Sentinel DV¶
About¶
SentinelOne extends its Endpoint Protection Platform (EPP) to offer the ability to search for attack indicators, investigate existing incidents, perform file integrity monitoring and root out hidden threats. Deep Visibility supports the needs of Enterprise IT and provides visibility into encrypted traffic. This unique solution helps security teams gain comprehensive insight into all endpoints so that responses can be prioritized and efficient without highly trained personnel or outsourcing EDR needs.
Product Details¶
Vendor URL: Sentinel DV
Product Type: EDR
Product Tier: Tier I
Integration Method: Custom
Integration URL: Sentinel DV - Cyderes Documentation
Log Guide: n/a
Parser Details¶
Log Format: JSON
Expected Normalization Rate: near 100%
Data Label: SENTINEL_DV
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| "SentinelOne" | metadata.vendor_name |
| "Deep Visibility" | metadata.product_name |
| event_type | metadata.product_event_type |
| "TCP" | network.ip_protocol |
| dnsType | network.dns.answers.type |
| dnsResult | network.dns.answers.data |
| "DNS" | network.application_protocol |
| query | network.dns.questions.name |
| event.network.direction | network.direction |
| site.name | observer.cloud.project.name |
| timestamp.millisecondsSinceEpoch | metadata.event_timestamp |
| domain | principal.administrative_domain |
| source.name | principal.application |
| src.process.name | principal.application |
| SENTINELONE:meta.uuid | principal.asset_id |
| meta.computer_name | principal.hostname |
| sourceAddress.address | principal.ip |
| src.ip.address | principal.ip |
| local.address | principal.ip |
| os_family | principal.platform |
| meta.os_revision | principal.platform_patch_level |
| os_version | principal.platform_version |
| os.name | principal.platform_version |
| sourceAddress.port | principal.port |
| src.port.number | principal.port |
| localAddress.port | principal.port |
| source.commandLine | principal.process.command_line |
| source.executable.hashes.md5 | principal.process.file.md5 |
| source.executable.hashes.sha1 | principal.process.file.sha1 |
| source.executable.hashes.sha256 | principal.process.file.sha256 |
| source.executable.sizeBytes | principal.process.file.size |
| source.fullPid.pid | principal.process.pid |
| username | principal.user.userid |
| source.user.sid | principal.user.windows_sid |
| endpoint.name | target.hostname |
| targetFile.path | target.file.full_path |
| targetFile.hashes.md5 | target.file.md5 |
| targetFile.hashes.sha1 | target.file.sha1 |
| targetFile.hashes.sha256 | target.file.sha256 |
| destinationAddress.address | target.ip |
| dst.ip.address | target.ip |
| destinationAddress.port | target.port |
| dst.port.number | target.port |
| source.commandLine | target.process.command_line |
| parent.commandLine | target.process.parent_process.command_line |
| parent.executable.hashes.md5 | target.process.parent_process.file.md5 |
| parent.executable.hashes.sha1 | target.process.parent_process.file.sha1 |
| parent.executable.hashes.sha256 | target.process.parent_process.file.sha256 |
| parent.fullPid.pid | target.process.parent_process.pid |
| source.fullPid.pid | target.process.pid |
| regValue.path | target.registry.registry_key |
| taskName | target.resource.name |
| "TASK" | target.resource.resource_type |
| "TASK" | target.resource.type |
| url | target.url |
| event.network.protocolName | security_result.about.labels |
| event.network.connectionStatus | security_result.about.labels |
| filter | security_result.detection_fields |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| FileDeletion | FILE_DELETION |
| FileCreation | FILE_CREATION |
| FileModification | FILE_MODIFICATION |
| Http | NETWORK_HTTP |
| Tcpv4 | NETWORK_CONNECTION |
| ProcessExit, ProcessTermination | PROCESS_TERMINATION |
| ProcessCreation | PROCESS_LAUNCH |
| Dns | NETWORK_DNS |
| RegKeyCreate, RegValueCreate | REGISTRY_CREATION |
| RegKeyDelete, RegValueDelete | REGISTRY_DELETION |
| RegValueModified, RegKeySecurityChanged | REGISTRY_MODIFICATION |
| SchedTaskDelete | SCHEDULED_TASK_DELETION |
| SchedTaskRegister | SCHEDULED_TASK_CREATION |
| SchedTaskStart, SchedTaskTrigger | SCHEDULED_TASK_ENABLE |
| SchedTaskUpdate | SCHEDULED_TASK_MODIFICATION |
| Login | USER_UNCATEGORIZED |
| all undefined events | GENERIC_EVENT |
Log Sample¶
{"event":{"timestamp":{"millisecondsSinceEpoch":1651612946414},"Event":null},"meta":{"seq_id":12,"uuid":"uuid","trace_id":"trace","agent_version":"S1-WIN/10.10.10.10","os_family":"windows","os_name":"Windows 10 Pro","os_revision":"19044","computer_name":"COMPUTER_NAME-WIN10","machine_type":"laptop"}}
Sample Parsing¶
metadata.event_timestamp = "1651612946"
metadata.event_type = GENERIC_EVENT
metadata.vendor_name = "SentinelOne"
metadata.product_name = "Deep Visibility"
metadata.product_event_type = "null"
principal.hostname = "COMPUTER_NAME-WIN10"
principal.asset_id = "SENTINELONE:uuid"
principal.platform = WINDOWS
principal.platform_version = "10 Pro"
principal.platform_patch_level = "19044"
Parser Alerting¶
This product currently does not have any Parser-based Alerting.
Rules¶
Coming Soon