Skip to content

Sentinel EDR

Sentinel EDR

About

SentinelOne’s ActiveEDR is powered by patented Storyline technology that reduces threat dwell time by making EDR detection, investigation, and response operations far easier and far reaching with massive data retention horizons to 365+ days. The net result is easy and fast attack mitigation, long term EDR visibility, and recovery with minimal friction and minimal interruption.

Product Details

Vendor URL: Sentinel EDR

Product Type: EDR

Product Tier: Tier I

Integration Method: Syslog

Integration URL: Sentinel EDR - Cyderes Documentation

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: Syslog

Expected Normalization Rate: Near 100%

Data Label: SENTINEL_EDR

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
activityType metadata.product_event_type
cat additional.fields
deviceAddress observer.ip
deviceHostFqdn observer.hostname
eventDesc metadata.description
eventDesc security_result.summary
fileHash target.file.sha256
fileHash target.file.md5
fileHash target.file.sha1
fileName target.process.file.full_path
ip principal.nat_ip
noteText security_result.summary
originatorName target.hostname
originatorVersion principal.asset.software.version
sourceDnsDomain principal.administrative_domain
sourceHostName principal.hostname
sourceIpAddress principal.ip
sourceMacAddresses principal.mac
sourceOsType principal.platform
sourceUserId principal.user.userid
sourceUserName principal.user.user_display_name
suser principal.user.user_display_name
threatClassification security_result.threat_id
threatDetectingEngine security_result.category_details
threatMitigationStatus security_result.threat_status
threatConfidenceLevel security_result.confidence_details
threatMitigatedPreemptively security_result.action_details
threatMitigationStatusLabel security_result.severity_details
threatMitigationStatusID security_result.priority_details
userEmail target.user.userid

Product Event Types

Event UDM Event Classification Security Category alerting enabled
17 = Computer subscribed and joined the group STATUS_UNCATEGORIZED
19 = Threat detected PROCESS_LAUNCH
2001 = Threat killed PROCESS_TERMINATION
2004 = Threat quarantined successfully PROCESS_UNCATEGORIZED
3100 = New agent package available GENERIC_EVENT
33 = New Console Logout Activity USER_LOGOUT
4002 = New suspicious threat detected STATUS_UNCATEGORIZED
4008 = Threat status changed STATUS_UNCATEGORIZED
43 = Agent was updated STATUS_UPDATE
47 = Machine decom GENERIC_EVENT
5021 = Management user updated site USER_RESOURCE_UPDATE_CONTENT
5126 = USB Drive disconnected GENERIC_EVENT
71 = Management user initiated full disk scan SCAN_HOST
90 = Agent initiated full disk scan SCAN_HOST
92 = Completed full disk scan SCAN_HOST
all undefined events GENERIC_EVENT
New Active Threat SOFTWARE_MALICIOUS TRUE
New Blocked Threat SOFTWARE_MALICIOUS TRUE
New Suspicious Threat SOFTWARE_MALICIOUS TRUE

Log Sample

<14>2021-07-30 11:16:51,872   sentinel -  CEF:2|SentinelOne|Mgmt|suser=username|fileName=SourceTree.exe|oldValue=Undefined|newValue=False positive|rt=2021-07-30 11:16:44.395144|deviceAddress=10.22.1.71|deviceHostFqdn=fqdn|deviceHostName=fqdn|notificationScope=SITE|siteId=siteid|siteName=Default site|accountId=accountid|accountName=Company|vendor=SentinelOne|eventID=2030|eventDesc=Analyst verdict changed|eventSeverity=1|originatorName=originator|originatorVersion=4.5.2.136|sourceAgentLastActivityTimestamp=2021-07-30 11:16:12.962792|sourceAgentRegisterTimestamp=2021-05-11 22:33:22.166754|sourceNetworkState=connected|sourceOsRevision=17134|sourceOsType=windows|sourceAgentUuid=uuid|sourceFqdn=fqdn|sourceThreatCount=0|sourceMgmtPrecievedAddress=10.10.10.1|sourceDnsDomain=DOMAIN|sourceHostName=hostname|sourceUserName=first.last|sourceUserId=sid|sourceAgentId=agent|sourceGroupId=group|sourceGroupName=Default Group|sourceIpAddresses=['10.3.205.127', 'fe80::19dc:cd68:a2fc:4b23']|sourceMacAddresses=['00:50:56:b6:a5:e2']|threatClassification=Generic.Heuristic|threatClassificationSource=Cloud|threatDetectingEngine=windows.executables|threatClassifier=LOGIC|threatMitigationStatus=marked_as_benign|threatConfidenceLevel=suspicious|threatMitigatedPreemptively=False|threatMitigationStatusLabel=suspicious_resolved|threatMitigationStatusID=5|threatCommandLineArguments=|threatID=threatid|threatStoryline=threatstory|threatDetectionTime=2021-07-30 07:59:31.846392|threatIndicatorsList=[88, 293]|threatProcessUser=DOMAIN\first.last|fileHashSha256=None|fileHashMd5=None|cat=THREATMANAGEMENT|activityID=actid|activityType=2030

Sample Parsing

metadata.event_timestamp = "2021-07-30T11:16:51Z"
metadata.event_type = "GENERIC_EVENT"
metadata.product_name = "Sentinel One"
metadata.product_event_type = "2030"
metadata.description = "Analyst verdict changed"
metadata.ingested_timestamp = "2021-07-30T11:18:25.287966Z"
additional.Category = "THREATMANAGEMENT"
principal.hostname = "hostname"
principal.user.userid = "sid"
principal.user.user_display_name = "first.last"
principal.platform = "WINDOWS"
principal.ip = "10.3.205.127"
principal.mac = "00:50:56:b6:a5:e2"
principal.administrative_domain = "DOMAIN"
principal.asset.software.version = "4.5.2.136"
target.process.file.full_path = " SourceTree.exe"
observer.hostname = "fqdn"
observer.ip = "10.22.171.71"
security_result.category_details = "windows.executables"
security_result.summary = "Analyst verdict changed"
security_result.threat_id = "Generic.Heuristic"
security_result.threat_status = "FALSE_POSITIVE"

Parser Alerting

Alerting criteria is listed in the Product Event Types table above.