5 changes: 5 additions & 0 deletions packages/sentinel_one/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "2.1.0"
changes:
- description: Added parsing support for ECS `rule.*` fields and related custom fields in the activity data stream.
type: enhancement
link: https://github.com/elastic/integrations/pull/16885
- version: "2.0.1"
changes:
- description: Split domain-qualified `user.name` values into `user.domain`.
Expand Up @@ -25,3 +25,4 @@
{"accountId":"1234567890123456789","accountName":"Default","activityType":1234,"agentId":null,"agentUpdatedVersion":null,"comments":null,"createdAt":"2022-04-05T16:11:05.469398Z","data":{"accountName":"Default","fullScopeDetails":"Account Default","fullScopeDetailsPath":"test/default","groupName":null,"recoveryEmail":"[email protected]","role":"Admin","scopeLevel":"Account","scopeName":"Default","siteName":null,"userScope":"account","username":"test User"},"description":null,"groupId":null,"groupName":null,"hash":null,"id":"1234567890123456789","osFamily":null,"primaryDescription": null,"secondaryDescription":null,"siteId":null,"siteName":null,"threatId":null,"updatedAt":"2022-04-05T16:11:05.189394Z","userId":"1234567890123456789"}
{"accountId":"1234567890123456789","accountName":"Default","activityType":1234,"agentId":null,"agentUpdatedVersion":null,"comments":null,"createdAt":"2022-04-05T16:11:05.469398Z","data":{"accountName":"Default","fullScopeDetails":"Account Default","fullScopeDetailsPath":"test/default","groupName":null,"recoveryEmail":"[email protected]","role":"Admin","scopeLevel":"Account","scopeName":"Default","siteName":null,"userScope":"account","username":"test User"},"description":null,"groupId":null,"groupName":null,"hash":null,"id":"1234567890123456789","osFamily":null,"primaryDescription": null,"secondaryDescription":null,"siteId":null,"siteName":null,"threatId":"","updatedAt":"2022-04-05T16:11:05.189394Z","userId":"1234567890123456789"}
{"accountId":"1234567890123456789","accountName":"Default","activityType":1234,"agentId":"1234567890123456789","agentUpdatedVersion":null,"comments":null,"createdAt":"2022-04-06T08:45:54.532670Z","data":{"accountName":"Default","computerName":"user-computer-name","confidenceLevel":"malicious","escapedMaliciousProcessArguments":null,"fileContentHash":"aaf4c61ddcc5e8a2dabede0f3b482cxxxxxxxxxx","fileDisplayName":"default.exe","filePath":"\\test\\default.exe","fullScopeDetails":"Group Default Group in Site Default site of Account Default","fullScopeDetailsPath":"test/default / Default site / Default Group","groupName":"Default Group","siteName":"Default site","threatClassification":"Trojan","threatClassificationSource":"Cloud","username":null},"description":null,"groupId":"1234567890123456789","groupName":"Default Group","hash":null,"id":"1234567890123456789","osFamily":null,"primaryDescription":"Threat with confidence level malicious detected: default.exe","secondaryDescription":"6a264eda96e766b41bc14a3c9e99xxxxxxxxxx","siteId":"1234567890123456789","siteName":"Default site","threatId":"1234567890123456789","updatedAt":"2022-04-06T08:45:54.527789Z","userId":null}
{"accountId": "1392053568574369789", "accountName": "Elastic", "activityType": 3608, "activityUuid": "3b2668b2-0000-419c-9bb8-9e7aa7dde4b9", "agentId": "2088404432341170000", "createdAt": "2024-12-30T11:17:15.555932Z", "data": {"accountId": "1392053568574360000", "accountName": "Elastic", "actoralternateid": "", "agentipv4": "1.128.0.0", "alertid": "2116686009748290000", "commandCorrelationid": "67945a45-0000-433a-98c8-aaa162716033", "commandTimestamp": 1735557435486, "datasourcename": "SentinelOne", "detectedat": "2024-12-30T11:17:15Z", "dstport": 0, "dveventid": "00AGBMGQGPM98ACRJBTZMNEPQP_335", "dveventtype": "BEHAVIORALINDICATORS", "eventcategory": "indicators", "eventdetails": "", "eventexternalid": "", "eventtime": 1735557360726, "externalServiceId": null, "externalip": "1.128.0.0", "externalthreatvalue": "", "fullScopeDetails": "Group Default Group in Site Default site of Account Elastic", "fullScopeDetailsPath": "Global / Elastic / Default site / Default Group", "groupName": "Default Group", "indicatorcategory": "General", "indicatordescription": "Process started from shortcut file MITRE: Execution {<a href=\"https://attack.mitre.org/techniques/T1204/\" target=\"_blank\">T1204</a>}", "indicatorname": "ProcessStartedFromLnk", "ipAddress": null, "k8sclustername": "", "k8scontainerid": "", "k8scontainerimage": "", "k8scontainerlabels": "", "k8scontainername": "", "k8scontrollerkind": "", "k8scontrollerlabels": "", "k8scontrollername": "", "k8snamespace": "", "k8snamespacelabels": "", "k8snode": "", "k8spod": "", "k8spodlabels": "", "loginaccountdomain": "", "loginaccountsid": "", "loginisadministratorequivalent": "", "loginissuccessful": "", "loginsusername": "", "logintype": "", "modulepath": "", "modulesha1": "", "neteventdirection": "", "origagentmachinetype": "desktop", "origagentname": "user-win10", "origagentosfamily": "windows", "origagentosname": "Windows 10 Pro", "origagentosrevision": "19045", "origagentsiteid": "1392053568582750000", 
"origagentuuid": "ba1514e9b4944561bbf27b61375b0000", "origagentversion": "24.1.5.277", "physical": "00:00:00:d0:97:b6", "realUser": null, "registrykeypath": "", "registryoldvalue": "", "registryoldvaluetype": "", "registrypath": "", "registryvalue": "", "ruledescription": "test", "ruleid": "1412136126226508571", "rulename": "test5", "rulescopeid": 1392053568582758390, "rulescopelevel": "E_SITE", "scopeId": 1392053568582758390, "scopeLevel": "Group", "scopeName": "Default Group", "severity": "E_CRITICAL", "siteId": "1392053568582758390", "siteName": "Default site", "sourcename": "STAR", "sourceparentprocesscommandline": "C:\\Windows\\Explorer.EXE", "sourceparentprocessintegritylevel": "high", "sourceparentprocesskey": "B4A7F8AA88091D56", "sourceparentprocessmd5": "c8a6701a5273340926be89b201f6b9cb", "sourceparentprocessname": "explorer.exe", "sourceparentprocesspath": "C:\\Windows\\explorer.exe", "sourceparentprocesspid": 5772, "sourceparentprocesssha1": "da83b5a38845e908d772391188123ecfb630a342", "sourceparentprocesssha256": "330d7a3f57071ec88bd18db13cbc4736e9b59056658fec4ac13997d5148a86df", "sourceparentprocesssigneridentity": "MICROSOFT WINDOWS", "sourceparentprocessstarttime": 1735557233813, "sourceparentprocessstoryline": "B5A7F8AA88091D56", "sourceparentprocesssubsystem": "win32", "sourceparentprocessusername": "raquel-win10\\win10-user", "sourceprocesscommandline": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", "sourceprocessfilepath": "C:\\Windows\\System32\\WINDOWSPOWERSHELL\\V1.0\\powershell.exe", "sourceprocessfilesigneridentity": "MICROSOFT WINDOWS", "sourceprocessintegritylevel": "high", "sourceprocesskey": "01ADF8AA88091D56", "sourceprocessmd5": "2e5a8590cf6848968fc23de3fa1e25f1", "sourceprocessname": "powershell.exe", "sourceprocesspid": 2128, "sourceprocesssha1": "801262e122db6a2e758962896f260b55bbd0136a", "sourceprocesssha256": "9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3", "sourceprocessstarttime": 
1735557360671, "sourceprocessstoryline": "02ADF8AA88091D56", "sourceprocesssubsystem": "win32", "sourceprocessusername": "raquel-win10\\win10-user", "srcip": "", "srcmachineip": "", "srcport": 0, "systemUser": 0, "tgtfilecreatedat": 0, "tgtfilehashsha1": "", "tgtfilehashsha256": "", "tgtfileid": "", "tgtfileissigned": "", "tgtfilemodifiedat": 0, "tgtfileoldpath": "", "tgtfilepath": "", "tgtproccmdline": "", "tgtprocessstarttime": 0, "tgtprocimagepath": "", "tgtprocintegritylevel": "unknown", "tgtprocname": "", "tgtprocpid": 0, "tgtprocsignedstatus": "", "tgtprocstorylineid": "", "tgtprocuid": "", "tiindicatorcomparisonmethod": "", "tiindicatorsource": "", "tiindicatortype": "", "tiindicatorvalue": "", "userId": 1392606454463278101, "userName": "Vinit Chauhan"}, "description": null, "groupId": "1392053568591146999", "groupName": "Default Group", "hash": null, "id": "2116686010862214929", "osFamily": null, "primaryDescription": "Alert created for powershell.exe from Custom Rule: test5 in Group Default Group in Site Default site of Account Elastic, detected on raquel-win10.", "secondaryDescription": "801262e122db6a2e758962896f260b55bbd0136a", "siteId": "1392053568582758390", "siteName": "Default site", "threatId": "2116686023738728218", "updatedAt": "2024-12-30T11:17:15.554519Z", "userId": "1392606454463278101"}
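Review bot: The added record carries the same identifier in two JSON types — `"rulescopeid": 1392053568582758390` and `"scopeId": 1392053568582758390` are bare numbers above 2^53−1 while `"siteId": "1392053568582758390"` is a string, and `data.userId` is numeric where the top-level `"userId": "1392606454463278101"` is a string — so any pipeline field mapped from the numeric form will already have lost digits in a double-based JSON parser, and the expected-output fixture for this sample should pin the full-digit value as a keyword rather than a number. If this mirrors what the SentinelOne API really emits, that deserves a one-line comment where the ingest pipeline converts these fields rather than a change to the sample; otherwise quote the values as the sibling `ruleid` and `siteId` fields do. The new record also keeps a realistic `userName`, hostnames, a MAC address and process hashes, whereas the three existing records use placeholder `1234567890123456789` IDs and `xxxxxxxxxx`-masked hashes, so it would be consistent to anonymise it to the same convention. The record is printed across three lines here, which is presumably the page wrapping one long NDJSON line; confirm the committed file keeps it on a single line like the other records.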