sentinelone-alerts
Enumerate alerts in the SentinelOne service.
sentinelone-alerts [profile=PROFILE] [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss] [order=ORDER]
- profile=PROFILE
  - Connect profile code of SentinelOne
- duration=NUM{mon|w|d|h|m|s}
  - Scan only recent data. Use the s (second), m (minute), h (hour), d (day), w (week) or mon (month) time unit. For example, 10s means data from 10 seconds earlier.
- from=yyyyMMddHHmmss
  - Start time of range, in yyyyMMddHHmmss format. If you omit the time part, it is padded with zeros.
- to=yyyyMMddHHmmss
  - End time of range, in yyyyMMddHHmmss format. If you omit the time part, it is padded with zeros.
- order=ORDER
  - asc or desc.
Output Fields
| Field | Type | Name | Description |
|---|---|---|---|
| _time | String | Event time | |
| profile | String | Connect profile | SentinelOne connect profile code |
| severity | String | Severity | e.g. Low, Medium, High |
| account_id | String | Account ID | e.g. 1555111777777111111 |
| alert_id | String | Alert ID | |
| agent_id | String | Agent ID | e.g. 2111111111111111111 |
| event_type | String | Event type | e.g. TCPV4, BEHAVIORALINDICATORS, OPENPROCESS, PROCESSCREATION, FILECREATION, REGVALUECREATE, SCRIPTS |
| hostname | String | Hostname | e.g. DESKTOP-AAAAAAA |
| os_name | String | OS name | e.g. Windows 11 Pro |
| machine_type | String | Machine type | e.g. laptop, desktop, server |
| direction | String | Direction | e.g. INCOMING |
| src_ip | IP address | Source IP address | |
| src_port | Integer | Source port | |
| dst_ip | IP address | Destination IP address | |
| dst_port | Integer | Destination port | e.g. 22 |
| signature | String | Signature | e.g. Powershell Download Cradles |
| verdict | String | Verdict | e.g. Suspicious, False positive |
| incident_status | String | Incident status | e.g. Resolved, Unresolved |
| is_decommissioned | Bool | Is decommissioned | |
| is_infected | Bool | Is infected | true or false |
| is_active | Bool | Is active | true or false |
| rule_id | String | Rule ID | |
| rule_verdict | String | Rule verdict | e.g. Suspicious, UNDEFINED |
| rule_description | String | Rule description | |
| rule_query | String | Rule query | |
| parent_cmd_line | String | Parent command line | e.g. "C:\WINDOWS\system32\cmd.exe" |
| cmd_line | String | Command line | e.g. powershell |
| target_cmd_line | String | Target command line | |
| indicator_category | String | Indicator category | e.g. InfoStealer |
| indicator_name | String | Indicator name | e.g. CredsReadFromLsass |
| indicator_description | String | Indicator description | e.g. Identified read action of sensitive information from LSASS |
| ppid | Long | PPID | Parent process ID |
| parent_image | String | Parent process image | e.g. cmd.exe |
| parent_integrity_level | String | Parent process integrity level | e.g. system, medium, high |
| parent_image_signer | String | Parent process image signer | e.g. MICROSOFT WINDOWS |
| parent_image_path | String | Parent process image path | e.g. C:\WINDOWS\System32\cmd.exe |
| parent_start_time | Date | Parent process start time | |
| parent_user | String | Parent process user | e.g. root |
| parent_effective_user | String | Parent process effective user | e.g. root |
| pid | Long | PID | Process ID |
| image | String | Process image name | e.g. net.exe |
| integrity_level | String | Process integrity level | e.g. system, medium, high |
| image_signer | String | Process image signer | e.g. MICROSOFT WINDOWS |
| image_path | String | Process image path | e.g. C:\Windows\System32\net.exe |
| user | String | Process user | e.g. root |
| effective_user | String | Process effective user | e.g. root |
| target_pid | Long | Target PID | Target process ID |
| target_image | String | Target process image name | e.g. bitsadmin.exe |
| target_image_signed | Bool | Is target process image signed | true or false |
| target_integrity_level | String | Target process integrity level | e.g. system, medium, high |
| target_image_path | String | Target process image path | e.g. C:\Windows\System32\bitsadmin.exe |
| target_process_start_time | Date | Target process start time | |
| parent_process_uuid | String | Parent process UUID | e.g. B67891B2AC1447F4 |
| parent_storyline | String | Parent process storyline | e.g. B78901B2AC1447F4 |
| parent_subsystem | String | Parent process subsystem | e.g. sys_win32 |
| parent_image_md5 | String | Parent process image MD5 | e.g. 30ccf8526d14753859937739548dc7a8 |
| parent_image_sha1 | String | Parent process image SHA1 | e.g. 0bf35689202b1faacdc4651fb04a01bc8b91a4ed |
| parent_image_sha256 | String | Parent process image SHA256 | e.g. 4c93e558cc5e401aed8e3659c62506f2ba6070e200833c00529ef5825e0b085d |
| process_uuid | String | Process UUID | e.g. 247A82B2AC1346F4 |
| storyline | String | Process storyline | e.g. 247A82B3AC1457F4 |
| subsystem | String | Process subsystem | e.g. sys_win32 |
| user_info | String | Process user info | e.g. NT AUTHORITY\SYSTEM |
| target_process_uuid | String | Target process UUID | e.g. 02C792B1AC2347F4 |
| target_process_storyline | String | Target process storyline | e.g. A3C792B3BC1447F4 |
| file_id | String | File ID | e.g. 8ED2B2FE156F321E |
| file_path | String | File path | e.g. C:\ProgramData\Lenovo\Udc\diagnostics\latest\da96dff290661b75a7a0b16f7e.. |
| file_old_path | String | File old path | |
| file_ctime | Date | File creation time | |
| file_mtime | Date | File modification time | |
| file_md5 | String | File MD5 | |
| file_sha1 | String | File SHA1 | |
| file_sha256 | String | File SHA256 | |
| reg_key_path | String | Registry key path | e.g. MACHINE\SYSTEM\ControlSet001\Services\LanmanWorkstation.. |
| reg_value | String | Registry value | e.g. 0 |
| reg_old_value_type | String | Registry old value type | |
| reg_old_value | String | Registry old value | |
| agent_uuid | String | Agent UUID | e.g. 5eeee111111111111111111111111111 |
| agent_ver | String | Agent version | e.g. 24.1.4.257, 23.2.3.358 |
| os_family | String | OS family | e.g. linux, osx, windows |
| os_rev | String | OS revision | e.g. 22000, 22631, Ubuntu 22.04.3 LTS 6.5.0-1013-gcp |
| image_md5 | String | Image MD5 | e.g. 8ec922c7a58a8701ab481b7be9644536 |
| image_sha1 | String | Image SHA1 | e.g. 3f64c98f22da277a07cab248c44c56eedb796a81 |
| image_sha256 | String | Image SHA256 | e.g. 949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b |
| parent_user_info | String | Parent process user info | e.g. NT AUTHORITY\SYSTEM |
| module_path | String | Module path | |
| module_sha1 | String | Module SHA1 | |
| rule_query_type | String | Rule query type | |
| rule_query_lang | String | Rule query language | |
| alert_source | String | Alert source | e.g. STAR |
| site_id | String | Site ID | e.g. 1555111777666559999 |
| dv_event_id | String | DV event ID | e.g. 01HVVCCCC33FFWWSS66QQJJXXZ_000 |
| reported | Date | Report time | |
| created | Date | Creation time | |
| updated | Date | Updated time | |
| parent_unique_id | String | Parent unique ID | |
| file_signed | Bool | File signed | |
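A triage query built on the options and output fields above, added here as an illustration and not part of the original reference. It assumes a connect profile named s1 and a one-day window given with from/to (a rolling window would use duration=1d instead); it keeps only unresolved High-severity alerts that were not already marked as false positives, then counts them per host and behavioral indicator so the noisiest host/indicator pairs surface first.

```logpresso
sentinelone-alerts profile=s1 from=20240501 to=20240502 order=asc
| search severity == "High" and incident_status == "Unresolved" and verdict != "False positive"
| stats count, max(_time) as last_seen by hostname, indicator_category, indicator_name
| sort -count
```

The profile name, date range and the exact severity/verdict strings are placeholders; match them to what your SentinelOne tenant actually emits in the severity, incident_status and verdict fields.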