyword
- name: processIsWow64
type: keyword
- name: processName
type: keyword
- name: processRoot
type: keyword
- name: processSessionId
type: keyword
- name: processStartTime
type: date
- name: processSubSystem
type: keyword
- name: processUniqueKey
type: keyword
- name: processUserName
type: keyword
- name: protocol
type: keyword
- name: publisher
type: keyword
- name: registryClassification
type: keyword
- name: registryId
type: keyword
- name: registryPath
type: keyword
- name: relatedToThreat
type: boolean
- name: rpid
type: keyword
- name: sha1
type: keyword
- name: sha256
type: keyword
- name: signatureSignedInvalidReason
type: keyword
- name: signedStatus
type: keyword
- name: siteId
type: keyword
- name: siteName
type: keyword
- name: srcIp
type: ip
- name: srcPort
type: long
- name: storyline
type: keyword
- name: taskName
type: keyword
- name: taskPath
type: keyword
- name: threatStatus
type: keyword
- name: tid
type: keyword
- name: trueContext
type: keyword
- name: user
type: keyword
- name: verifiedStatus
type: keyword
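Review bot: `processIsRedirectedCommandProcessor` and `processIsWow64` are typed `keyword`, while the sibling flags `processIsMalicious`, `parentProcessIsMalicious`, `hasActiveContent` and `relatedToThreat` are `boolean`. If the source emits true/false for them, the generator will presumably fill them with arbitrary strings (the generator config in this change also gives both `cardinality: 1000`), and any boolean handling in the pipeline may then be measured on input it never sees in production. If they are booleans, use `type: boolean` here; if they are string-encoded flags, constrain them with an `enum` of the literal values in the generator config. The file would also benefit from a header comment such as `# Field types consumed by the corpus generator for the threat_event benchmark`, since it appears to be generator input rather than the data stream's index mapping.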