Conversation

@mohitjha-elastic
Collaborator

Proposed commit message

sentinel_one: Enhance ECS mappings and unify fields across all data streams.

Refined and expanded ECS field mappings to ensure consistency across all data streams. 
Aligned field names and structures with the latest ECS standards to improve interoperability, 
data quality, and search normalization in Elastic SIEM.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Clone integrations repo.
  • Install elastic package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/sentinel_one directory.
  • Run the following command to run tests.

elastic-package test -v

Related Issue

@mohitjha-elastic mohitjha-elastic self-assigned this Nov 11, 2025
@mohitjha-elastic mohitjha-elastic requested a review from a team as a code owner November 11, 2025 11:02
@mohitjha-elastic mohitjha-elastic added enhancement New feature or request Integration:sentinel_one SentinelOne Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Nov 11, 2025
@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

cc @mohitjha-elastic

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Nov 11, 2025
@kcreddy kcreddy self-requested a review November 12, 2025 05:27
Contributor

@kcreddy kcreddy left a comment


@cpascale43 can you confirm if this requires dashboard changes as well?

Comment on lines 512 to +519
- rename:
field: json.data.threatClassificationSource
target_field: sentinel_one.activity.data.threat.classification.source
ignore_missing: true
- set:
field: sentinel_one.threat_classification.source
copy_from: sentinel_one.activity.data.threat.classification.source
ignore_empty_value: true
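Review bot: the `set` on `field: sentinel_one.threat_classification.source` unconditionally writes the value that the preceding `rename` just placed in `sentinel_one.activity.data.threat.classification.source`, so every document carries the same value twice under `sentinel_one.*`. If the old field is kept only for backward compatibility, gate one of the two writes on the package's `preserve_duplicate_custom_fields` option (an `if:` condition on the processor, the pattern other integrations use for duplicate fields) and list the duplicated field pairs in the changelog so users know which name to query. The `ignore_empty_value: true` is right as written: it makes the copy a no-op when the rename was skipped via `ignore_missing`.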
Contributor

@kcreddy kcreddy Nov 12, 2025


I don't like that we are copying the same value into 2 different fields with this change:
sentinel_one.activity.data.threat.classification.source and sentinel_one.threat_classification.source
Same with: sentinel_one.activity.site.name and sentinel_one.site.name, and several others.
Is this to avoid a breaking change?

It is mentioned here that this is worth considering as a breaking change, with updates to dashboards. @cpascale43 can you confirm if it's still the case?

If it's going to be a breaking change, then we should ideally remove the previous fields sentinel_one.activity.data.threat.classification.source, sentinel_one.activity.site.name, etc. unless preserve_duplicate_custom_fields is true.

I checked the pre-built detection rules for sentinel_one and there is no effect there if it's a breaking change.

Collaborator Author


Yes, only a few fields are currently being copied into the sentinel_one.* namespace. We decided to keep the existing fields to avoid introducing breaking changes that could impact existing users.

I’ll wait for @cpascale43's suggestion on this. If we can treat it as a breaking change, we can proceed with removing the old fields and updating the dashboards if needed.
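The field duplication discussed in this thread, and the `preserve_duplicate_custom_fields` gate suggested for it, can be checked without a running stack. The block below is an added example, not code from this PR or from the sentinel_one package: a small Python simulator of the two ingest processors in the hunk above (`rename` with `ignore_missing`, `set` with `copy_from` and `ignore_empty_value`), run over constructed SentinelOne-like documents, plus a `duplicate_values` helper that lists `sentinel_one.*` paths holding the same value. The `keep_duplicates` predicate is an assumption standing in for the Painless `if:` condition a real pipeline would carry, and the sample events are constructed, not real SentinelOne output.

```python
"""Simulate the rename + set/copy_from processors from the PR hunk and report
duplicated sentinel_one.* values, with and without a tag gate.
Added example; not part of the PR or the sentinel_one package."""
from __future__ import annotations

import copy
from typing import Any, Callable


def _walk(doc: dict, path: str) -> tuple[dict | None, str, bool]:
    """Resolve a dotted path; return (parent_dict, last_key, found)."""
    parts = path.split(".")
    cur: Any = doc
    for part in parts[:-1]:
        if not isinstance(cur, dict) or part not in cur:
            return None, parts[-1], False
        cur = cur[part]
    if not isinstance(cur, dict):
        return None, parts[-1], False
    return cur, parts[-1], parts[-1] in cur


def get_field(doc: dict, path: str) -> tuple[bool, Any]:
    parent, key, found = _walk(doc, path)
    return (True, parent[key]) if found else (False, None)


def set_field(doc: dict, path: str, value: Any) -> None:
    parts = path.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def remove_field(doc: dict, path: str) -> None:
    parent, key, found = _walk(doc, path)
    if found:
        del parent[key]


def run_pipeline(doc: dict, processors: list[dict]) -> dict:
    """Apply only the processor subset the hunk uses: `rename` (ignore_missing)
    and `set` with copy_from (ignore_empty_value). An optional `if` key holds a
    Python predicate standing in for a Painless condition."""
    doc = copy.deepcopy(doc)
    for proc in processors:
        (kind, opts), = proc.items()
        cond: Callable[[dict], bool] | None = opts.get("if")
        if cond is not None and not cond(doc):
            continue
        if kind == "rename":
            found, value = get_field(doc, opts["field"])
            if not found:
                if opts.get("ignore_missing"):
                    continue
                raise KeyError(f"rename: field [{opts['field']}] not present")
            remove_field(doc, opts["field"])
            set_field(doc, opts["target_field"], value)
        elif kind == "set":
            found, value = get_field(doc, opts["copy_from"])
            if not found or value in (None, ""):
                if opts.get("ignore_empty_value"):
                    continue
                raise KeyError(f"set: field [{opts['copy_from']}] is empty")
            set_field(doc, opts["field"], value)
        else:
            raise ValueError(f"unsupported processor: {kind}")
    return doc


def flatten(doc: dict, prefix: str = "") -> dict[str, Any]:
    out: dict[str, Any] = {}
    for key, value in doc.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, path + "."))
        else:
            out[path] = value
    return out


def duplicate_values(doc: dict, namespace: str = "sentinel_one.") -> list[tuple[str, str]]:
    """Sorted pairs of leaf paths under `namespace` that hold the same value."""
    leaves = [(p, v) for p, v in flatten(doc).items() if p.startswith(namespace)]
    pairs: list[tuple[str, str]] = []
    for i, (path_a, val_a) in enumerate(leaves):
        for path_b, val_b in leaves[i + 1:]:
            if val_a == val_b:
                pairs.append(tuple(sorted((path_a, path_b))))
    return sorted(pairs)


def keep_duplicates(doc: dict) -> bool:
    # Assumption: Python stand-in for a Painless condition such as
    #   ctx.tags != null && ctx.tags.contains('preserve_duplicate_custom_fields')
    return "preserve_duplicate_custom_fields" in (doc.get("tags") or [])


# The two processors as they appear in the hunk.
RENAME = {"rename": {"field": "json.data.threatClassificationSource",
                     "target_field": "sentinel_one.activity.data.threat.classification.source",
                     "ignore_missing": True}}
COPY = {"set": {"field": "sentinel_one.threat_classification.source",
                "copy_from": "sentinel_one.activity.data.threat.classification.source",
                "ignore_empty_value": True}}
PIPELINE_AS_PROPOSED = [RENAME, COPY]
# Same pipeline with the duplicate-producing copy gated on the tag.
PIPELINE_GATED = [RENAME, {"set": {**COPY["set"], "if": keep_duplicates}}]

# Constructed sample events, not real SentinelOne output.
SAMPLE_WITH_SOURCE = {"json": {"data": {"threatClassificationSource": "Cloud"}}}
SAMPLE_WITHOUT_SOURCE = {"json": {"data": {}}}
SAMPLE_TAGGED = {"tags": ["preserve_duplicate_custom_fields"],
                 "json": {"data": {"threatClassificationSource": "Static"}}}

if __name__ == "__main__":
    samples = [("with_source", SAMPLE_WITH_SOURCE),
               ("without_source", SAMPLE_WITHOUT_SOURCE),
               ("tagged", SAMPLE_TAGGED)]
    for name, sample in samples:
        for label, pipeline in (("proposed", PIPELINE_AS_PROPOSED), ("gated", PIPELINE_GATED)):
            print(f"{name:15s} {label:9s} duplicates={duplicate_values(run_pipeline(sample, pipeline))}")
```

Running it shows the proposed pipeline producing one duplicate pair for every event that carries the source field, while the gated variant only duplicates for events tagged to keep duplicates; the untagged case ends up with the ECS-aligned `sentinel_one.activity.*` field alone.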

cursor:
last_create_at:
value: '[[.last_event.createdAt]]'
ignore_empty_value: true
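Review bot: with `ignore_empty_value: true`, `last_create_at` keeps its previous value whenever the last event of a page has no `createdAt`, so the next request resumes from the older cursor and re-fetches; that is the safe choice for a cursor, but if this block exists only to keep CI green until the related PR lands it should be removed before merge rather than shipped, and if it is meant to stay it is a behavioural change that belongs in the changelog and the commit message.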
Contributor


Can you add this to the changelog and commit message?

Collaborator Author


It was added here to avoid CI failures since the related PR hadn’t been merged yet. As that PR has been merged today, this change will disappear once I sync the latest updates.

Comment on lines +4 to +8
- name: account
type: group
fields:
- name: name
type: keyword
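Review bot: the new `account` group declares `name` as `keyword` without a `description`, so the generated field reference will list it with no explanation of what it holds; add a short description. Also confirm against the API reference whether `site.id`/`site.name` are genuinely absent from this data stream or merely unmapped: a field the pipeline produces but this file does not declare fails the package's field validation in `elastic-package test`, so the pipeline and this mapping need to be updated together.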
Contributor


Can you confirm if site.id and site.name are not available in all data streams as per the API reference, or if we just ignored adding them to the pipeline and hence ignored them here as well?

Collaborator Author


We had ignored this since it’s not present in the pipeline nor in the test samples. I’ll review the API documentation again to verify whether these fields exist in the data streams and will update both the pipeline and this if needed.
