sentinelone-activities
Enuemrate activities in the SentinelOne service.
sentinelone-activities [profile=PROFILE] [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss] [order=ORDER]
- profile=PROFILE
- Connect profile code of SentinelOne
- duration=NUM{mon|w|d|h|m|s}
- Scan only recent data. You should use s(second), m(minute), h(hour), d(day), mon(month) time unit. For example,
10smeans data from 10 seconds earlier. - from=yyyyMMddHHmmss
- Start time of range. yyyyMMddHHmmss format. If you omit time part, it will be padded by zero.
- to=yyyyMMddHHmmss
- End time of range. yyyyMMddHHmmss format. If you omit time part, it will be padded by zero.
- order=ORDER
- asc or desc.
Output Fields
| Field | Type | Name | Description |
|---|---|---|---|
| _time | Date | Time | Created time. |
| profile | String | Connect profile | SentinelOne connect profile code |
| site_name | String | Site name | e.g. Default site |
| group_name | String | Group name | e.g. Linux Server, MacOS, Windows PC |
| agent_id | String | Agent ID | e.g. 1234567890123456789 |
| hostname | String | Hostname | e.g. logpresso's MacBook Pro |
| host_ip | IP address | Host IP | IP address of the host where the activity occurred. |
| activity_type | Integer | Activity type | e.g. 3631, 4020 |
| event_category | String | Event category | e.g. process, registry, indicators, command_script |
| threat_classification | String | Threat classification | e.g. Malware, Ransomware, PUA, Infostealer, Cryptominer |
| primary_description | String | Primary description | e.g. Live Updates for Static AI, StaticSigMac251-9.3, were sent to endpoint |
| secondary_description | String | Secondary description | e.g. IP address: x.x.x.x |
| account_name | String | Account name | e.g. Logpresso |
| created | Date | Created | Time the record was created. |
| updated | Date | Updated | Time the record was updated. |
| params | Map | Parameters | Elements with account_name, site_name, scope_level, group_name, hostname, asset_type, source_type, etc. |
| id | String | Activity ID | Sequence number of activities. |
| activity_uuid | String | Activity UUID | 36 characters in GUID format. |
| account_id | String | Account ID | e.g. 1234567890123456789 |
| site_id | String | Site ID | e.g. 1234567890123456789 |
| group_id | String | Group ID | e.g. 1234567890123456789 |
| user_id | String | User ID | e.g. 1234567890123456789 |
| threat_id | String | Threat ID | e.g. 1234567890123456789 |