SentinelOne

Endpoint detection and response logs

Global Fields (4)

FieldType
ngs.createdAt
Timestamp when the event was created locally.
pdate
ngs.id
Unique identifier for the log entry.
string
ngs.indexedAt
Timestamp when the log was indexed into the SIEM.
pdate
ngs.source
Origin or source system of the log.
string

Generic Fields (6)

These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema— things like timestamps, unique identifiers, user IDs, or status codes that every namespace needs. By sharing these fields, we ensure consistency and make it easy to run cross-namespace searches and reports.

FieldReference-Specific FieldsType
gen.hostname
Normalized hostname of the system generating the log.
sentinelOne.agentRealtimeInfo.agentComputerName
sentinelOne.data.computerName
text_general
gen.username
Username associated with the event.
sentinelOne.data.username
text_general
gen.file.name
File name associated with the event.
sentinelOne.threatInfo.filePath
strings
gen.file.path
Full file path associated with the event.
sentinelOne.threatInfo.filePath
strings
gen.process.process
Name of the process.
sentinelOne.threatInfo.originatorProcess
string
gen.av.infectionName
Name of the detected infection or malware.
sentinelOne.threatInfo.threatName
strings

Reference-Specific Fields (175)

FieldType
sentinelOne.accountId
string
sentinelOne.accountName
text_general
sentinelOne.activityType
plong
sentinelOne.activityUuid
string
sentinelOne.agentDetectionInfo.accountId
string
sentinelOne.agentDetectionInfo.accountName
text_general
sentinelOne.agentDetectionInfo.agentDetectionState
string
sentinelOne.agentDetectionInfo.agentDomain
text_general
sentinelOne.agentDetectionInfo.agentIpV4
text_general
sentinelOne.agentDetectionInfo.agentIpV6
text_general
sentinelOne.agentDetectionInfo.agentLastLoggedInUpn
string
sentinelOne.agentDetectionInfo.agentLastLoggedInUserMail
text_general
sentinelOne.agentDetectionInfo.agentLastLoggedInUserName
text_general
sentinelOne.agentDetectionInfo.agentMitigationMode
string
sentinelOne.agentDetectionInfo.agentOsName
text_general
sentinelOne.agentDetectionInfo.agentOsRevision
text_general
sentinelOne.agentDetectionInfo.agentRegisteredAt
pdate
sentinelOne.agentDetectionInfo.agentUuid
string
sentinelOne.agentDetectionInfo.agentVersion
text_general
sentinelOne.agentDetectionInfo.externalIp
text_general
sentinelOne.agentDetectionInfo.groupId
string
sentinelOne.agentDetectionInfo.groupName
text_general
sentinelOne.agentDetectionInfo.siteId
string
sentinelOne.agentDetectionInfo.siteName
text_general
sentinelOne.agentId
string
sentinelOne.agentRealtimeInfo.accountId
string
sentinelOne.agentRealtimeInfo.accountName
text_general
sentinelOne.agentRealtimeInfo.activeThreats
plong
sentinelOne.agentRealtimeInfo.agentComputerName
text_general
sentinelOne.agentRealtimeInfo.agentDecommissionedAt
pdate
sentinelOne.agentRealtimeInfo.agentDomain
text_general
sentinelOne.agentRealtimeInfo.agentId
string
sentinelOne.agentRealtimeInfo.agentInfected
boolean
sentinelOne.agentRealtimeInfo.agentIsActive
boolean
sentinelOne.agentRealtimeInfo.agentIsDecommissioned
boolean
sentinelOne.agentRealtimeInfo.agentMachineType
string
sentinelOne.agentRealtimeInfo.agentMitigationMode
string
sentinelOne.agentRealtimeInfo.agentNetworkStatus
string
sentinelOne.agentRealtimeInfo.agentOsName
text_general
sentinelOne.agentRealtimeInfo.agentOsRevision
text_general
sentinelOne.agentRealtimeInfo.agentOsType
string
sentinelOne.agentRealtimeInfo.agentUuid
string
sentinelOne.agentRealtimeInfo.agentVersion
text_general
sentinelOne.agentRealtimeInfo.groupId
string
sentinelOne.agentRealtimeInfo.groupName
text_general
sentinelOne.agentRealtimeInfo.networkInterfaces.id
strings
sentinelOne.agentRealtimeInfo.networkInterfaces.inet
text_generals
sentinelOne.agentRealtimeInfo.networkInterfaces.inet6
text_generals
sentinelOne.agentRealtimeInfo.networkInterfaces.name
text_generals
sentinelOne.agentRealtimeInfo.networkInterfaces.physical
text_generals
sentinelOne.agentRealtimeInfo.operationalState
string
sentinelOne.agentRealtimeInfo.rebootRequired
boolean
sentinelOne.agentRealtimeInfo.scanAbortedAt
pdate
sentinelOne.agentRealtimeInfo.scanFinishedAt
pdate
sentinelOne.agentRealtimeInfo.scanStartedAt
pdate
sentinelOne.agentRealtimeInfo.scanStatus
string
sentinelOne.agentRealtimeInfo.siteId
string
sentinelOne.agentRealtimeInfo.siteName
text_general
sentinelOne.agentRealtimeInfo.storageName
text_general
sentinelOne.agentRealtimeInfo.storageType
string
sentinelOne.agentUpdatedVersion
text_general
sentinelOne.createdAt
pdate
sentinelOne.data.accountName
text_general
sentinelOne.data.byUser
text_general
sentinelOne.data.computerName
text_general
sentinelOne.data.deactivationPeriodInDays
string
sentinelOne.data.description
text_general
sentinelOne.data.externalIp
text_general
sentinelOne.data.fullScopeDetails
text_general
sentinelOne.data.fullScopeDetailsPath
text_general
sentinelOne.data.group
text_general
sentinelOne.data.groupName
text_general
sentinelOne.data.groupType
string
sentinelOne.data.ipAddress
text_general
sentinelOne.data.machineType
string
sentinelOne.data.osType
string
sentinelOne.data.role
string
sentinelOne.data.roleName
text_general
sentinelOne.data.scopeLevel
text_general
sentinelOne.data.scopeLevelName
text_general
sentinelOne.data.scopeName
text_general
sentinelOne.data.siteName
text_general
sentinelOne.data.sourceAccountName
text_general
sentinelOne.data.sourceSiteName
text_general
sentinelOne.data.sourceType
string
sentinelOne.data.system
boolean
sentinelOne.data.targetAccountName
text_general
sentinelOne.data.targetSiteName
text_general
sentinelOne.data.userScope
string
sentinelOne.data.username
text_general
sentinelOne.data.uuid
string
sentinelOne.description
text_general
sentinelOne.groupId
string
sentinelOne.groupName
text_general
sentinelOne.hash
string
sentinelOne.id
string
sentinelOne.indicators.category
text_generals
sentinelOne.indicators.description
text_generals
sentinelOne.indicators.ids
plongs
sentinelOne.indicators.tactics.name
text_generals
sentinelOne.indicators.tactics.source
text_generals
sentinelOne.indicators.tactics.techniques.link
text_generals
sentinelOne.indicators.tactics.techniques.name
text_generals
sentinelOne.logType
string
sentinelOne.mitigationStatus.action
strings
sentinelOne.mitigationStatus.actionsCounters.failed
plongs
sentinelOne.mitigationStatus.actionsCounters.notFound
plongs
sentinelOne.mitigationStatus.actionsCounters.pendingReboot
plongs
sentinelOne.mitigationStatus.actionsCounters.success
plongs
sentinelOne.mitigationStatus.actionsCounters.total
plongs
sentinelOne.mitigationStatus.agentSupportsReport
booleans
sentinelOne.mitigationStatus.groupNotFound
booleans
sentinelOne.mitigationStatus.lastUpdate
pdates
sentinelOne.mitigationStatus.latestReport
text_generals
sentinelOne.mitigationStatus.mitigationEndedAt
pdates
sentinelOne.mitigationStatus.mitigationStartedAt
pdates
sentinelOne.mitigationStatus.status
strings
sentinelOne.osFamily
text_general
sentinelOne.primaryDescription
text_general
sentinelOne.secondaryDescription
text_general
sentinelOne.siteId
string
sentinelOne.siteName
text_general
sentinelOne.threatId
string
sentinelOne.threatInfo.analystVerdict
string
sentinelOne.threatInfo.analystVerdictDescription
text_general
sentinelOne.threatInfo.automaticallyResolved
boolean
sentinelOne.threatInfo.browserType
string
sentinelOne.threatInfo.certificateId
string
sentinelOne.threatInfo.classification
text_general
sentinelOne.threatInfo.classificationSource
text_general
sentinelOne.threatInfo.cloudFilesHashVerdict
string
sentinelOne.threatInfo.collectionId
string
sentinelOne.threatInfo.confidenceLevel
string
sentinelOne.threatInfo.createdAt
pdate
sentinelOne.threatInfo.detectionEngines.key
text_generals
sentinelOne.threatInfo.detectionEngines.title
text_generals
sentinelOne.threatInfo.detectionType
string
sentinelOne.threatInfo.engines
text_generals
sentinelOne.threatInfo.externalTicketExists
boolean
sentinelOne.threatInfo.externalTicketId
string
sentinelOne.threatInfo.failedActions
boolean
sentinelOne.threatInfo.fileExtension
text_general
sentinelOne.threatInfo.fileExtensionType
text_general
sentinelOne.threatInfo.filePath
text_general
sentinelOne.threatInfo.fileSize
plong
sentinelOne.threatInfo.fileVerificationType
string
sentinelOne.threatInfo.identifiedAt
pdate
sentinelOne.threatInfo.incidentStatus
string
sentinelOne.threatInfo.incidentStatusDescription
text_general
sentinelOne.threatInfo.initiatedBy
string
sentinelOne.threatInfo.initiatedByDescription
text_general
sentinelOne.threatInfo.initiatingUserId
string
sentinelOne.threatInfo.initiatingUsername
text_general
sentinelOne.threatInfo.isFileless
boolean
sentinelOne.threatInfo.isValidCertificate
boolean
sentinelOne.threatInfo.maliciousProcessArguments
text_general
sentinelOne.threatInfo.md5
string
sentinelOne.threatInfo.mitigatedPreemptively
boolean
sentinelOne.threatInfo.mitigationStatus
string
sentinelOne.threatInfo.mitigationStatusDescription
text_general
sentinelOne.threatInfo.originatorProcess
text_general
sentinelOne.threatInfo.pendingActions
boolean
sentinelOne.threatInfo.processUser
text_general
sentinelOne.threatInfo.publisherName
text_general
sentinelOne.threatInfo.reachedEventsLimit
boolean
sentinelOne.threatInfo.rebootRequired
boolean
sentinelOne.threatInfo.sha1
string
sentinelOne.threatInfo.sha256
string
sentinelOne.threatInfo.storyline
string
sentinelOne.threatInfo.threatId
string
sentinelOne.threatInfo.threatName
text_general
sentinelOne.threatInfo.updatedAt
pdate
sentinelOne.updatedAt
pdate
sentinelOne.userId
string
sentinelOne.whiteningOptions
text_generals

Sample Log Event

Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.