id: e1cb35b3-ee01-4c8f-a361-0850d0554ab6
Function:
Title: Parser for SentinelOne
Version: '1.0.1'
LastUpdated: '2024-11-25'
Category: Microsoft Sentinel Parser
FunctionName: SentinelOne
FunctionAlias: SentinelOne
FunctionQuery: |
// Sentinel parser function for SentinelOne. It normalizes two generations of
// ingestion into one column schema: the legacy SentinelOne_CL table (suffixed
// columns such as accountId_s, activityType_d) and the newer per-entity tables
// (SentinelOneActivities_CL, SentinelOneAgents_CL, SentinelOneAlerts_CL,
// SentinelOneGroups_CL, SentinelOneThreats_CL).
let SentinelOne_view = view () {
// Empty datatable carrying the normalized output column names/types.
// NOTE(review): it is declared but not referenced by either union below —
// confirm whether it was meant to be unioned in as a schema guard; as written,
// the V2-style columns only exist when the real V2 tables do.
let SentinelOneV2_Empty = datatable(
AccountId:string,
AccountName:string,
ActivityType:real ,
EventCreationTime:datetime,
DataAccountName:string,
DataFullScopeDetails:string,
DataScopeLevel:string,
DataScopeName:string,
DataSiteId:int,
SecondaryDescription:string ,
DataSiteName:string,
SourceProcessInfo:string,
SrcUserName:string,
EventId:string,
EventOriginalMessage:string,
SiteId:string,
SiteName:string,
UpdatedAt:datetime ,
UserIdentity:string,
EventType:string,
DataByUser:string,
DataRole:string,
DataUserScope:string,
EventTypeDetailed:string,
DataSource:string,
DataExpiryDateStr:string,
DataExpiryTime:int,
DataNetworkquarantine:bool,
DataRuleCreationTime:int,
DataRuleDescription:string,
DataRuleExpirationMode:string,
DataRuleId:int,
DataRuleName:string,
DataRuleQueryDetails:string,
DataRuleQueryType:string,
DataRuleSeverity:string,
DataScopeId:int,
DataStatus:string,
DataSystemUser:int,
DataTreatasthreat:string,
DataUserId:int,
RuleInfo:string,
DataUserName:string,
EventSubStatus:string,
AgentId:string,
DataComputerName:string,
DataExternalIp:string,
DataGroupName:string,
DataSystem:bool,
DataUuid:string,
GroupId:string,
GroupName:string,
DataGroup:string,
UserId:string ,
DataOptionalGroups:string,
DataCreatedAt:string,
DataDownloadUrl:string,
DataFilePath:string,
DataFilename:string,
DataUploadedFilename:string,
Comments:string,
DataNewValue:string,
DataPolicyId:string,
DataPolicyName:string,
DataNewValueb:string,
DataShouldReboot:bool,
DataRoleName:string,
DataScopeLevelName:string,
ActiveDirectoryComputerDistinguishedName:string,
ActiveDirectoryComputerMemberOf:string,
ActiveDirectoryLastUserDistinguishedName:string,
ActiveDirectoryLastUserMemberOf:string,
ActiveThreats:int,
AgentVersion:string,
AllowRemoteShell:bool,
AppsVulnerabilityStatus:string,
ComputerName:string,
ConsoleMigrationStatus:string,
CoreCount:int,
CpuCount:int,
CpuId:string,
SrcDvcDomain:string,
EncryptedApplications:bool,
ExternalId:string,
ExternalIp:string,
FirewallEnabled:bool,
GroupIp:string,
InRemoteShellSession:bool,
Infected:bool,
InstallerType:string,
IsActive:bool,
IsDecommissioned:bool,
IsPendingUninstall:bool,
IsUninstalled:bool,
IsUpToDate:bool,
LastActiveDate:string,
TargetProcessInfo:string ,
LastIpToMgmt:string,
LastLoggedInUserName:string,
LicenseKey:string,
LocationEnabled:bool,
LocationType:string,
Locations:string,
MachineType:string,
MitigationMode:string,
MitigationModeSuspicious:string,
SrcDvcModelName:string,
NetworkInterfaces:string,
NetworkQuarantineEnabled:bool,
NetworkStatus:string,
OperationalState:string,
OsArch:string,
SrcDvcOs:string,
OsRevision:string,
OsStartTime:datetime ,
OsType:string,
RangerStatus:string,
RangerVersion:string,
RegisteredAt:string,
RemoteProfilingState:string,
ScanFinishedAt:string,
ScanStartedAt:string,
ScanStatus:string,
ThreatRebootRequired:bool,
TotalMemory:int,
SourceParentProcessInfo:string ,
UserActionsNeeded:string,
Uuid:string,
Creator:string,
ContainerInfo:string,
CreatorId:string,
Inherits:string ,
IsDefault:string ,
Name:string,
RegistrationToken:string,
AlertInfo:string,
PrimaryDescription:string ,
TotalAgents:real ,
CreatedAt:datetime ,
Id:string,
Type:string
)[];
// Empty datatable mirroring the legacy SentinelOne_CL column names. Unioning it
// with the real table pins the column set and types the renames below rely on,
// even when SentinelOne_CL is absent or only partially populated.
let SentinelOneV1_Empty = datatable (
accountId_s:string,
accountName_s:string,
activityType_d:real,
createdAt_t:datetime ,
data_accountName_s:string,
data_fullScopeDetails_s:string,
data_scopeLevel_s:string,
data_scopeName_s:string,
data_siteId_d:int,
data_siteName_s:string,
data_username_s:string,
id_s:string,
primaryDescription_s:string,
siteId_s:string,
siteName_s:string,
updatedAt_t:datetime ,
userId_s:string,
event_name_s:string,
data_byUser_s:string,
data_role_s:string,
data_userScope_s:string,
description_s:string,
data_source_s:string,
data_expiryDateStr_s:string,
data_expiryTime_d:int,
data_networkquarantine_b:bool,
data_ruleCreationTime_d:int,
data_ruleDescription_s:string,
data_ruleExpirationMode_s:string,
data_ruleId_d:int,
data_ruleName_s:string,
data_ruleQueryDetails_s:string,
data_ruleQueryType_s:string,
data_ruleSeverity_s:string,
data_scopeId_d:int,
data_status_s:string,
data_systemUser_d:int,
data_treatasthreat_s:string,
data_userId_d:int,
data_userName_s:string,
secondaryDescription_s:string,
agentId_s:string,
data_computerName_s:string,
data_externalIp_s:string,
data_groupName_s:string,
data_system_b:bool,
data_uuid_g:string,
groupId_s:string,
groupName_s:string,
data_group_s:string,
data_optionalGroups_s:string,
data_createdAt_t:string,
data_downloadUrl_s:string,
data_filePath_s:string,
data_filename_s:string,
data_uploadedFilename_s:string,
comments_s:string,
data_newValue_s:string,
data_policy_id_s:string,
data_policyName_s:string,
data_newValue_b:bool,
data_shouldReboot_b:bool,
data_roleName_s:string,
data_scopeLevelName_s:string,
activeDirectory_computerDistinguishedName_s:string,
activeDirectory_computerMemberOf_s:string,
activeDirectory_lastUserDistinguishedName_s:string,
activeDirectory_lastUserMemberOf_s:string,
activeThreats_d:real,
agentVersion_s:string,
allowRemoteShell_b:bool,
appsVulnerabilityStatus_s:string,
computerName_s:string,
consoleMigrationStatus_s:string,
coreCount_d:real,
cpuCount_d:real ,
cpuId_s:string,
domain_s:string,
encryptedApplications_b:bool,
externalId_s:string,
externalIp_s:string,
firewallEnabled_b:bool,
groupIp_s:string,
inRemoteShellSession_b:bool,
infected_b:bool,
installerType_s:string,
isActive_b:bool,
isDecommissioned_b:bool,
isPendingUninstall_b:bool,
isUninstalled_b:bool,
isUpToDate_b:bool,
lastActiveDate_t:string,
lastIpToMgmt_s:string,
lastLoggedInUserName_s:string,
licenseKey_s:string,
locationEnabled_b:bool,
locationType_s:string,
locations_s:string,
machineType_s:string,
mitigationMode_s:string,
mitigationModeSuspicious_s:string,
modelName_s:string,
networkInterfaces_s:string,
networkQuarantineEnabled_b:bool,
networkStatus_s:string,
operationalState_s:string,
osArch_s:string,
osName_s:string,
osRevision_s:string,
osStartTime_t:datetime ,
osType_s:string,
rangerStatus_s:string,
rangerVersion_s:string,
registeredAt_t:string,
remoteProfilingState_s:string,
scanFinishedAt_t:string,
scanStartedAt_t:string,
scanStatus_s:string,
threatRebootRequired_b:bool,
totalMemory_d:real ,
userActionsNeeded_s:string,
uuid_g:string,
creator_s:string,
creatorId_s:string,
inherits_b:string ,
isDefault_b:string ,
name_s:string,
registrationToken_s:string,
totalAgents_d:real ,
AlertInfo:string,
type_s:string
)[];
// Legacy rows renamed to the normalized column names. isfuzzy=true keeps the
// function compiling when SentinelOne_CL does not exist; that branch then just
// contributes no rows. A missing or renamed source table therefore never
// surfaces as a query error — detections built on this parser go quiet
// silently, so monitor ingestion volume separately.
let SentinelOneV1Empty_Union= union isfuzzy=true SentinelOne_CL,SentinelOneV1_Empty
| extend
EventVendor="SentinelOne",
EventProduct="SentinelOne",
AccountId=column_ifexists('accountId_s', ''),
AccountName=column_ifexists('accountName_s', ''),
ActivityType=toreal(column_ifexists('activityType_d', '')),
// NOTE(review): the fallback here is the literal string 'CreatedAt', not the
// CreatedAt column; todatetime() of it yields null. Every other mapping (and
// CreatedAt further down) falls back to '' — confirm the intent.
EventCreationTime=todatetime(column_ifexists('createdAt_t', 'CreatedAt')),
DataAccountName=column_ifexists('data_accountName_s', ''),
DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''),
DataScopeLevel=column_ifexists('data_scopeLevel_s', ''),
DataScopeName=column_ifexists('data_scopeName_s', ''),
DataSiteId=column_ifexists('data_siteId_d', ''),
DataSiteName=column_ifexists('data_siteName_s', ''),
SrcUserName=column_ifexists('data_username_s', ''),
EventId=column_ifexists('id_s', ''),
EventOriginalMessage=column_ifexists('primaryDescription_s', ''),
PrimaryDescription=column_ifexists('primaryDescription_s', ''),
SiteId=column_ifexists('siteId_s', ''),
SiteName=column_ifexists('siteName_s', ''),
UpdatedAt=column_ifexists('updatedAt_t', ''),
UserIdentity=column_ifexists('userId_s', ''),
UserId=column_ifexists('userId_s', ''),
EventType=column_ifexists('event_name_s', ''),
DataByUser=column_ifexists('data_byUser_s', ''),
DataRole=column_ifexists('data_role_s', ''),
DataUserScope=column_ifexists('data_userScope_s', ''),
EventTypeDetailed=column_ifexists('description_s', ''),
DataSource=column_ifexists('data_source_s', ''),
DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''),
DataExpiryTime=column_ifexists('data_expiryTime_d', ''),
DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''),
DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''),
DataRuleDescription=column_ifexists('data_ruleDescription_s', ''),
DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''),
DataRuleId=column_ifexists('data_ruleId_d', ''),
DataRuleName=column_ifexists('data_ruleName_s', ''),
DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''),
DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''),
DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''),
DataScopeId=column_ifexists('data_scopeId_d', ''),
Id=column_ifexists('id_s', ''),
DataStatus=column_ifexists('data_status_s', ''),
DataSystemUser=column_ifexists('data_systemUser_d', ''),
DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''),
DataUserId=column_ifexists('data_userId_d', ''),
DataUserName=column_ifexists('data_userName_s', ''),
EventSubStatus=column_ifexists('secondaryDescription_s', ''),
SecondaryDescription=column_ifexists('secondaryDescription_s', ''),
AgentId=column_ifexists('agentId_s', ''),
DataComputerName=column_ifexists('data_computerName_s', ''),
DataExternalIp=column_ifexists('data_externalIp_s', ''),
DataGroupName=column_ifexists('data_groupName_s', ''),
DataSystem=column_ifexists('data_system_b', ''),
DataUuid=column_ifexists('data_uuid_g', ''),
GroupId=column_ifexists('groupId_s', ''),
GroupName=column_ifexists('groupName_s', ''),
DataGroup=column_ifexists('data_group_s', ''),
DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''),
DataCreatedAt=column_ifexists('data_createdAt_t', ''),
DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''),
DataFilePath=column_ifexists('data_filePath_s', ''),
DataFilename=column_ifexists('data_filename_s', ''),
DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''),
Comments=column_ifexists('comments_s', ''),
DataNewValue=column_ifexists('data_newValue_s', ''),
DataPolicyId=column_ifexists('data_policy_id_s', ''),
DataPolicyName=column_ifexists('data_policyName_s', ''),
DataNewValueb=column_ifexists('data_newValue_b', ''),
DataShouldReboot=column_ifexists('data_shouldReboot_b', ''),
DataRoleName=column_ifexists('data_roleName_s', ''),
DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''),
ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''),
ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''),
ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''),
ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''),
ActiveThreats=column_ifexists('activeThreats_d', ''),
AgentVersion=column_ifexists('agentVersion_s', ''),
AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''),
AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''),
ComputerName=column_ifexists('computerName_s', ''),
ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''),
CoreCount=column_ifexists('coreCount_d', ''),
CpuCount=column_ifexists('cpuCount_d', ''),
CpuId=column_ifexists('cpuId_s', ''),
SrcDvcDomain=column_ifexists('domain_s', ''),
EncryptedApplications=column_ifexists('encryptedApplications_b', ''),
ExternalId=column_ifexists('externalId_s', ''),
ExternalIp=column_ifexists('externalIp_s', ''),
FirewallEnabled=column_ifexists('firewallEnabled_b', ''),
GroupIp=column_ifexists('groupIp_s', ''),
InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''),
Infected=column_ifexists('infected_b', ''),
InstallerType=column_ifexists('installerType_s', ''),
IsActive=column_ifexists('isActive_b', ''),
IsDecommissioned=column_ifexists('isDecommissioned_b', ''),
IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''),
IsUninstalled=column_ifexists('isUninstalled_b', ''),
IsUpToDate=column_ifexists('isUpToDate_b', ''),
LastActiveDate=column_ifexists('lastActiveDate_t', ''),
LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''),
LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''),
LicenseKey=column_ifexists('licenseKey_s', ''),
LocationEnabled=column_ifexists('locationEnabled_b', ''),
LocationType=column_ifexists('locationType_s', ''),
Locations=column_ifexists('locations_s', ''),
MachineType=column_ifexists('machineType_s', ''),
MitigationMode=column_ifexists('mitigationMode_s', ''),
MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''),
SrcDvcModelName=column_ifexists('modelName_s', ''),
NetworkInterfaces=column_ifexists('networkInterfaces_s', ''),
NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''),
NetworkStatus=column_ifexists('networkStatus_s', ''),
OperationalState=column_ifexists('operationalState_s', ''),
OsArch=column_ifexists('osArch_s', ''),
SrcDvcOs=column_ifexists('osName_s', ''),
OsRevision=column_ifexists('osRevision_s', ''),
OsStartTime=column_ifexists('osStartTime_t', ''),
OsType=column_ifexists('osType_s', ''),
RangerStatus=column_ifexists('rangerStatus_s', ''),
RangerVersion=column_ifexists('rangerVersion_s', ''),
RegisteredAt=column_ifexists('registeredAt_t', ''),
RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''),
ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''),
ScanStartedAt=column_ifexists('scanStartedAt_t', ''),
ScanStatus=column_ifexists('scanStatus_s', ''),
ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''),
TotalMemory=column_ifexists('totalMemory_d', ''),
UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''),
Uuid=column_ifexists('uuid_g', ''),
Creator=column_ifexists('creator_s', ''),
CreatedAt=column_ifexists('createdAt_t',''),
CreatorId=column_ifexists('creatorId_s', ''),
Inherits=column_ifexists('inherits_b', ''),
IsDefault=column_ifexists('isDefault_b', ''),
Name=column_ifexists('name_s', ''),
RegistrationToken=column_ifexists('registrationToken_s', ''),
TotalAgents=column_ifexists('totalAgents_d', ''),
Type=column_ifexists('type_s', '');
// Main union: the five V2 tables plus the renamed legacy rows. Same isfuzzy
// caveat as above — any of these tables may be absent without an error.
union isfuzzy=true SentinelOneActivities_CL,SentinelOneAgents_CL,SentinelOneAlerts_CL,SentinelOneGroups_CL,SentinelOneThreats_CL,SentinelOneV1Empty_Union
| extend
// NOTE(review): bare names in this extend (ActivityType, SourceParentProcessInfo,
// SourceProcessInfo, RuleInfo, TargetProcessInfo, ContainerInfo) look intended
// as pass-throughs of existing columns; confirm they were not meant for project.
ActivityType,
EventVendor="SentinelOne",
EventProduct="SentinelOne",
// Data, ActiveDirectory and AlertInfo are JSON blobs on the V2 tables; the
// nested fields are flattened into Data*/ActiveDirectory* columns as strings.
// parse_json() and todynamic() are the same function, so the nesting is
// redundant but harmless.
DataAccountName=tostring(parse_json(todynamic(Data)).accountName),
DataFullScopeDetails=tostring(parse_json(todynamic(Data)).fullScopeDetails),
DataScopeLevel=tostring(parse_json(todynamic(Data)).scopeLevel),
DataScopeName=tostring(parse_json(todynamic(Data)).scopeName),
DataSiteId=tostring(parse_json(todynamic(Data)).siteId),
DataSiteName=tostring(parse_json(todynamic(Data)).siteName),
SrcUserName=tostring(parse_json(todynamic(Data)).userName),
EventId=Id,
SourceParentProcessInfo,
EventOriginalMessage=PrimaryDescription,
UserIdentity=UserId,
EventTypeDetailed=Description,
DataRuleId=tostring(parse_json(todynamic(Data)).ruleId),
// NOTE(review): key is 'rulename' here but camelCase 'ruleName' everywhere
// else (cf. data_ruleName_s) — confirm against the raw JSON; a wrong key
// silently yields an empty string.
DataRuleName=tostring(parse_json(todynamic(Data)).rulename),
DataScopeId=tostring(parse_json(todynamic(Data)).scopeId),
DataSystemUser=tostring(parse_json(todynamic(Data)).systemUser),
DataUserId=tostring(parse_json(todynamic(Data)).userId),
DataUserName=tostring(parse_json(todynamic(Data)).userName),
EventSubStatus=SecondaryDescription,
DataComputerName=tostring(parse_json(todynamic(Data)).computerName),
DataExternalIp=tostring(parse_json(todynamic(Data)).externalIp),
DataGroupName=tostring(parse_json(todynamic(Data)).groupName),
DataStatus=tostring(parse_json(todynamic(Data)).status),
DataByUser=tostring(parse_json(todynamic(Data)).byUser),
DataRole=tostring(parse_json(todynamic(Data)).role),
DataUserScope=tostring(parse_json(todynamic(Data)).userScope),
DataSource=tostring(parse_json(todynamic(Data)).source),
DataExpiryDateStr=tostring(parse_json(todynamic(Data)).expiryDateStr),
DataExpiryTime=tostring(parse_json(todynamic(Data)).expiryTime),
DataNetworkquarantine=tostring(parse_json(todynamic(Data)).networkquarantine),
DataRuleCreationTime=tostring(parse_json(todynamic(Data)).ruleCreationTime),
DataUuid=Uuid,
DataGroup=tostring(parse_json(todynamic(Data)).group),
DataRuleDescription=tostring(parse_json(todynamic(Data)).ruleDescription),
EventType=tostring(parse_json(todynamic(AlertInfo)).eventType),
DataRuleExpirationMode=tostring(parse_json(todynamic(Data)).ruleExpirationMode),
DataRuleQueryDetails=tostring(parse_json(todynamic(Data)).ruleQueryDetails),
DataRuleQueryType=tostring(parse_json(todynamic(Data)).ruleQueryType),
DataRuleSeverity=tostring(parse_json(todynamic(Data)).ruleSeverity),
DataSystem=tostring(parse_json(todynamic(Data)).system),
DataOptionalGroups=tostring(parse_json(todynamic(Data)).optionalGroups),
DataCreatedAt=tostring(parse_json(todynamic(Data)).createdAt),
DataDownloadUrl=tostring(parse_json(todynamic(Data)).downloadUrl),
DataFilePath=tostring(parse_json(todynamic(Data)).filePath),
DataFilename=tostring(parse_json(todynamic(Data)).filename),
DataUploadedFilename=tostring(parse_json(todynamic(Data)).uploadedFilename),
DataNewValue=tostring(parse_json(todynamic(Data)).newValue),
DataPolicyId=tostring(parse_json(todynamic(Data)).policyId),
DataPolicyName=tostring(parse_json(todynamic(Data)).policyName),
DataShouldReboot=tostring(parse_json(todynamic(Data)).shouldReboot),
DataRoleName=tostring(parse_json(todynamic(Data)).roleName),
DataScopeLevelName=tostring(parse_json(todynamic(Data)).scopeLevelName),
ActiveDirectoryComputerDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).computerDistinguishedName),
ActiveDirectoryComputerMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).computerMemberOf),
ActiveDirectoryLastUserDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).lastUserDistinguishedName),
ActiveDirectoryLastUserMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).lastUserMemberOf),
SrcDvcDomain=Domain,
AlertInfo=tostring(AlertInfo),
// Agent-state columns that only some of the unioned tables carry; the ''
// fallback keeps the project below valid when the column is missing.
FirewallEnabled=column_ifexists('FirewallEnabled',''),
IsUninstalled=column_ifexists('IsUninstalled',''),
EncryptedApplications=column_ifexists('EncryptedApplications',''),
OsStartTime=column_ifexists('OsStartTime',''),
InRemoteShellSession=column_ifexists('InRemoteShellSession',''),
ThreatRebootRequired=column_ifexists('ThreatRebootRequired',''),
IsPendingUninstall=column_ifexists('IsPendingUninstall',''),
IsUpToDate=column_ifexists('IsUpToDate',''),
IsDecommissioned=column_ifexists('IsDecommissioned',''),
IsActive=column_ifexists('IsActive',''),
Infected=column_ifexists('Infected',''),
AllowRemoteShell=column_ifexists('AllowRemoteShell',''),
LocationEnabled=column_ifexists('LocationEnabled',''),
SrcDvcModelName=ModelName,
NetworkQuarantineEnabled=column_ifexists('NetworkQuarantineEnabled',''),
SrcDvcOs=OsName,
SourceProcessInfo,
RuleInfo,
TargetProcessInfo,
ContainerInfo,
EventCreationTime=CreatedAt,
RemoteProfilingState=column_ifexists('RemoteProfilingState','')
// Final normalized schema exposed by the function.
// NOTE(review): LastActiveDate_datetime, RegisteredAt_datetime,
// ScanFinishedAt_datetime and ScanStartedAt_datetime are not declared in either
// empty datatable above; they look like the type-suffixed columns union emits
// when the same name arrives with two different types (the legacy mapping makes
// them string) — confirm against the live schema.
| project
TimeGenerated,
EventVendor,
EventProduct,
AccountName,
SourceParentProcessInfo,
TargetProcessInfo,
ActivityType,
EventCreationTime,
DataAccountName,
DataFullScopeDetails,
DataScopeLevel,
DataScopeName,
DataSiteId,
SourceProcessInfo,
DataSiteName,
SrcUserName,
EventId,
EventOriginalMessage,
SiteId,
SiteName,
UpdatedAt,
UserIdentity,
EventType,
DataByUser,
DataRole,
DataUserScope,
EventTypeDetailed,
DataSource,
DataExpiryDateStr,
DataExpiryTime,
DataNetworkquarantine,
DataRuleCreationTime,
DataRuleDescription,
DataRuleExpirationMode,
DataRuleId,
DataRuleName,
DataRuleQueryDetails,
DataRuleQueryType,
DataRuleSeverity,
DataScopeId,
DataStatus,
DataSystemUser,
DataTreatasthreat,
DataUserId,
DataUserName,
EventSubStatus,
AgentId,
DataComputerName,
DataExternalIp,
DataGroupName,
DataSystem,
DataUuid,
GroupId,
GroupName,
DataGroup,
DataOptionalGroups,
DataCreatedAt,
DataDownloadUrl,
DataFilePath,
DataFilename,
DataUploadedFilename,
Comments,
DataNewValue,
DataPolicyId,
DataPolicyName,
DataNewValueb,
DataShouldReboot,
DataRoleName,
DataScopeLevelName,
ActiveDirectoryComputerDistinguishedName,
ActiveDirectoryComputerMemberOf,
ActiveDirectoryLastUserDistinguishedName,
ActiveDirectoryLastUserMemberOf,
// NOTE(review): ActiveThreats, CoreCount, CpuCount, TotalMemory and TotalAgents
// are taken from the legacy *_d columns, not from the V2 columns of the same
// name, so rows from the V2 tables presumably come out null here — confirm.
ActiveThreats=toreal(activeThreats_d),
AgentVersion,
AllowRemoteShell,
AppsVulnerabilityStatus,
ComputerName,
ConsoleMigrationStatus,
CoreCount=toreal(coreCount_d),
CpuCount=toreal(cpuCount_d),
CpuId,
SrcDvcDomain,
EncryptedApplications,
ExternalId,
ExternalIp,
FirewallEnabled,
GroupIp,
InRemoteShellSession,
Infected,
InstallerType,
IsActive,
IsDecommissioned,
IsPendingUninstall,
IsUninstalled,
IsUpToDate,
LastActiveDate=tostring(LastActiveDate_datetime),
LastIpToMgmt,
LastLoggedInUserName,
// NOTE(review): LicenseKey and RegistrationToken (below) are credential-like
// values for the SentinelOne console; confirm consumers of this function need
// them, otherwise drop or mask them from the normalized view.
LicenseKey,
LocationEnabled,
LocationType,
Locations,
MachineType,
MitigationMode,
MitigationModeSuspicious,
SrcDvcModelName,
NetworkInterfaces,
NetworkQuarantineEnabled,
NetworkStatus,
OperationalState,
OsArch,
SrcDvcOs,
OsRevision,
OsStartTime,
OsType,
RangerStatus,
RangerVersion,
RegisteredAt=tostring(RegisteredAt_datetime),
RemoteProfilingState,
ScanFinishedAt=tostring(ScanFinishedAt_datetime),
ScanStartedAt=tostring(ScanStartedAt_datetime),
ScanStatus,
ThreatRebootRequired,
TotalMemory=toreal(totalMemory_d),
UserActionsNeeded,
Uuid,
Creator,
CreatorId,
Inherits,
IsDefault,
Name,
AlertInfo,
RuleInfo,
ContainerInfo,
RegistrationToken,
TotalAgents=totalAgents_d,
Type;
};
SentinelOne_view