SentinelOneActivities_CL




Ingestion API supported: Yes


Schema (23 columns)

Source: Connector definition

Column Name Type Description
AccountId string The unique identifier for the account.
AccountName string The name of the account associated with the event.
ActivityType real The SentinelOne activity type code. The source value is an integer, but the column is stored as real, so compare it against a numeric literal (or cast with toint()) rather than a string.
ActivityUuid string The UUID of the activity associated with the event.
AgentId string The unique identifier for the agent.
AgentUpdatedVersion string The version of the agent that was updated.
Comments string Any comments associated with the event.
CreatedAt datetime The timestamp (UTC) when the record was created.
Data string Activity metadata.
Description string The description of the event.
GroupId string The unique identifier for the group.
GroupName string The name of the group associated with the event.
Hash string The hash associated with the event.
Id string The unique identifier for the record.
OsFamily string The operating system family, such as macOS.
PrimaryDescription string The primary description of the event.
SecondaryDescription string The secondary description of the event.
SiteId string The unique identifier for the site.
SiteName string The name of the site associated with the event.
ThreatId string The unique identifier for the threat.
TimeGenerated datetime The timestamp (UTC) at which the event was generated.
UpdatedAt datetime The timestamp (UTC) when the record was last updated.
UserId string The unique identifier for the user.
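The schema above lists the columns but not how they are typically combined. The following KQL is an added example written for this page, not a query shipped with the SentinelOne solution. It uses only the column names in the table; the 7-day window, the 1-hour bucket and the threshold of five agents are assumed values, and the field names reached through parse_json(Data) are not documented here, so treat that projection as illustrative.

```kusto
// Added example (not from the SentinelOne solution): baseline query shape over SentinelOneActivities_CL.
// Column names are the table's own; the window, bucket and threshold are assumptions.
SentinelOneActivities_CL
| where TimeGenerated > ago(7d)
// The connector can re-ingest an activity after the source updates it; keep one row per Id.
| summarize arg_max(UpdatedAt, *) by Id
// Data is stored as a string; parse it once so nested fields can be projected as dynamic.
| extend DataJson = parse_json(Data)
// ActivityType is real, so bucket on the numeric value rather than a string representation.
| extend ActivityCode = toint(ActivityType)
| project TimeGenerated, CreatedAt, ActivityCode, PrimaryDescription, SecondaryDescription,
          AgentId, SiteName, GroupName, UserId, AccountName, ThreatId, Hash, DataJson
// Hunting view: for each (activity code, acting user) per hour, how many distinct agents were touched.
// The same shape underlies "one action across many hosts" rules such as mass agent uninstalls.
| summarize Events = count(),
            Agents = dcount(AgentId),
            Sites = make_set(SiteName, 20),
            FirstSeen = min(CreatedAt),
            LastSeen = max(CreatedAt),
            Sample = any(PrimaryDescription)
          by ActivityCode, UserId, Hour = bin(CreatedAt, 1h)
| where Agents >= 5   // assumed threshold; tune per environment
| order by Agents desc, Hour desc
```

Two points to keep in mind when adapting this: dedupe on Id before counting, otherwise an activity that was updated at the source inflates Events, and key on CreatedAt rather than TimeGenerated for time-windowing, since TimeGenerated reflects when the row reached the workspace, not when SentinelOne recorded the activity.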

Solutions (1)

This table is used by the following solutions:

SentinelOne

Connectors (2)

This table is ingested by the following connectors:

Connector
[DEPRECATED] SentinelOne (using Azure Function)
SentinelOne (via Codeless Connector Framework)

Content Items Using This Table (22)

Analytic Rules (11)

In solution SentinelOne:

Analytic Rule
Sentinel One - Admin login from new location
Sentinel One - Agent uninstalled from multiple hosts
Sentinel One - Alert from custom rule
Sentinel One - Blacklist hash deleted
Sentinel One - Exclusion added
Sentinel One - Multiple alerts on host
Sentinel One - New admin created
Sentinel One - Rule deleted
Sentinel One - Rule disabled
Sentinel One - Same custom rule triggered on different hosts
Sentinel One - User viewed agent's passphrase

Hunting Queries (10)

In solution SentinelOne:

Hunting Query
Sentinel One - Agent not updated
Sentinel One - Agent status
Sentinel One - Alert triggers (files, processes, strings)
Sentinel One - Deleted rules
Sentinel One - Hosts not scanned recently
Sentinel One - New rules
Sentinel One - Scanned hosts
Sentinel One - Sources by alert count
Sentinel One - Uninstalled agents
Sentinel One - Users by alert count

Workbooks (1)

In solution SentinelOne:

Workbook
SentinelOne

Parsers Using This Table (1)

Other Parsers (1)

Parser Solution
SentinelOne SentinelOne

