5 changes: 5 additions & 0 deletions packages/sentinel_one/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.43.0"
changes:
- description: Enhance ECS mappings and unify field structures across all data streams.
type: enhancement
link: https://github.com/elastic/integrations/pull/15931
- version: "1.42.0"
changes:
- description: Improved input section layout by updating titles to include data stream names.
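Review bot: `type: enhancement` does not match the direction taken in the review thread on the activity pipeline, where the reviewers agree to drop the old `sentinel_one.activity.*` and `sentinel_one.agent.*` duplicates and update the dashboards; if that is what ships, this entry needs `type: breaking-change` and a description naming the fields that move, so that users with saved searches or visualisations on the old names are warned. The description also says nothing about the cursor `ignore_empty_value: true` additions in the httpjson configs; if those really belong to the other, now-merged PR, confirm they fall out of the diff after rebasing, otherwise list them here.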
@@ -9,6 +9,7 @@ inputs:
- config_version: 2
cursor:
last_create_at:
ignore_empty_value: true
value: '[[.last_event.createdAt]]'
data_stream:
dataset: sentinel_one.activity
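Review bot: `ignore_empty_value: true` on the `last_create_at` cursor is the right guard: when `[[.last_event.createdAt]]` evaluates to empty the cursor keeps its previous value instead of being overwritten, which would otherwise restart pagination from scratch on the next run. The same change appears in both the activity and agent httpjson configs, yet the author states it comes from a separately merged PR; after syncing with the base branch, check that these hunks no longer appear in the diff, and if they do, they belong in the changelog entry.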
@@ -9,6 +9,7 @@ inputs:
- config_version: 2
cursor:
last_create_at:
ignore_empty_value: true
value: '[[.last_event.createdAt]]'
data_stream:
dataset: sentinel_one.activity
@@ -42,6 +42,7 @@ response.pagination:
cursor:
last_create_at:
value: '[[.last_event.createdAt]]'
ignore_empty_value: true
Contributor


Can you add this to changelog and commit message?

Collaborator Author


It was added here to avoid CI failures since the related PR hadn’t been merged yet. As that PR has been merged today, this change will disappear once I sync the latest updates.

response.split:
target: body.data
ignore_empty_value: true
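Review bot: the key order differs between configs: here `ignore_empty_value: true` follows `value`, while the input config hunks above put it first; settle on one order if this hunk survives the rebase. Per the author's reply it should disappear once the already-merged PR is pulled in, so the changelog request in this thread resolves itself only if that sync happens before merge.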
@@ -140,10 +140,18 @@ processors:
field: json.groupId
target_field: user.group.id
ignore_missing: true
- set:
field: group.id
copy_from: user.group.id
ignore_empty_value: true
- rename:
field: json.groupName
target_field: user.group.name
ignore_missing: true
- set:
field: group.name
copy_from: user.group.name
ignore_empty_value: true
- rename:
field: json.accountId
target_field: sentinel_one.activity.account.id
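Review bot: the `ignore_empty_value: true` on each added `set` is doing real work here and should stay: `copy_from` of a field that the preceding `rename` skipped (the `json.*` source was absent, `ignore_missing: true`) would otherwise fail the document, whereas with the flag the processor exits quietly. Also confirm that `group.id` and `group.name`, which this hunk now writes alongside `user.group.*`, are declared in the data stream's ECS field definitions (not part of this diff); elastic-package pipeline tests report any field that is set but undeclared.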
@@ -156,6 +164,10 @@ processors:
field: json.accountName
target_field: sentinel_one.activity.account.name
ignore_missing: true
- set:
field: sentinel_one.account.name
copy_from: sentinel_one.activity.account.name
ignore_empty_value: true
- rename:
field: json.agentId
target_field: sentinel_one.activity.agent.id
@@ -193,14 +205,26 @@ processors:
field: json.id
target_field: sentinel_one.activity.id
ignore_missing: true
- set:
field: event.id
copy_from: sentinel_one.activity.id
ignore_empty_value: true
- rename:
field: json.siteId
target_field: sentinel_one.activity.site.id
ignore_missing: true
- set:
field: sentinel_one.site.id
copy_from: sentinel_one.activity.site.id
ignore_empty_value: true
- rename:
field: json.siteName
target_field: sentinel_one.activity.site.name
ignore_missing: true
- set:
field: sentinel_one.site.name
copy_from: sentinel_one.activity.site.name
ignore_empty_value: true
- rename:
field: json.threatId
target_field: sentinel_one.activity.threat.id
@@ -481,10 +505,18 @@ processors:
field: json.data.threatClassification
target_field: sentinel_one.activity.data.threat.classification.name
ignore_missing: true
- set:
field: sentinel_one.threat_classification.name
copy_from: sentinel_one.activity.data.threat.classification.name
ignore_empty_value: true
- rename:
field: json.data.threatClassificationSource
target_field: sentinel_one.activity.data.threat.classification.source
ignore_missing: true
- set:
field: sentinel_one.threat_classification.source
copy_from: sentinel_one.activity.data.threat.classification.source
ignore_empty_value: true
Contributor

@kcreddy kcreddy Nov 12, 2025

I don't like that we are copying the same value into 2 different fields with this change:
sentinel_one.activity.data.threat.classification.source and sentinel_one.threat_classification.source
Same with: sentinel_one.activity.site.name, and sentinel_one.site.name and several others.
Is this to avoid breaking-change?

It is mentioned here that this is worthy to be considered as a breaking-change, with updates to dashboards. @cpascale43 can you confirm if it's still the case?

If it's going to be a breaking-change, then we should ideally remove the previous fields sentinel_one.activity.data.threat.classification.source, sentinel_one.activity.site.name, etc. unless preserve_duplicate_custom_fields is true.

I checked the pre-built detection rules for sentinel_one and there is no effect there if it's a breaking-change.

Collaborator Author


Yes, only a few fields are currently being copied into the sentinel_one.* namespace. We decided to keep the existing fields to avoid introducing breaking changes that could impact existing users.

I’ll wait for @cpascale43's suggestion on this. If we can treat it as a breaking change, we can proceed with removing the old fields and updating the dashboards if needed.

Thanks @mohitjha-elastic @kcreddy. I think since the prebuilt rules are not affected, we can remove the old fields and update the dashboards.

- rename:
field: json.data.globalStatus
target_field: sentinel_one.activity.data.global.status
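Review bot: since the thread concludes this can be a breaking change, the `set`/`copy_from` pairs introduced across this pipeline should become direct `rename` targets (`json.data.threatClassificationSource` to `sentinel_one.threat_classification.source`, `json.siteName` to `sentinel_one.site.name`, and the rest), with the old `sentinel_one.activity.*` names kept only behind the `preserve_duplicate_custom_fields` tag that the reviewer mentions (a trailing `remove` processor conditioned on that tag), so that users who depend on the old paths keep an opt-in. The old names then also need to go from the existing activity field definitions and from any dashboard visualisations that reference them. As submitted, each of these values is indexed twice in every document.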
@@ -0,0 +1,22 @@
- name: sentinel_one
type: group
fields:
- name: account
type: group
fields:
- name: name
type: keyword
- name: site
type: group
fields:
- name: id
type: keyword
- name: name
type: keyword
- name: threat_classification
type: group
fields:
- name: name
type: keyword
- name: source
type: keyword
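Review bot: this file declares only the new `sentinel_one.account`, `sentinel_one.site` and `sentinel_one.threat_classification` groups; the ECS fields the same pipeline now sets (`event.id`, `group.id`, `group.name`, and `host.architecture` on the agent stream) must be present in each data stream's `ecs.yml`, which is not part of this diff, or elastic-package's pipeline tests will flag them as undefined. If the old `sentinel_one.activity.*` duplicates are removed as discussed, drop their definitions from the existing activity field definitions in the same PR so mapping and pipeline stay in step.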
24 changes: 14 additions & 10 deletions packages/sentinel_one/data_stream/activity/sample_event.json
@@ -1,33 +1,34 @@
{
"@timestamp": "2022-04-19T05:14:08.925Z",
"agent": {
"ephemeral_id": "10175f71-9c3d-43ea-9326-e2c1fbfed4fa",
"id": "9b7ecf1c-5873-4d71-b82a-5ef8d4ac574e",
"name": "elastic-agent-48880",
"ephemeral_id": "e221e3f4-db8f-4c12-b101-6e950d362424",
"id": "3ed62b3f-4aa4-4865-8f06-3f89c9856903",
"name": "elastic-agent-15508",
"type": "filebeat",
"version": "8.18.7"
"version": "8.19.7"
},
"data_stream": {
"dataset": "sentinel_one.activity",
"namespace": "26410",
"namespace": "68291",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "9b7ecf1c-5873-4d71-b82a-5ef8d4ac574e",
"snapshot": false,
"version": "8.18.7"
"id": "3ed62b3f-4aa4-4865-8f06-3f89c9856903",
"snapshot": true,
"version": "8.19.7"
},
"event": {
"agent_id_status": "verified",
"category": [
"configuration"
],
"created": "2025-09-22T11:35:05.641Z",
"created": "2025-11-11T10:38:27.181Z",
"dataset": "sentinel_one.activity",
"ingested": "2025-09-22T11:35:08Z",
"id": "1234567890123456789",
"ingested": "2025-11-11T10:38:30Z",
"kind": "event",
"original": "{\"accountId\":\"3214567890123456789\",\"accountName\":\"Default12\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":\"True\",\"createdAt\":\"2022-04-19T05:14:08.925421Z\",\"data\":{\"accountName\":\"Default\",\"byUser\":\"API\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"test/default\",\"groupName\":null,\"newValue\":true,\"role\":\"Level\",\"scopeLevel\":\"Account\",\"scopeName\":\"Default\",\"siteName\":null,\"userScope\":\"account\",\"username\":\"API\"},\"description\":\"API\",\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"The management user API enabled Two factor authentication on the user API.\",\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":null,\"updatedAt\":\"2022-04-18T05:14:08.922553Z\",\"userId\":\"1234567890123456789\"}",
"type": [
@@ -44,6 +45,9 @@
]
},
"sentinel_one": {
"account": {
"name": "Default12"
},
"activity": {
"account": {
"id": "3214567890123456789",
@@ -9,6 +9,7 @@
"category": [
"host"
],
"id": "13491234512345",
"kind": "event",
"original": "{\"accountId\":\"12345123451234512345\",\"accountName\":\"Account Name\",\"activeDirectory\":{\"computerDistinguishedName\":null,\"computerMemberOf\":[],\"lastUserDistinguishedName\":null,\"lastUserMemberOf\":[]},\"activeThreats\":7,\"agentVersion\":\"12.x.x.x\",\"allowRemoteShell\":true,\"appsVulnerabilityStatus\":\"not_applicable\",\"cloudProviders\":{},\"computerName\":\"user-test\",\"consoleMigrationStatus\":\"N/A\",\"coreCount\":2,\"missingPermissions\":[\"user-action-needed-bluetooth-per\",\"user_action_needed_fda\"],\"cpuCount\":2,\"cpuId\":\"CPU Name\",\"createdAt\":\"2022-03-18T09:12:00.519500Z\",\"detectionState\":null,\"domain\":\"WORKGROUP\",\"encryptedApplications\":false,\"externalId\":\"\",\"externalIp\":\"81.2.69.143\",\"firewallEnabled\":true,\"firstFullModeTime\":null,\"groupId\":\"1234567890123456789\",\"groupIp\":\"81.2.69.144\",\"groupName\":\"Default Group\",\"id\":\"13491234512345\",\"inRemoteShellSession\":false,\"infected\":true,\"installerType\":\".msi\",\"isActive\":true,\"isDecommissioned\":false,\"isPendingUninstall\":false,\"isUninstalled\":false,\"isUpToDate\":true,\"lastActiveDate\":\"2022-03-17T09:51:28.506000Z\",\"lastIpToMgmt\":\"81.2.69.145\",\"lastLoggedInUserName\":\"\",\"licenseKey\":\"\",\"locationEnabled\":true,\"locationType\":\"not_applicable\",\"locations\":null,\"machineType\":\"server\",\"mitigationMode\":\"detect\",\"mitigationModeSuspicious\":\"detect\",\"modelName\":\"Compute Engine\",\"networkInterfaces\":[{\"gatewayIp\":\"81.2.69.145\",\"gatewayMacAddress\":\"00-00-5E-00-53-00\",\"id\":\"1234567890123456789\",\"inet\":[\"81.2.69.144\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"00-00-5E-00-53-00\"}],\"networkQuarantineEnabled\":false,\"networkStatus\":\"connected\",\"operationalState\":\"na\",\"operationalStateExpiration\":null,\"osArch\":\"64 bit\",\"osName\":\"Linux 
Server\",\"osRevision\":\"1234\",\"osStartTime\":\"2022-04-06T08:27:14Z\",\"osType\":\"linux\",\"osUsername\":null,\"rangerStatus\":\"Enabled\",\"rangerVersion\":\"21.x.x.x\",\"registeredAt\":\"2022-04-06T08:26:45.515278Z\",\"remoteProfilingState\":\"disabled\",\"remoteProfilingStateExpiration\":null,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"storageName\":null,\"storageType\":null,\"tags\":{\"sentinelone\":[{\"assignedBy\":\"test-user\",\"assignedAt\":\"2018-02-27T04:49:26.257525Z\",\"key\":\"key123\",\"assignedById\":\"123456789012345678\",\"id\":\"123456789012345678\",\"value\":\"value123\"}]},\"threatRebootRequired\":false,\"totalMemory\":1234,\"updatedAt\":\"2022-04-07T08:31:47.481227Z\",\"userActionsNeeded\":[\"reboot_needed\"],\"uuid\":\"XXX35XXX8Xfb4aX0X1X8X12X343X8X30\"}",
"type": [
@@ -20,6 +21,7 @@
"name": "Default Group"
},
"host": {
"architecture": "64 bit",
"domain": "WORKGROUP",
"geo": {
"city_name": "London",
@@ -63,6 +65,9 @@
]
},
"sentinel_one": {
"account": {
"name": "Account Name"
},
"agent": {
"account": {
"id": "12345123451234512345",
@@ -166,6 +171,10 @@
"reboot_needed"
],
"uuid": "XXX35XXX8Xfb4aX0X1X8X12X343X8X30"
},
"site": {
"id": "1234567890123456789",
"name": "Default site"
}
},
"tags": [
@@ -9,6 +9,7 @@ inputs:
- config_version: 2
cursor:
last_update_at:
ignore_empty_value: true
value: '[[.last_event.updatedAt]]'
data_stream:
dataset: sentinel_one.agent
@@ -9,6 +9,7 @@ inputs:
- config_version: 2
cursor:
last_update_at:
ignore_empty_value: true
value: '[[.last_event.updatedAt]]'
data_stream:
dataset: sentinel_one.agent
@@ -42,6 +42,7 @@ response.pagination:
cursor:
last_update_at:
value: '[[.last_event.updatedAt]]'
ignore_empty_value: true
response.split:
target: body.data
ignore_empty_value: true
@@ -50,6 +50,10 @@ processors:
field: json.accountName
target_field: sentinel_one.agent.account.name
ignore_missing: true
- set:
field: sentinel_one.account.name
copy_from: sentinel_one.agent.account.name
ignore_empty_value: true
- rename:
field: json.activeDirectory.computerDistinguishedName
target_field: sentinel_one.agent.active_directory.computer.name
@@ -272,6 +276,10 @@ processors:
field: json.id
target_field: sentinel_one.agent.agent.id
ignore_missing: true
- set:
field: event.id
copy_from: sentinel_one.agent.agent.id
ignore_empty_value: true
- set:
field: host.id
copy_from: sentinel_one.agent.agent.id
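Review bot: `event.id` here is copied from `sentinel_one.agent.agent.id`, the agent's own identifier, not a per-event one: every poll of the same agent produces documents with the same `event.id`, so it cannot distinguish successive state snapshots or deduplicate, and it duplicates `host.id`, which the following `set` already fills from the same source. Either leave `event.id` unset for this stream or derive it from a fingerprint that also covers `updatedAt`; the activity stream's `event.id`, copied from the per-activity `id`, is fine.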
@@ -611,6 +619,10 @@ processors:
field: json.osArch
target_field: sentinel_one.agent.os.arch
ignore_missing: true
- set:
field: host.architecture
copy_from: sentinel_one.agent.os.arch
ignore_empty_value: true
- rename:
field: json.osName
target_field: host.os.name
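Review bot: `host.architecture` is filled from `osArch`, which in the package's test data is `"64 bit"`, a word size rather than an architecture name; ECS consumers expect values such as `x86_64` or `aarch64`, and a `64 bit` value will not match anything other integrations produce. Keep the raw value in `sentinel_one.agent.os.arch` and set `host.architecture` only when the source carries a real architecture string, rather than mapping it unconditionally.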
@@ -736,10 +748,18 @@ processors:
field: json.siteId
target_field: sentinel_one.agent.site.id
ignore_missing: true
- set:
field: sentinel_one.site.id
copy_from: sentinel_one.agent.site.id
ignore_empty_value: true
- rename:
field: json.siteName
target_field: sentinel_one.agent.site.name
ignore_missing: true
- set:
field: sentinel_one.site.name
copy_from: sentinel_one.agent.site.name
ignore_empty_value: true
- rename:
field: json.storageName
target_field: sentinel_one.agent.storage.name
@@ -0,0 +1,15 @@
- name: sentinel_one
type: group
fields:
- name: account
type: group
fields:
- name: name
type: keyword
- name: site
type: group
fields:
- name: id
type: keyword
- name: name
type: keyword
29 changes: 19 additions & 10 deletions packages/sentinel_one/data_stream/agent/sample_event.json
@@ -1,33 +1,34 @@
{
"@timestamp": "2022-04-07T08:31:47.481Z",
"agent": {
"ephemeral_id": "e30ba73f-f169-4f6a-868b-79481d37c732",
"id": "e8901d6d-1c15-41f6-acf8-046dbbd754ce",
"name": "elastic-agent-22310",
"ephemeral_id": "8ede3676-50f4-4125-8a8e-d75daef6cd2c",
"id": "566a386d-cce5-401d-a55a-1f618760f004",
"name": "elastic-agent-23551",
"type": "filebeat",
"version": "8.18.7"
"version": "8.19.7"
},
"data_stream": {
"dataset": "sentinel_one.agent",
"namespace": "13010",
"namespace": "54654",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "e8901d6d-1c15-41f6-acf8-046dbbd754ce",
"snapshot": false,
"version": "8.18.7"
"id": "566a386d-cce5-401d-a55a-1f618760f004",
"snapshot": true,
"version": "8.19.7"
},
"event": {
"agent_id_status": "verified",
"category": [
"host"
],
"created": "2025-09-22T11:35:56.007Z",
"created": "2025-11-11T10:31:58.670Z",
"dataset": "sentinel_one.agent",
"ingested": "2025-09-22T11:35:59Z",
"id": "13491234512345",
"ingested": "2025-11-11T10:32:01Z",
"kind": "event",
"original": "{\"accountId\":\"892341123451234512345\",\"accountName\":\"ABC\",\"activeDirectory\":{\"computerDistinguishedName\":null,\"computerMemberOf\":[],\"lastUserDistinguishedName\":null,\"lastUserMemberOf\":[]},\"activeThreats\":7,\"agentVersion\":\"12.x.x.x\",\"allowRemoteShell\":true,\"appsVulnerabilityStatus\":\"not_applicable\",\"cloudProviders\":{},\"computerName\":\"user-test\",\"consoleMigrationStatus\":\"N/A\",\"coreCount\":2,\"cpuCount\":2,\"cpuId\":\"CPU Name\",\"createdAt\":\"2022-03-18T09:12:00.519500Z\",\"detectionState\":null,\"domain\":\"WORKGROUP\",\"encryptedApplications\":false,\"externalId\":\"\",\"externalIp\":\"81.2.69.143\",\"firewallEnabled\":true,\"firstFullModeTime\":null,\"groupId\":\"1234567890123456789\",\"groupIp\":\"81.2.69.144\",\"groupName\":\"Default Group\",\"id\":\"13491234512345\",\"inRemoteShellSession\":false,\"infected\":true,\"installerType\":\".msi\",\"isActive\":true,\"isDecommissioned\":false,\"isPendingUninstall\":false,\"isUninstalled\":false,\"isUpToDate\":true,\"lastActiveDate\":\"2022-03-17T09:51:28.506000Z\",\"lastIpToMgmt\":\"81.2.69.145\",\"lastLoggedInUserName\":\"\",\"licenseKey\":\"\",\"locationEnabled\":true,\"locationType\":\"not_applicable\",\"locations\":null,\"machineType\":\"server\",\"missingPermissions\":[\"user-action-needed-bluetooth-per\",\"user_action_needed_fda\"],\"mitigationMode\":\"detect\",\"mitigationModeSuspicious\":\"detect\",\"modelName\":\"Compute Engine\",\"networkInterfaces\":[{\"gatewayIp\":\"81.2.69.145\",\"gatewayMacAddress\":\"00-00-5E-00-53-00\",\"id\":\"1234567890123456789\",\"inet\":[\"81.2.69.144\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"00-00-5E-00-53-00\"}],\"networkQuarantineEnabled\":false,\"networkStatus\":\"connected\",\"operationalState\":\"na\",\"operationalStateExpiration\":null,\"osArch\":\"64 bit\",\"osName\":\"Linux 
Server\",\"osRevision\":\"1234\",\"osStartTime\":\"2022-04-06T08:27:14Z\",\"osType\":\"linux\",\"osUsername\":null,\"rangerStatus\":\"Enabled\",\"rangerVersion\":\"21.x.x.x\",\"registeredAt\":\"2022-04-06T08:26:45.515278Z\",\"remoteProfilingState\":\"disabled\",\"remoteProfilingStateExpiration\":null,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"storageName\":null,\"storageType\":null,\"tags\":{\"sentinelone\":[{\"assignedAt\":\"2018-02-27T04:49:26.257525Z\",\"assignedBy\":\"test-user\",\"assignedById\":\"123456789012345678\",\"id\":\"123456789012345678\",\"key\":\"key123\",\"value\":\"value123\"}]},\"threatRebootRequired\":false,\"totalMemory\":1234,\"updatedAt\":\"2022-04-07T08:31:47.481227Z\",\"userActionsNeeded\":[\"reboot_needed\"],\"uuid\":\"XXX35XXX8Xfb4aX0X1X8X12X343X8X30\"}",
"type": [
@@ -39,6 +40,7 @@
"name": "Default Group"
},
"host": {
"architecture": "64 bit",
"domain": "WORKGROUP",
"geo": {
"city_name": "London",
@@ -85,6 +87,9 @@
]
},
"sentinel_one": {
"account": {
"name": "ABC"
},
"agent": {
"account": {
"id": "892341123451234512345",
@@ -188,6 +193,10 @@
"reboot_needed"
],
"uuid": "XXX35XXX8Xfb4aX0X1X8X12X343X8X30"
},
"site": {
"id": "1234567890123456789",
"name": "Default site"
}
},
"tags": [