SentinelOne

SentinelOne is an endpoint security platform that uses AI to detect, prevent, and respond to malware, ransomware, and other advanced threats. SentinelOne logs capture endpoint activity such as threat detections, behavioral anomalies, quarantined files, and automated responses taken to mitigate threats. These logs provide valuable insights for monitoring endpoint security, investigating incidents, and ensuring rapid response to cyberattacks.

Ingest Method

This source is a polling source: it downloads new items from the /activities endpoint of the SentinelOne API approximately every 60 seconds.

Setup

Currently the SentinelOne source only supports retrieving items from the /activities API endpoint.

Step 1: Log in to SentinelOne Management Console

  1. Open your web browser and navigate to your SentinelOne Management Console URL.
  2. Enter your credentials and click “Sign In”.

Step 2: Access the API Token Generation Page

  1. Once logged in, click on your user profile icon in the top-right corner of the screen.
  2. From the dropdown menu, select “My User”.
  3. In the left sidebar, click on “API Tokens”.

Step 3: Generate a New API Token

  1. On the API Tokens page, click the “Generate” button.
  2. You’ll be prompted to enter a name for your API token. Choose a descriptive name that indicates its purpose, for example, “Integration API Key”.
  3. Select the appropriate scope for this API key. The scope determines what actions the API key can perform. For most integrations, you’ll need at least “Read” permissions.
  4. Set an expiration date for the token. It’s a good security practice to set an expiration date rather than creating a token that never expires.
  5. Click “Generate” to create the new API token.

Step 4: RunReveal setup

Create the source in the RunReveal sources dashboard. You will need your organization's SentinelOne domain and the API key created above.

RunReveal will backfill your source from the past 365 days of events that SentinelOne provides.

Once added, logs should begin populating within a minute. The backfill operation may take some time to complete before logs are fully up to date.
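The polling and backfill behaviour described above, modelled offline as an added example (this is not RunReveal's or SentinelOne's code): the high-water mark starts 365 days back, each cycle drains every page the API returns, and duplicates are dropped by id. The request parameters createdAt__gte, limit and cursor, the "data" list and the pagination.nextCursor field are assumed API shapes not taken from this page, and the activities are constructed sample data.

```python
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Tuple
def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def initial_state(now: datetime, backfill_days: int = 365) -> dict:
    """Checkpoint: high-water mark starts 365 days back (the documented backfill window) plus ingested ids."""
    return {"high_water": now - timedelta(days=backfill_days), "seen_ids": set()}

def poll_once(fetch: Callable[[dict], dict], state: dict, limit: int = 1000) -> List[dict]:
    """One ~60s polling cycle: drain every page at or after the high-water mark, return unseen items.
    Assumed API shape (not from this page): filter createdAt__gte, rows under "data", pagination.nextCursor.
    Filtering with >= and deduping on id means events sharing the boundary second are neither skipped nor doubled."""
    new, cursor = [], None
    since = state["high_water"].isoformat().replace("+00:00", "Z")
    while True:
        params = {"createdAt__gte": since, "limit": limit, **({"cursor": cursor} if cursor else {})}
        page = fetch(params)
        for item in page.get("data", []):
            if item["id"] not in state["seen_ids"]:
                state["seen_ids"].add(item["id"])
                new.append(item)
                state["high_water"] = max(state["high_water"], parse_ts(item["createdAt"]))
        cursor = (page.get("pagination") or {}).get("nextCursor")
        if not cursor:
            return new

def make_fake_api(activities: List[dict], page_cap: int = 2) -> Callable[[dict], dict]:
    """Constructed offline stand-in for GET /activities; the cursor is simply a row offset."""
    ordered = sorted(activities, key=lambda a: parse_ts(a["createdAt"]))
    def fetch(params: dict) -> dict:
        rows = [a for a in ordered if parse_ts(a["createdAt"]) >= parse_ts(params["createdAt__gte"])]
        start, n = int(params.get("cursor") or 0), min(int(params["limit"]), page_cap)
        nxt = str(start + n) if start + n < len(rows) else None
        return {"data": rows[start:start + n], "pagination": {"nextCursor": nxt}}
    return fetch

# Constructed sample activities (not real SentinelOne output); 1002 and 1003 share a timestamp.
SAMPLE = [
    {"id": "1001", "createdAt": "2024-05-01T10:00:00Z", "primaryDescription": "Agent updated"},
    {"id": "1002", "createdAt": "2024-05-01T10:00:05Z", "primaryDescription": "Threat quarantined"},
    {"id": "1003", "createdAt": "2024-05-01T10:00:05Z", "primaryDescription": "Threat quarantined"},
]
def run_demo() -> Tuple[int, int, int]:
    state = initial_state(datetime(2024, 5, 1, 10, 1, tzinfo=timezone.utc))
    first = poll_once(make_fake_api(SAMPLE), state)    # backfill: 3 items over 2 pages
    second = poll_once(make_fake_api(SAMPLE), state)   # idle cycle: 1002/1003 re-returned by >=, deduped -> 0
    late = SAMPLE + [{"id": "1004", "createdAt": "2024-05-01T10:00:05Z", "primaryDescription": "Late"}]
    third = poll_once(make_fake_api(late), state)      # late arrival on the boundary second -> 1
    return len(first), len(second), len(third)        # (3, 0, 1)
```

A real poller would persist the state dict between cycles and prune seen_ids to the boundary timestamp, since only ids at the high-water mark can be re-returned.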

Schema

The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.

Table: sentinelone_endpoint_logs (149 columns)

Column                                    Type
workspaceID                               String
sourceID                                  String
sourceType                                LowCardinality(String)
sourceTTL                                 UInt32
receivedAt                                DateTime
id                                        String
eventName                                 String
srcIP                                     String
srcASCountryCode                          String
srcASNumber                               UInt32
srcASOrganization                         String
srcCity                                   String
srcConnectionType                         String
srcISP                                    String
srcLatitude                               Float64
srcLongitude                              Float64
srcUserType                               String
dstIP                                     String
dstASCountryCode                          String
dstASNumber                               UInt32
dstASOrganization                         String
dstCity                                   String
dstConnectionType                         String
dstISP                                    String
dstLatitude                               Float64
dstLongitude                              Float64
dstUserType                               String
actor                                     Map(String, String)
tags                                      Map(String, String)
resources                                 Array(String)
serviceName                               String
enrichments                               Array(Tuple(data Map(String, String), name String, provider String, type String, value String))
readOnly                                  Bool
rawLog                                    String
timestamp                                 String
dataSourceName                            String
dataSourceVendor                          String
dataSourceCategory                        String
endpointName                              String
endpointOS                                String
endpointType                              String
siteName                                  String
siteID                                    String
accountName                               String
accountID                                 String
agentUUID                                 String
agentVersion                              String
mgmtURL                                   String
mgmtID                                    String
mgmtOSRevision                            String
osName                                    String
traceID                                   String
packetID                                  String
groupID                                   String
processUniqueKey                          String
iVersion                                  String
iScheme                                   String
metaEventName                             String
eventType                                 String
eventID                                   String
eventCategory                             String
eventTime                                 UInt64
srcProcessName                            String
srcProcessDisplayName                     String
srcProcessUser                            String
srcProcessUserSid                         String
srcProcessUID                             String
srcProcessPID                             UInt64
srcProcessStartTime                       UInt64
srcProcessSessionID                       UInt64
srcProcessCmdline                         String
srcProcessPublisher                       String
srcProcessSignedStatus                    String
srcProcessVerifiedStatus                  String
srcProcessIntegrityLevel                  String
srcProcessSubsystem                       String
srcProcessIsNative64Bit                   Bool
srcProcessIsStorylineRoot                 Bool
srcProcessIsRedirectCmdProcessor          Bool
srcProcessImagePath                       String
srcProcessImageUID                        String
srcProcessImageSize                       UInt64
srcProcessImageType                       String
srcProcessImageBinaryIsExecutable         Bool
srcProcessImageMD5                        String
srcProcessImageSHA1                       String
srcProcessImageSHA256                     String
srcProcessParentName                      String
srcProcessParentDisplayName               String
srcProcessParentUser                      String
srcProcessParentUID                       String
srcProcessParentPID                       UInt64
srcProcessParentStartTime                 UInt64
srcProcessParentSessionID                 UInt64
srcProcessParentCmdline                   String
srcProcessParentPublisher                 String
srcProcessParentSignedStatus              String
srcProcessParentIntegrityLevel            String
srcProcessParentSubsystem                 String
srcProcessParentIsNative64Bit             Bool
srcProcessParentIsStorylineRoot           Bool
srcProcessParentIsRedirectCmdProcessor    Bool
srcProcessParentStorylineID               String
srcProcessParentImagePath                 String
srcProcessParentImageUID                  String
srcProcessParentImageSize                 UInt64
srcProcessParentImageType                 String
srcProcessParentImageMD5                  String
srcProcessParentImageSHA1                 String
srcProcessParentImageSHA256               String
srcProcessParentImageSignatureIsValid     Bool
tgtProcessName                            String
tgtProcessDisplayName                     String
tgtProcessUser                            String
tgtProcessUserSid                         String
tgtProcessUID                             String
tgtProcessPID                             UInt64
tgtProcessStartTime                       UInt64
tgtProcessSessionID                       UInt64
tgtProcessSignedStatus                    String
tgtProcessVerifiedStatus                  String
tgtProcessIntegrityLevel                  String
tgtProcessSubsystem                       String
tgtProcessIsNative64Bit                   Bool
tgtProcessIsStorylineRoot                 Bool
tgtProcessIsRedirectCmdProcessor          Bool
tgtProcessStorylineID                     String
tgtProcessImagePath                       String
tgtProcessImageUID                        String
tgtProcessImageSize                       UInt64
tgtProcessImageType                       String
tgtProcessImageBinaryIsExecutable         Bool
tgtProcessImageMD5                        String
tgtProcessImageSHA1                       String
tgtProcessImageSHA256                     String
tgtProcessPublisher                       String
srcIPAddress                              String
dstIPAddress                              String
srcPortNumber                             UInt64
dstPortNumber                             UInt64
eventNetworkDirection                     String
eventNetworkProtocolName                  String
eventNetworkConnectionStatus              String
eventDNSRequest                           String
eventDNSResponse                          String
eventDNSResponseCode                      UInt64
eventDNSProtocol                          String
eventDNSProvider                          String
srcProcessStorylineID                     String