SentinelOne
SentinelOne EDR logs reporting ransomware blocks, behavioral AI alerts, remediation steps and agent health.
Global Fields (4)
Field | Description | Type |
---|---|---|
ngs.id | Unique identifier for the log entry. | string |
ngs.createdAt | Timestamp when the event was created locally. | pdate |
ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
ngs.source | Origin or source system of the log. | string |
Reference-Specific Fields (175)
Field | Type |
---|---|
sentinelOne.agentDetectionInfo.accountId | string |
sentinelOne.agentDetectionInfo.accountName | text_general |
sentinelOne.agentDetectionInfo.agentDetectionState | string |
sentinelOne.agentDetectionInfo.agentDomain | text_general |
sentinelOne.agentDetectionInfo.agentIpV4 | text_general |
sentinelOne.agentDetectionInfo.agentIpV6 | text_general |
sentinelOne.agentDetectionInfo.agentLastLoggedInUpn | string |
sentinelOne.agentDetectionInfo.agentLastLoggedInUserMail | text_general |
sentinelOne.agentDetectionInfo.agentLastLoggedInUserName | text_general |
sentinelOne.agentDetectionInfo.agentMitigationMode | string |
sentinelOne.agentDetectionInfo.agentOsName | text_general |
sentinelOne.agentDetectionInfo.agentOsRevision | text_general |
sentinelOne.agentDetectionInfo.agentRegisteredAt | pdate |
sentinelOne.agentDetectionInfo.agentUuid | string |
sentinelOne.agentDetectionInfo.agentVersion | text_general |
sentinelOne.agentDetectionInfo.externalIp | text_general |
sentinelOne.agentDetectionInfo.groupId | string |
sentinelOne.agentDetectionInfo.groupName | text_general |
sentinelOne.agentDetectionInfo.siteId | string |
sentinelOne.agentDetectionInfo.siteName | text_general |
sentinelOne.agentRealtimeInfo.accountId | string |
sentinelOne.agentRealtimeInfo.accountName | text_general |
sentinelOne.agentRealtimeInfo.activeThreats | plong |
sentinelOne.agentRealtimeInfo.agentComputerName | text_general |
sentinelOne.agentRealtimeInfo.agentDecommissionedAt | pdate |
sentinelOne.agentRealtimeInfo.agentDomain | text_general |
sentinelOne.agentRealtimeInfo.agentId | string |
sentinelOne.agentRealtimeInfo.agentInfected | boolean |
sentinelOne.agentRealtimeInfo.agentIsActive | boolean |
sentinelOne.agentRealtimeInfo.agentIsDecommissioned | boolean |
sentinelOne.agentRealtimeInfo.agentMachineType | string |
sentinelOne.agentRealtimeInfo.agentMitigationMode | string |
sentinelOne.agentRealtimeInfo.agentNetworkStatus | string |
sentinelOne.agentRealtimeInfo.agentOsName | text_general |
sentinelOne.agentRealtimeInfo.agentOsRevision | text_general |
sentinelOne.agentRealtimeInfo.agentOsType | string |
sentinelOne.agentRealtimeInfo.agentUuid | string |
sentinelOne.agentRealtimeInfo.agentVersion | text_general |
sentinelOne.agentRealtimeInfo.groupId | string |
sentinelOne.agentRealtimeInfo.groupName | text_general |
sentinelOne.agentRealtimeInfo.networkInterfaces.id | string [] |
sentinelOne.agentRealtimeInfo.networkInterfaces.inet | text_general [] |
sentinelOne.agentRealtimeInfo.networkInterfaces.inet6 | text_general [] |
sentinelOne.agentRealtimeInfo.networkInterfaces.name | text_general [] |
sentinelOne.agentRealtimeInfo.networkInterfaces.physical | text_general [] |
sentinelOne.agentRealtimeInfo.operationalState | string |
sentinelOne.agentRealtimeInfo.rebootRequired | boolean |
sentinelOne.agentRealtimeInfo.scanAbortedAt | pdate |
sentinelOne.agentRealtimeInfo.scanFinishedAt | pdate |
sentinelOne.agentRealtimeInfo.scanStartedAt | pdate |
sentinelOne.agentRealtimeInfo.scanStatus | string |
sentinelOne.agentRealtimeInfo.siteId | string |
sentinelOne.agentRealtimeInfo.siteName | text_general |
sentinelOne.agentRealtimeInfo.storageName | text_general |
sentinelOne.agentRealtimeInfo.storageType | string |
sentinelOne.indicators.category | text_general [] |
sentinelOne.indicators.description | text_general [] |
sentinelOne.indicators.ids | plong [] |
sentinelOne.indicators.tactics.name | text_general [] |
sentinelOne.indicators.tactics.source | text_general [] |
sentinelOne.indicators.tactics.techniques.name | text_general [] |
sentinelOne.indicators.tactics.techniques.link | text_general [] |
sentinelOne.mitigationStatus.action | string [] |
sentinelOne.mitigationStatus.actionsCounters.failed | plong [] |
sentinelOne.mitigationStatus.actionsCounters.notFound | plong [] |
sentinelOne.mitigationStatus.actionsCounters.pendingReboot | plong [] |
sentinelOne.mitigationStatus.actionsCounters.success | plong [] |
sentinelOne.mitigationStatus.actionsCounters.total | plong [] |
sentinelOne.mitigationStatus.agentSupportsReport | boolean [] |
sentinelOne.mitigationStatus.groupNotFound | boolean [] |
sentinelOne.mitigationStatus.lastUpdate | pdate [] |
sentinelOne.mitigationStatus.latestReport | text_general [] |
sentinelOne.mitigationStatus.mitigationEndedAt | pdate [] |
sentinelOne.mitigationStatus.mitigationStartedAt | pdate [] |
sentinelOne.mitigationStatus.status | string [] |
sentinelOne.threatInfo.analystVerdict | string |
sentinelOne.threatInfo.analystVerdictDescription | text_general |
sentinelOne.threatInfo.automaticallyResolved | boolean |
sentinelOne.threatInfo.browserType | string |
sentinelOne.threatInfo.certificateId | string |
sentinelOne.threatInfo.classification | text_general |
sentinelOne.threatInfo.classificationSource | text_general |
sentinelOne.threatInfo.cloudFilesHashVerdict | string |
sentinelOne.threatInfo.collectionId | string |
sentinelOne.threatInfo.confidenceLevel | string |
sentinelOne.threatInfo.createdAt | pdate |
sentinelOne.threatInfo.detectionEngines.key | text_general [] |
sentinelOne.threatInfo.detectionEngines.title | text_general [] |
sentinelOne.threatInfo.detectionType | string |
sentinelOne.threatInfo.engines | text_general [] |
sentinelOne.threatInfo.externalTicketExists | boolean |
sentinelOne.threatInfo.externalTicketId | string |
sentinelOne.threatInfo.failedActions | boolean |
sentinelOne.threatInfo.fileExtension | text_general |
sentinelOne.threatInfo.fileExtensionType | text_general |
sentinelOne.threatInfo.filePath | text_general |
sentinelOne.threatInfo.fileSize | plong |
sentinelOne.threatInfo.fileVerificationType | string |
sentinelOne.threatInfo.identifiedAt | pdate |
sentinelOne.threatInfo.incidentStatus | string |
sentinelOne.threatInfo.incidentStatusDescription | text_general |
sentinelOne.threatInfo.initiatedBy | string |
sentinelOne.threatInfo.initiatedByDescription | text_general |
sentinelOne.threatInfo.initiatingUserId | string |
sentinelOne.threatInfo.initiatingUsername | text_general |
sentinelOne.threatInfo.isFileless | boolean |
sentinelOne.threatInfo.isValidCertificate | boolean |
sentinelOne.threatInfo.maliciousProcessArguments | text_general |
sentinelOne.threatInfo.md5 | string |
sentinelOne.threatInfo.mitigatedPreemptively | boolean |
sentinelOne.threatInfo.mitigationStatus | string |
sentinelOne.threatInfo.mitigationStatusDescription | text_general |
sentinelOne.threatInfo.originatorProcess | text_general |
sentinelOne.threatInfo.pendingActions | boolean |
sentinelOne.threatInfo.processUser | text_general |
sentinelOne.threatInfo.publisherName | text_general |
sentinelOne.threatInfo.reachedEventsLimit | boolean |
sentinelOne.threatInfo.rebootRequired | boolean |
sentinelOne.threatInfo.sha1 | string |
sentinelOne.threatInfo.sha256 | string |
sentinelOne.threatInfo.storyline | string |
sentinelOne.threatInfo.threatId | string |
sentinelOne.threatInfo.threatName | text_general |
sentinelOne.threatInfo.updatedAt | pdate |
sentinelOne.whiteningOptions | text_general [] |
sentinelOne.accountId | string |
sentinelOne.accountName | text_general |
sentinelOne.activityType | plong |
sentinelOne.activityUuid | string |
sentinelOne.agentId | string |
sentinelOne.agentUpdatedVersion | text_general |
sentinelOne.createdAt | pdate |
sentinelOne.updatedAt | pdate |
sentinelOne.data.accountName | text_general |
sentinelOne.data.computerName | text_general |
sentinelOne.data.externalIp | text_general |
sentinelOne.data.fullScopeDetails | text_general |
sentinelOne.data.fullScopeDetailsPath | text_general |
sentinelOne.data.groupName | text_general |
sentinelOne.data.groupType | string |
sentinelOne.data.scopeLevel | text_general |
sentinelOne.data.scopeName | text_general |
sentinelOne.data.siteName | text_general |
sentinelOne.data.system | boolean |
sentinelOne.data.username | text_general |
sentinelOne.data.uuid | string |
sentinelOne.data.sourceAccountName | text_general |
sentinelOne.data.sourceSiteName | text_general |
sentinelOne.data.targetAccountName | text_general |
sentinelOne.data.targetSiteName | text_general |
sentinelOne.data.byUser | text_general |
sentinelOne.data.ipAddress | text_general |
sentinelOne.data.role | string |
sentinelOne.data.sourceType | string |
sentinelOne.data.userScope | string |
sentinelOne.data.roleName | text_general |
sentinelOne.data.scopeLevelName | text_general |
sentinelOne.data.description | text_general |
sentinelOne.data.deactivationPeriodInDays | string |
sentinelOne.data.group | text_general |
sentinelOne.data.machineType | string |
sentinelOne.data.osType | string |
sentinelOne.description | text_general |
sentinelOne.groupId | string |
sentinelOne.groupName | text_general |
sentinelOne.hash | string |
sentinelOne.id | string |
sentinelOne.osFamily | text_general |
sentinelOne.primaryDescription | text_general |
sentinelOne.secondaryDescription | text_general |
sentinelOne.siteId | string |
sentinelOne.siteName | text_general |
sentinelOne.threatId | string |
sentinelOne.userId | string |
sentinelOne.logType | string |
Sample Log Event
Below is a representative JSON log entry showing the key fields as they are emitted by the system. Depending on the context of the event, fields that are not applicable may be omitted.