sentinelone-threat-timeline
Enumerate timeline events for a specific threat in the SentinelOne service.
sentinelone-threat-timeline [profile=PROFILE] id=ID
- profile=PROFILE
  - Code of the SentinelOne connect profile
- id=ID
  - Required. ID of the target threat
Output Fields
| Field | Type | Name | Description |
|---|---|---|---|
| _time | Date | Event time | e.g. 2026-05-05 16:07:37+0900 |
| profile | String | Connect profile | e.g. sentinelone |
| event_id | String | Event ID | e.g. 1234567890123456789 |
| activity_type | Integer | Activity type | Numeric SentinelOne activity code |
| primary_description | String | Primary description | e.g. The management user Demo User (admin@example.com... |
| secondary_description | String | Secondary description | e.g. \Device\HarddiskVolume3\WINDOWS\System32\drivers\PROCEXP1... |
| os_family | String | OS family | |
| hash | String | Hash (SHA1) | |
| agent_updated_version | String | Agent updated version | |
| user_id | String | User ID | Actor management user ID |
| threat_id | String | Threat ID | e.g. 1234567890123456789 |
| agent_id | String | Agent ID | e.g. 1234567890123456789 |
| account_id | String | Account ID | e.g. 1234567890123456789 |
| site_id | String | Site ID | e.g. 1234567890123456789 |
| group_id | String | Group ID | e.g. 1234567890123456789 |
| created | Date | Creation time | e.g. 2026-05-05 16:07:37+0900 |
| updated | Date | Updated time | e.g. 2026-05-05 16:07:37+0900 |