diff --git a/packages/sentinel_one/changelog.yml b/packages/sentinel_one/changelog.yml
index b19508f94a0..e8264fa89ad 100644
--- a/packages/sentinel_one/changelog.yml
+++ b/packages/sentinel_one/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "2.1.0"
+ changes:
+ - description: Added parsing support for ECS `rule.*` fields and related custom fields in the activity data stream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/16885
- version: "2.0.1"
changes:
- description: Split domain-qualified `user.name` values into `user.domain`.
diff --git a/packages/sentinel_one/data_stream/activity/_dev/test/pipeline/test-pipeline-activity.log b/packages/sentinel_one/data_stream/activity/_dev/test/pipeline/test-pipeline-activity.log
index fee559f1f2d..6490c3e3b9a 100644
--- a/packages/sentinel_one/data_stream/activity/_dev/test/pipeline/test-pipeline-activity.log
+++ b/packages/sentinel_one/data_stream/activity/_dev/test/pipeline/test-pipeline-activity.log
@@ -25,3 +25,4 @@
{"accountId":"1234567890123456789","accountName":"Default","activityType":1234,"agentId":null,"agentUpdatedVersion":null,"comments":null,"createdAt":"2022-04-05T16:11:05.469398Z","data":{"accountName":"Default","fullScopeDetails":"Account Default","fullScopeDetailsPath":"test/default","groupName":null,"recoveryEmail":"user@example.com","role":"Admin","scopeLevel":"Account","scopeName":"Default","siteName":null,"userScope":"account","username":"test User"},"description":null,"groupId":null,"groupName":null,"hash":null,"id":"1234567890123456789","osFamily":null,"primaryDescription": null,"secondaryDescription":null,"siteId":null,"siteName":null,"threatId":null,"updatedAt":"2022-04-05T16:11:05.189394Z","userId":"1234567890123456789"}
{"accountId":"1234567890123456789","accountName":"Default","activityType":1234,"agentId":null,"agentUpdatedVersion":null,"comments":null,"createdAt":"2022-04-05T16:11:05.469398Z","data":{"accountName":"Default","fullScopeDetails":"Account Default","fullScopeDetailsPath":"test/default","groupName":null,"recoveryEmail":"user@example.com","role":"Admin","scopeLevel":"Account","scopeName":"Default","siteName":null,"userScope":"account","username":"test User"},"description":null,"groupId":null,"groupName":null,"hash":null,"id":"1234567890123456789","osFamily":null,"primaryDescription": null,"secondaryDescription":null,"siteId":null,"siteName":null,"threatId":"","updatedAt":"2022-04-05T16:11:05.189394Z","userId":"1234567890123456789"}
{"accountId":"1234567890123456789","accountName":"Default","activityType":1234,"agentId":"1234567890123456789","agentUpdatedVersion":null,"comments":null,"createdAt":"2022-04-06T08:45:54.532670Z","data":{"accountName":"Default","computerName":"user-computer-name","confidenceLevel":"malicious","escapedMaliciousProcessArguments":null,"fileContentHash":"aaf4c61ddcc5e8a2dabede0f3b482cxxxxxxxxxx","fileDisplayName":"default.exe","filePath":"\\test\\default.exe","fullScopeDetails":"Group Default Group in Site Default site of Account Default","fullScopeDetailsPath":"test/default / Default site / Default Group","groupName":"Default Group","siteName":"Default site","threatClassification":"Trojan","threatClassificationSource":"Cloud","username":null},"description":null,"groupId":"1234567890123456789","groupName":"Default Group","hash":null,"id":"1234567890123456789","osFamily":null,"primaryDescription":"Threat with confidence level malicious detected: default.exe","secondaryDescription":"6a264eda96e766b41bc14a3c9e99xxxxxxxxxx","siteId":"1234567890123456789","siteName":"Default site","threatId":"1234567890123456789","updatedAt":"2022-04-06T08:45:54.527789Z","userId":null}
+{"accountId": "1392053568574369789", "accountName": "Elastic", "activityType": 3608, "activityUuid": "3b2668b2-0000-419c-9bb8-9e7aa7dde4b9", "agentId": "2088404432341170000", "createdAt": "2024-12-30T11:17:15.555932Z", "data": {"accountId": "1392053568574360000", "accountName": "Elastic", "actoralternateid": "", "agentipv4": "1.128.0.0", "alertid": "2116686009748290000", "commandCorrelationid": "67945a45-0000-433a-98c8-aaa162716033", "commandTimestamp": 1735557435486, "datasourcename": "SentinelOne", "detectedat": "2024-12-30T11:17:15Z", "dstport": 0, "dveventid": "00AGBMGQGPM98ACRJBTZMNEPQP_335", "dveventtype": "BEHAVIORALINDICATORS", "eventcategory": "indicators", "eventdetails": "", "eventexternalid": "", "eventtime": 1735557360726, "externalServiceId": null, "externalip": "1.128.0.0", "externalthreatvalue": "", "fullScopeDetails": "Group Default Group in Site Default site of Account Elastic", "fullScopeDetailsPath": "Global / Elastic / Default site / Default Group", "groupName": "Default Group", "indicatorcategory": "General", "indicatordescription": "Process started from shortcut file MITRE: Execution {T1204}", "indicatorname": "ProcessStartedFromLnk", "ipAddress": null, "k8sclustername": "", "k8scontainerid": "", "k8scontainerimage": "", "k8scontainerlabels": "", "k8scontainername": "", "k8scontrollerkind": "", "k8scontrollerlabels": "", "k8scontrollername": "", "k8snamespace": "", "k8snamespacelabels": "", "k8snode": "", "k8spod": "", "k8spodlabels": "", "loginaccountdomain": "", "loginaccountsid": "", "loginisadministratorequivalent": "", "loginissuccessful": "", "loginsusername": "", "logintype": "", "modulepath": "", "modulesha1": "", "neteventdirection": "", "origagentmachinetype": "desktop", "origagentname": "user-win10", "origagentosfamily": "windows", "origagentosname": "Windows 10 Pro", "origagentosrevision": "19045", "origagentsiteid": "1392053568582750000", "origagentuuid": "ba1514e9b4944561bbf27b61375b0000", "origagentversion": "24.1.5.277", 
"physical": "00:00:00:d0:97:b6", "realUser": null, "registrykeypath": "", "registryoldvalue": "", "registryoldvaluetype": "", "registrypath": "", "registryvalue": "", "ruledescription": "test", "ruleid": "1412136126226508571", "rulename": "test5", "rulescopeid": 1392053568582758390, "rulescopelevel": "E_SITE", "scopeId": 1392053568582758390, "scopeLevel": "Group", "scopeName": "Default Group", "severity": "E_CRITICAL", "siteId": "1392053568582758390", "siteName": "Default site", "sourcename": "STAR", "sourceparentprocesscommandline": "C:\\Windows\\Explorer.EXE", "sourceparentprocessintegritylevel": "high", "sourceparentprocesskey": "B4A7F8AA88091D56", "sourceparentprocessmd5": "c8a6701a5273340926be89b201f6b9cb", "sourceparentprocessname": "explorer.exe", "sourceparentprocesspath": "C:\\Windows\\explorer.exe", "sourceparentprocesspid": 5772, "sourceparentprocesssha1": "da83b5a38845e908d772391188123ecfb630a342", "sourceparentprocesssha256": "330d7a3f57071ec88bd18db13cbc4736e9b59056658fec4ac13997d5148a86df", "sourceparentprocesssigneridentity": "MICROSOFT WINDOWS", "sourceparentprocessstarttime": 1735557233813, "sourceparentprocessstoryline": "B5A7F8AA88091D56", "sourceparentprocesssubsystem": "win32", "sourceparentprocessusername": "raquel-win10\\win10-user", "sourceprocesscommandline": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", "sourceprocessfilepath": "C:\\Windows\\System32\\WINDOWSPOWERSHELL\\V1.0\\powershell.exe", "sourceprocessfilesigneridentity": "MICROSOFT WINDOWS", "sourceprocessintegritylevel": "high", "sourceprocesskey": "01ADF8AA88091D56", "sourceprocessmd5": "2e5a8590cf6848968fc23de3fa1e25f1", "sourceprocessname": "powershell.exe", "sourceprocesspid": 2128, "sourceprocesssha1": "801262e122db6a2e758962896f260b55bbd0136a", "sourceprocesssha256": "9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3", "sourceprocessstarttime": 1735557360671, "sourceprocessstoryline": "02ADF8AA88091D56", "sourceprocesssubsystem": 
"win32", "sourceprocessusername": "raquel-win10\\win10-user", "srcip": "", "srcmachineip": "", "srcport": 0, "systemUser": 0, "tgtfilecreatedat": 0, "tgtfilehashsha1": "", "tgtfilehashsha256": "", "tgtfileid": "", "tgtfileissigned": "", "tgtfilemodifiedat": 0, "tgtfileoldpath": "", "tgtfilepath": "", "tgtproccmdline": "", "tgtprocessstarttime": 0, "tgtprocimagepath": "", "tgtprocintegritylevel": "unknown", "tgtprocname": "", "tgtprocpid": 0, "tgtprocsignedstatus": "", "tgtprocstorylineid": "", "tgtprocuid": "", "tiindicatorcomparisonmethod": "", "tiindicatorsource": "", "tiindicatortype": "", "tiindicatorvalue": "", "userId": 1392606454463278101, "userName": "Vinit Chauhan"}, "description": null, "groupId": "1392053568591146999", "groupName": "Default Group", "hash": null, "id": "2116686010862214929", "osFamily": null, "primaryDescription": "Alert created for powershell.exe from Custom Rule: test5 in Group Default Group in Site Default site of Account Elastic, detected on raquel-win10.", "secondaryDescription": "801262e122db6a2e758962896f260b55bbd0136a", "siteId": "1392053568582758390", "siteName": "Default site", "threatId": "2116686023738728218", "updatedAt": "2024-12-30T11:17:15.554519Z", "userId": "1392606454463278101"}
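Review bot: The added sample record appears to carry unredacted operator data — `"userName": "Vinit Chauhan"`, the hostname `raquel-win10` in several process and description fields, and realistic-looking account, site, group and rule IDs — whereas the existing samples in this file use placeholders such as `1234567890123456789`, `test User` and `user@example.com`. Fixtures are committed to the repository and copied verbatim into the expected-output file, so these values should be replaced with synthetic equivalents before merging, keeping the same lengths and shapes so the pipeline assertions stay meaningful. The `ruledescription`, `ruleid`, `rulename` and `severity` keys consumed by the new processors are all present on this record, so coverage of the new mappings is fine. The added JSON line is wrapped across several lines in this view and is presumably a single line in the file.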
diff --git a/packages/sentinel_one/data_stream/activity/_dev/test/pipeline/test-pipeline-activity.log-expected.json b/packages/sentinel_one/data_stream/activity/_dev/test/pipeline/test-pipeline-activity.log-expected.json
index 4242bbd593f..cb5db577929 100644
--- a/packages/sentinel_one/data_stream/activity/_dev/test/pipeline/test-pipeline-activity.log-expected.json
+++ b/packages/sentinel_one/data_stream/activity/_dev/test/pipeline/test-pipeline-activity.log-expected.json
@@ -2157,6 +2157,157 @@
"name": "Default Group"
}
}
+ },
+ {
+ "@timestamp": "2024-12-30T11:17:15.555Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "id": "2116686010862214929",
+ "kind": "event",
+ "original": "{\"accountId\": \"1392053568574369789\", \"accountName\": \"Elastic\", \"activityType\": 3608, \"activityUuid\": \"3b2668b2-0000-419c-9bb8-9e7aa7dde4b9\", \"agentId\": \"2088404432341170000\", \"createdAt\": \"2024-12-30T11:17:15.555932Z\", \"data\": {\"accountId\": \"1392053568574360000\", \"accountName\": \"Elastic\", \"actoralternateid\": \"\", \"agentipv4\": \"1.128.0.0\", \"alertid\": \"2116686009748290000\", \"commandCorrelationid\": \"67945a45-0000-433a-98c8-aaa162716033\", \"commandTimestamp\": 1735557435486, \"datasourcename\": \"SentinelOne\", \"detectedat\": \"2024-12-30T11:17:15Z\", \"dstport\": 0, \"dveventid\": \"00AGBMGQGPM98ACRJBTZMNEPQP_335\", \"dveventtype\": \"BEHAVIORALINDICATORS\", \"eventcategory\": \"indicators\", \"eventdetails\": \"\", \"eventexternalid\": \"\", \"eventtime\": 1735557360726, \"externalServiceId\": null, \"externalip\": \"1.128.0.0\", \"externalthreatvalue\": \"\", \"fullScopeDetails\": \"Group Default Group in Site Default site of Account Elastic\", \"fullScopeDetailsPath\": \"Global / Elastic / Default site / Default Group\", \"groupName\": \"Default Group\", \"indicatorcategory\": \"General\", \"indicatordescription\": \"Process started from shortcut file MITRE: Execution {T1204}\", \"indicatorname\": \"ProcessStartedFromLnk\", \"ipAddress\": null, \"k8sclustername\": \"\", \"k8scontainerid\": \"\", \"k8scontainerimage\": \"\", \"k8scontainerlabels\": \"\", \"k8scontainername\": \"\", \"k8scontrollerkind\": \"\", \"k8scontrollerlabels\": \"\", \"k8scontrollername\": \"\", \"k8snamespace\": \"\", \"k8snamespacelabels\": \"\", \"k8snode\": \"\", \"k8spod\": \"\", \"k8spodlabels\": \"\", \"loginaccountdomain\": \"\", \"loginaccountsid\": \"\", \"loginisadministratorequivalent\": \"\", \"loginissuccessful\": \"\", \"loginsusername\": \"\", \"logintype\": \"\", \"modulepath\": \"\", \"modulesha1\": \"\", \"neteventdirection\": \"\", \"origagentmachinetype\": \"desktop\", \"origagentname\": \"user-win10\", 
\"origagentosfamily\": \"windows\", \"origagentosname\": \"Windows 10 Pro\", \"origagentosrevision\": \"19045\", \"origagentsiteid\": \"1392053568582750000\", \"origagentuuid\": \"ba1514e9b4944561bbf27b61375b0000\", \"origagentversion\": \"24.1.5.277\", \"physical\": \"00:00:00:d0:97:b6\", \"realUser\": null, \"registrykeypath\": \"\", \"registryoldvalue\": \"\", \"registryoldvaluetype\": \"\", \"registrypath\": \"\", \"registryvalue\": \"\", \"ruledescription\": \"test\", \"ruleid\": \"1412136126226508571\", \"rulename\": \"test5\", \"rulescopeid\": 1392053568582758390, \"rulescopelevel\": \"E_SITE\", \"scopeId\": 1392053568582758390, \"scopeLevel\": \"Group\", \"scopeName\": \"Default Group\", \"severity\": \"E_CRITICAL\", \"siteId\": \"1392053568582758390\", \"siteName\": \"Default site\", \"sourcename\": \"STAR\", \"sourceparentprocesscommandline\": \"C:\\\\Windows\\\\Explorer.EXE\", \"sourceparentprocessintegritylevel\": \"high\", \"sourceparentprocesskey\": \"B4A7F8AA88091D56\", \"sourceparentprocessmd5\": \"c8a6701a5273340926be89b201f6b9cb\", \"sourceparentprocessname\": \"explorer.exe\", \"sourceparentprocesspath\": \"C:\\\\Windows\\\\explorer.exe\", \"sourceparentprocesspid\": 5772, \"sourceparentprocesssha1\": \"da83b5a38845e908d772391188123ecfb630a342\", \"sourceparentprocesssha256\": \"330d7a3f57071ec88bd18db13cbc4736e9b59056658fec4ac13997d5148a86df\", \"sourceparentprocesssigneridentity\": \"MICROSOFT WINDOWS\", \"sourceparentprocessstarttime\": 1735557233813, \"sourceparentprocessstoryline\": \"B5A7F8AA88091D56\", \"sourceparentprocesssubsystem\": \"win32\", \"sourceparentprocessusername\": \"raquel-win10\\\\win10-user\", \"sourceprocesscommandline\": \"\\\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"\", \"sourceprocessfilepath\": \"C:\\\\Windows\\\\System32\\\\WINDOWSPOWERSHELL\\\\V1.0\\\\powershell.exe\", \"sourceprocessfilesigneridentity\": \"MICROSOFT WINDOWS\", \"sourceprocessintegritylevel\": \"high\", 
\"sourceprocesskey\": \"01ADF8AA88091D56\", \"sourceprocessmd5\": \"2e5a8590cf6848968fc23de3fa1e25f1\", \"sourceprocessname\": \"powershell.exe\", \"sourceprocesspid\": 2128, \"sourceprocesssha1\": \"801262e122db6a2e758962896f260b55bbd0136a\", \"sourceprocesssha256\": \"9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3\", \"sourceprocessstarttime\": 1735557360671, \"sourceprocessstoryline\": \"02ADF8AA88091D56\", \"sourceprocesssubsystem\": \"win32\", \"sourceprocessusername\": \"raquel-win10\\\\win10-user\", \"srcip\": \"\", \"srcmachineip\": \"\", \"srcport\": 0, \"systemUser\": 0, \"tgtfilecreatedat\": 0, \"tgtfilehashsha1\": \"\", \"tgtfilehashsha256\": \"\", \"tgtfileid\": \"\", \"tgtfileissigned\": \"\", \"tgtfilemodifiedat\": 0, \"tgtfileoldpath\": \"\", \"tgtfilepath\": \"\", \"tgtproccmdline\": \"\", \"tgtprocessstarttime\": 0, \"tgtprocimagepath\": \"\", \"tgtprocintegritylevel\": \"unknown\", \"tgtprocname\": \"\", \"tgtprocpid\": 0, \"tgtprocsignedstatus\": \"\", \"tgtprocstorylineid\": \"\", \"tgtprocuid\": \"\", \"tiindicatorcomparisonmethod\": \"\", \"tiindicatorsource\": \"\", \"tiindicatortype\": \"\", \"tiindicatorvalue\": \"\", \"userId\": 1392606454463278101, \"userName\": \"Vinit Chauhan\"}, \"description\": null, \"groupId\": \"1392053568591146999\", \"groupName\": \"Default Group\", \"hash\": null, \"id\": \"2116686010862214929\", \"osFamily\": null, \"primaryDescription\": \"Alert created for powershell.exe from Custom Rule: test5 in Group Default Group in Site Default site of Account Elastic, detected on raquel-win10.\", \"secondaryDescription\": \"801262e122db6a2e758962896f260b55bbd0136a\", \"siteId\": \"1392053568582758390\", \"siteName\": \"Default site\", \"threatId\": \"2116686023738728218\", \"updatedAt\": \"2024-12-30T11:17:15.554519Z\", \"userId\": \"1392606454463278101\"}"
+ },
+ "group": {
+ "id": "1392053568591146999",
+ "name": "Default Group"
+ },
+ "host": {
+ "id": "2088404432341170000"
+ },
+ "message": "Alert created for powershell.exe from Custom Rule: test5 in Group Default Group in Site Default site of Account Elastic, detected on raquel-win10.",
+ "rule": {
+ "description": "test",
+ "id": "1412136126226508571",
+ "name": "test5"
+ },
+ "sentinel_one": {
+ "account": {
+ "name": "Elastic"
+ },
+ "activity": {
+ "account": {
+ "id": "1392053568574369789"
+ },
+ "agent": {
+ "id": "2088404432341170000"
+ },
+ "data": {
+ "account": {
+ "id": "1392053568574360000",
+ "name": "Elastic"
+ },
+ "flattened": {
+ "agentipv4": "1.128.0.0",
+ "alertid": "2116686009748290000",
+ "commandCorrelationid": "67945a45-0000-433a-98c8-aaa162716033",
+ "commandTimestamp": 1735557435486,
+ "datasourcename": "SentinelOne",
+ "detectedat": "2024-12-30T11:17:15Z",
+ "dstport": 0,
+ "dveventid": "00AGBMGQGPM98ACRJBTZMNEPQP_335",
+ "dveventtype": "BEHAVIORALINDICATORS",
+ "eventcategory": "indicators",
+ "eventtime": 1735557360726,
+ "externalip": "1.128.0.0",
+ "indicatorcategory": "General",
+ "indicatordescription": "Process started from shortcut file MITRE: Execution {T1204}",
+ "indicatorname": "ProcessStartedFromLnk",
+ "origagentmachinetype": "desktop",
+ "origagentname": "user-win10",
+ "origagentosfamily": "windows",
+ "origagentosname": "Windows 10 Pro",
+ "origagentosrevision": "19045",
+ "origagentsiteid": "1392053568582750000",
+ "origagentuuid": "ba1514e9b4944561bbf27b61375b0000",
+ "origagentversion": "24.1.5.277",
+ "physical": "00:00:00:d0:97:b6",
+ "rulescopeid": 1392053568582758390,
+ "rulescopelevel": "E_SITE",
+ "scopeId": 1392053568582758390,
+ "siteId": "1392053568582758390",
+ "sourcename": "STAR",
+ "sourceparentprocesscommandline": "C:\\Windows\\Explorer.EXE",
+ "sourceparentprocessintegritylevel": "high",
+ "sourceparentprocesskey": "B4A7F8AA88091D56",
+ "sourceparentprocessmd5": "c8a6701a5273340926be89b201f6b9cb",
+ "sourceparentprocessname": "explorer.exe",
+ "sourceparentprocesspath": "C:\\Windows\\explorer.exe",
+ "sourceparentprocesspid": 5772,
+ "sourceparentprocesssha1": "da83b5a38845e908d772391188123ecfb630a342",
+ "sourceparentprocesssha256": "330d7a3f57071ec88bd18db13cbc4736e9b59056658fec4ac13997d5148a86df",
+ "sourceparentprocesssigneridentity": "MICROSOFT WINDOWS",
+ "sourceparentprocessstarttime": 1735557233813,
+ "sourceparentprocessstoryline": "B5A7F8AA88091D56",
+ "sourceparentprocesssubsystem": "win32",
+ "sourceparentprocessusername": "raquel-win10\\win10-user",
+ "sourceprocesscommandline": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"",
+ "sourceprocessfilepath": "C:\\Windows\\System32\\WINDOWSPOWERSHELL\\V1.0\\powershell.exe",
+ "sourceprocessfilesigneridentity": "MICROSOFT WINDOWS",
+ "sourceprocessintegritylevel": "high",
+ "sourceprocesskey": "01ADF8AA88091D56",
+ "sourceprocessmd5": "2e5a8590cf6848968fc23de3fa1e25f1",
+ "sourceprocessname": "powershell.exe",
+ "sourceprocesspid": 2128,
+ "sourceprocesssha1": "801262e122db6a2e758962896f260b55bbd0136a",
+ "sourceprocesssha256": "9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3",
+ "sourceprocessstarttime": 1735557360671,
+ "sourceprocessstoryline": "02ADF8AA88091D56",
+ "sourceprocesssubsystem": "win32",
+ "sourceprocessusername": "raquel-win10\\win10-user",
+ "srcport": 0,
+ "systemUser": 0,
+ "tgtfilecreatedat": 0,
+ "tgtfilemodifiedat": 0,
+ "tgtprocessstarttime": 0,
+ "tgtprocintegritylevel": "unknown",
+ "tgtprocpid": 0,
+ "userId": 1392606454463278101,
+ "userName": "Vinit Chauhan"
+ },
+ "fullscope": {
+ "details": "Group Default Group in Site Default site of Account Elastic",
+ "details_path": "Global / Elastic / Default site / Default Group"
+ },
+ "group_name": "Default Group",
+ "scope": {
+ "level": "Group",
+ "name": "Default Group"
+ },
+ "site": {
+ "name": "Default site"
+ }
+ },
+ "description": {
+ "primary": "Alert created for powershell.exe from Custom Rule: test5 in Group Default Group in Site Default site of Account Elastic, detected on raquel-win10.",
+ "secondary": "801262e122db6a2e758962896f260b55bbd0136a"
+ },
+ "id": "2116686010862214929",
+ "rule_description": "test",
+ "rule_id": "1412136126226508571",
+ "rule_name": "test5",
+ "severity": "E_CRITICAL",
+ "threat": {
+ "id": "2116686023738728218"
+ },
+ "type": 3608,
+ "updated_at": "2024-12-30T11:17:15.554Z"
+ },
+ "site": {
+ "id": "1392053568582758390",
+ "name": "Default site"
+ }
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "user": {
+ "group": {
+ "id": "1392053568591146999",
+ "name": "Default Group"
+ },
+ "id": "1392606454463278101"
+ }
}
]
}
diff --git a/packages/sentinel_one/data_stream/activity/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/data_stream/activity/elasticsearch/ingest_pipeline/default.yml
index 6b0f591909c..5b16e37104c 100644
--- a/packages/sentinel_one/data_stream/activity/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/sentinel_one/data_stream/activity/elasticsearch/ingest_pipeline/default.yml
@@ -558,6 +558,41 @@ processors:
- json.data.system
- json.data.policyName
ignore_missing: true
+ - rename:
+ field: json.data.ruledescription
+ tag: rename_ruledescription_to_rule_description
+ target_field: sentinel_one.activity.rule_description
+ ignore_missing: true
+ - rename:
+ field: json.data.ruleid
+ tag: rename_ruleid_to_rule_id
+ target_field: sentinel_one.activity.rule_id
+ ignore_missing: true
+ - rename:
+ field: json.data.rulename
+ tag: rename_rulename_to_rule_name
+ target_field: sentinel_one.activity.rule_name
+ ignore_missing: true
+ - set:
+ field: rule.description
+ tag: set_rule_description_from_rule_description
+ copy_from: sentinel_one.activity.rule_description
+ ignore_empty_value: true
+ - set:
+ field: rule.id
+ tag: set_rule_id_from_rule_id
+ copy_from: sentinel_one.activity.rule_id
+ ignore_empty_value: true
+ - set:
+ field: rule.name
+ tag: set_rule_name_from_rule_name
+ copy_from: sentinel_one.activity.rule_name
+ ignore_empty_value: true
+ - rename:
+ field: json.data.severity
+ tag: rename_severity_to_activity_severity
+ target_field: sentinel_one.activity.severity
+ ignore_missing: true
- rename:
field: json.data
target_field: sentinel_one.activity.data.flattened
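Review bot: The new `rename` of `json.data.severity` to `sentinel_one.activity.severity` keeps only the vendor string (`E_CRITICAL` in the fixture) and nothing derives ECS `event.severity` from it, so severity-based detections and dashboards cannot use the standard field for these activities. ECS `event.severity` is numeric, so a plain `copy_from` would not do; if it is wanted, a follow-up `script` or small lookup translating the vendor enum to a numeric level would be needed, and the full set of vendor values is not visible in this change. The `rule.*` mappings themselves look right: the three `set` processors use `copy_from` with `ignore_empty_value: true`, so a missing rule field leaves the ECS field unset rather than failing the document. The `processors` list continues outside the hunk.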
diff --git a/packages/sentinel_one/data_stream/activity/fields/fields.yml b/packages/sentinel_one/data_stream/activity/fields/fields.yml
index 1be1186277d..7549180c9ba 100644
--- a/packages/sentinel_one/data_stream/activity/fields/fields.yml
+++ b/packages/sentinel_one/data_stream/activity/fields/fields.yml
@@ -192,6 +192,14 @@
- name: id
type: keyword
description: Activity ID.
+ - name: rule_description
+ type: keyword
+ - name: rule_id
+ type: keyword
+ - name: rule_name
+ type: keyword
+ - name: severity
+ type: keyword
- name: threat
type: group
fields:
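Review bot: The four new field definitions (`rule_description`, `rule_id`, `rule_name`, `severity`) carry no `description:`, unlike the sibling `id` entry directly above them, and the generated README table in this same change consequently shows empty description cells for them. Matching the file's style, I would add `description: Description of the rule associated with the activity.`, `description: ID of the rule associated with the activity.` and `description: Name of the rule associated with the activity.`, and for severity `description: Activity severity as reported by SentinelOne (e.g. E_CRITICAL).` The enclosing `fields` group continues outside the hunk.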
diff --git a/packages/sentinel_one/docs/README.md b/packages/sentinel_one/docs/README.md
index cae1cf2c1a9..09c5aa858bb 100644
--- a/packages/sentinel_one/docs/README.md
+++ b/packages/sentinel_one/docs/README.md
@@ -279,6 +279,10 @@ An example event for `activity` looks as following:
| sentinel_one.activity.description.secondary | Secondary description. | keyword |
| sentinel_one.activity.description_value | | keyword |
| sentinel_one.activity.id | Activity ID. | keyword |
+| sentinel_one.activity.rule_description | | keyword |
+| sentinel_one.activity.rule_id | | keyword |
+| sentinel_one.activity.rule_name | | keyword |
+| sentinel_one.activity.severity | | keyword |
| sentinel_one.activity.threat.id | Related threat ID (if applicable). | keyword |
| sentinel_one.activity.type | Activity type. | long |
| sentinel_one.activity.updated_at | Activity last updated time (UTC). | date |
diff --git a/packages/sentinel_one/manifest.yml b/packages/sentinel_one/manifest.yml
index 962fb89d053..4dd57547f41 100644
--- a/packages/sentinel_one/manifest.yml
+++ b/packages/sentinel_one/manifest.yml
@@ -1,7 +1,7 @@
format_version: "3.4.0"
name: sentinel_one
title: SentinelOne
-version: "2.0.1"
+version: "2.1.0"
description: Collect logs from SentinelOne with Elastic Agent.
type: integration
categories: