SentinelOne

Attribute Value
Publisher Microsoft Corporation
Support Tier Microsoft
Support Link https://support.microsoft.com
Categories domains
Version 3.0.9
Author Microsoft - support@microsoft.com
First Published 2024-11-26
Last Updated 2026-04-17
Solution Folder SentinelOne
Marketplace Azure Marketplace · Rating: ★★★★★ 5.0/5 (1 rating) · Popularity: 🟢 High (87%)

The SentinelOne solution brings SentinelOne activity, agent, alert, group and threat events into your Microsoft Sentinel workspace so you can investigate potential security risks, diagnose configuration problems and more.

Underlying Microsoft Technologies used:

This solution takes a dependency on the following technologies. Some of these dependencies may be in Preview, and some may result in additional ingestion or operational costs:

a. Azure Monitor HTTP Data Collector API

b. Azure Functions (used by the deprecated SentinelOne (using Azure Function) connector)

Contents

Data Connectors

This solution provides 2 data connector(s):

SentinelOne (via Codeless Connector Framework)

🔶 [DEPRECATED] SentinelOne (using Azure Function)

🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes, which are also permitted in CLv2, so this classification may not always be accurate.

Tables Used

This solution uses 6 table(s):

Table Used By Connectors Used By Content
SentinelOneActivities_CL SentinelOne (via Codeless Connector Framework), [DEPRECATED] SentinelOne (using Azure Function) Analytics, Hunting, Workbooks
SentinelOneAgents_CL SentinelOne (via Codeless Connector Framework), [DEPRECATED] SentinelOne (using Azure Function) Analytics, Hunting, Workbooks
SentinelOneAlerts_CL SentinelOne (via Codeless Connector Framework), [DEPRECATED] SentinelOne (using Azure Function) Analytics, Hunting, Workbooks
SentinelOneGroups_CL SentinelOne (via Codeless Connector Framework), [DEPRECATED] SentinelOne (using Azure Function) Analytics, Hunting, Workbooks
SentinelOneThreats_CL SentinelOne (via Codeless Connector Framework), [DEPRECATED] SentinelOne (using Azure Function) Analytics, Hunting, Workbooks
SentinelOne_CL 🔶 [DEPRECATED] SentinelOne (using Azure Function) Analytics, Hunting, Workbooks

🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.
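A check a practitioner will want after the 3.0.9 deprecation of the Azure Function connector: confirm that the five Codeless Connector Framework tables are receiving events and that the legacy SentinelOne_CL table has gone quiet. The query below is an added example written for this page, not part of the solution or its content. It assumes only the six table names listed above and the standard Log Analytics TimeGenerated column; the seven-day lookback is an arbitrary choice.

```kql
// Added example, not solution content. Per-table ingestion summary to verify
// the migration from the deprecated Azure Function connector (SentinelOne_CL)
// to the Codeless Connector Framework tables.
let lookback = 7d;   // assumption: adjust to your expected event cadence
union withsource=SourceTable isfuzzy=true
    SentinelOneActivities_CL,
    SentinelOneAgents_CL,
    SentinelOneAlerts_CL,
    SentinelOneGroups_CL,
    SentinelOneThreats_CL,
    SentinelOne_CL
| where TimeGenerated > ago(lookback)
| summarize
    Rows       = count(),
    FirstEvent = min(TimeGenerated),
    LastEvent  = max(TimeGenerated)
    by SourceTable
// SentinelOne_CL is the only table fed solely by the deprecated connector
| extend Connector = iff(SourceTable == "SentinelOne_CL",
                         "[DEPRECATED] SentinelOne (using Azure Function)",
                         "SentinelOne (via Codeless Connector Framework)")
// Hours since the last event per table: a growing value on a CCF table means
// the new connector is not delivering; a growing value on SentinelOne_CL is expected
| extend StaleHours = datetime_diff("hour", now(), LastEvent)
| project Connector, SourceTable, Rows, FirstEvent, LastEvent, StaleHours
| order by Connector asc, SourceTable asc
```

isfuzzy=true keeps the union from failing in a workspace where one of the tables was never created (for example, where the Function App connector was never installed, so SentinelOne_CL does not exist). A CCF table that is absent from the result received nothing in the lookback window. To see the type-suffixed columns that mark SentinelOne_CL as CLv1, run SentinelOne_CL | getschema and look for ColumnName values ending in _s, _d, _b, _t or _g.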

Content Items

This solution includes 23 content item(s):

Content Type Count
Analytic Rules 11
Hunting Queries 10
Workbooks 1
Parsers 1

Analytic Rules

Tables Used (all rules below): SentinelOneActivities_CL, SentinelOneAgents_CL, SentinelOneAlerts_CL, SentinelOneGroups_CL, SentinelOneThreats_CL, SentinelOne_CL

Name Severity Tactics
Sentinel One - Admin login from new location High InitialAccess, PrivilegeEscalation
Sentinel One - Agent uninstalled from multiple hosts High DefenseEvasion
Sentinel One - Alert from custom rule High InitialAccess
Sentinel One - Blacklist hash deleted Medium DefenseEvasion
Sentinel One - Exclusion added Medium DefenseEvasion
Sentinel One - Multiple alerts on host High InitialAccess
Sentinel One - New admin created Medium PrivilegeEscalation
Sentinel One - Rule deleted Medium DefenseEvasion
Sentinel One - Rule disabled Medium DefenseEvasion
Sentinel One - Same custom rule triggered on different hosts High InitialAccess, LateralMovement
Sentinel One - User viewed agent's passphrase Medium CredentialAccess

Hunting Queries

Tables Used (all queries below): SentinelOneActivities_CL, SentinelOneAgents_CL, SentinelOneAlerts_CL, SentinelOneGroups_CL, SentinelOneThreats_CL, SentinelOne_CL

Name Tactics
Sentinel One - Agent not updated DefenseEvasion
Sentinel One - Agent status DefenseEvasion
Sentinel One - Alert triggers (files, processes, strings) InitialAccess
Sentinel One - Deleted rules DefenseEvasion
Sentinel One - Hosts not scanned recently DefenseEvasion
Sentinel One - New rules DefenseEvasion
Sentinel One - Scanned hosts DefenseEvasion
Sentinel One - Sources by alert count InitialAccess
Sentinel One - Uninstalled agents DefenseEvasion
Sentinel One - Users by alert count InitialAccess

Workbooks

Name Tables Used
SentinelOne SentinelOneActivities_CL, SentinelOneAgents_CL, SentinelOneAlerts_CL, SentinelOneGroups_CL, SentinelOneThreats_CL, SentinelOne_CL

Parsers

Name Description Tables Used
SentinelOne - SentinelOne_CL (read)

Release Notes

Version Date Modified (DD-MM-YYYY) Change History
3.0.9 14-04-2026 Deprecate SentinelOne (using Azure Function)
3.0.8 24-03-2026 Rename CCF solution to SentinelOne (via Codeless Connector Framework)
3.0.7 09-01-2026 Updated broken URL and bumped the SentinelOne solution version
3.0.6 10-02-2025 Advancing CCP Data Connector from Public preview to Global Availability.
3.0.5 20-01-2025 Updated "Sentinel One - Agent uninstalled from multiple hosts" Analytic Rule with ActivityType
3.0.4 15-01-2025 Added older Function app Data Connector again to Solution until final deprecation of Function app happens
3.0.3 12-12-2024 Added new CCP Data Connector and Updated Parser
3.0.2 11-09-2024 Updated the python runtime version to 3.11 in Data Connector Function App
3.0.1 03-05-2024 Repackaged for Parser issue fix
3.0.0 28-07-2023 Bug fixes in API version.
