SentinelOne

SentinelOne is an endpoint security platform that uses AI to detect, prevent, and respond to malware, ransomware, and other advanced threats. RunReveal can pull two different kinds of SentinelOne data—and they are set up differently.

When you go to Sources, you will see two SentinelOne tiles, not one. Sentinel One is API polling for console activity; SentinelOne Endpoint Logs is object storage for Deep Visibility telemetry. They land in different tables, so pick the tile that matches what you are trying to ingest.

RunReveal source	Source type ID	Ingest method	Tables	Use case
Sentinel One	`sentinelone`	API polling (`/activities`)	`sentinelone_activity_logs`, `sentinelone_threat_logs`	Console activity, admin actions, threat summaries from the management API
SentinelOne Endpoint Logs	`sentinelone-endpoint`	Object storage (S3, GCS, MinIO, etc.)	`sentinelone_endpoint_logs`	Deep Visibility / EDR telemetry (process, network, DNS, file events) exported to a bucket

Sentinel One (API polling)

This source polls the SentinelOne management API for activity and threat data. It does not bring in Deep Visibility endpoint telemetry—that is the object-storage source below.

Ingest method

RunReveal polls the /activities API approximately every 60 seconds and backfills up to 365 days of history on first connect.

Setup

Step 1: Log in to SentinelOne Management Console

Open your web browser and navigate to your SentinelOne Management Console URL.
Enter your credentials and click Sign In.

Step 2: Access the API Token Generation Page

Click your user profile icon in the top-right corner.
Select My User.
In the left sidebar, click API Tokens.

Step 3: Generate a New API Token

On the API Tokens page, click Generate.
Enter a descriptive name (for example, RunReveal Integration).
Select at least Read scope for the key.
Set an expiration date.
Click Generate and copy the token.

Step 4: Create the source in RunReveal

Go to Sources and choose the Sentinel One tile (the API polling one—not SentinelOne Endpoint Logs).
Enter your SentinelOne management console URL and API token.

Logs should appear within about a minute. Backfill may take longer before history is fully current.

SentinelOne Endpoint Logs (object storage)

Ingests Deep Visibility-style endpoint events (newline-delimited JSON) from a bucket you control. SentinelOne exports these logs to S3 (or another supported object store); RunReveal does not pull them from the management API.

Typical events include process creation, network connections, DNS lookups, and related EDR fields (event.type, src.process.*, i.scheme, etc.).

Ingest methods

Configure ingestion using one of the following guides:

AWS S3 Bucket
AWS S3 Bucket with Custom SQS
Google Cloud Storage
MinIO and other S3-compatible storage follow the same SNS notification pattern as AWS S3

If using an AWS S3 bucket, send object create notifications to the following SNS topic ARN:

arn:aws:sns:<REGION>:253602268883:runreveal_sentinelone_endpoint

Replace <REGION> with the AWS region where your S3 bucket is located (for example, us-east-1, us-west-2, eu-west-1).

SNS topic & Custom SQS. Use the ARN above on your bucket event notification—the topic name must be runreveal_sentinelone_endpoint (hyphens in the source type id sentinelone-endpoint become underscores). For Custom SQS, set the queue URL and region in RunReveal; see AWS S3 Bucket with Custom SQS.

Note: BYOC, On-Prem, and BYODB customers must use their AWS account ID in the ARN instead of 253602268883.

Setup overview

SentinelOne: Configure log export (for example, Singularity Data Lake or your existing pipeline) so Deep Visibility / endpoint logs land in your S3 bucket as newline-delimited JSON objects.
AWS: Grant RunReveal read access to that bucket and add an S3 event notification for All object create events targeting the SNS topic ARN above. See AWS S3 Bucket for bucket policy, IAM role, and notification steps.
RunReveal: Go to Sources, select SentinelOne Endpoint Logs, choose AWS S3 Bucket (or Custom SQS if you fan out notifications to your own queue), and provide bucket access credentials.

For Deep Visibility data, use SentinelOne Endpoint Logs only. If you connect Sentinel One (polling) instead, you will not see anything in sentinelone_endpoint_logs.

Schema

RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic. Which tables you see depends on which source you connected:

Table	Source
`sentinelone_activity_logs`	Sentinel One (polling)
`sentinelone_threat_logs`	Sentinel One (polling)
`sentinelone_endpoint_logs`	SentinelOne Endpoint Logs (object storage)

Table: sentinelone_activity_logs (53 columns)

Column	Type
`workspaceID`	String
`sourceID`	String
`sourceType`	LowCardinality(String)
`sourceTTL`	UInt32
`receivedAt`	DateTime
`id`	String
`eventTime`	DateTime
`eventName`	String
`eventID`	String
`srcIP`	String
`srcASCountryCode`	String
`srcASNumber`	UInt32
`srcASOrganization`	String
`srcCity`	String
`srcConnectionType`	String
`srcISP`	String
`srcLatitude`	Float64
`srcLongitude`	Float64
`srcUserType`	String
`dstIP`	String
`dstASCountryCode`	String
`dstASNumber`	UInt32
`dstASOrganization`	String
`dstCity`	String
`dstConnectionType`	String
`dstISP`	String
`dstLatitude`	Float64

Column	Type
`dstLongitude`	Float64
`dstUserType`	String
`actor`	Map(String, String)
`tags`	Map(String, String)
`resources`	Array(String)
`serviceName`	String
`enrichments`	Array(Tuple(data Map(String, String), name String, provider String, type String, value String))
`readOnly`	Bool
`rawLog`	String
`parsed_account_id`	String
`parsed_account_name`	String
`parsed_activity_type`	String
`parsed_activity_uuid`	String
`parsed_agent_id`	String
`parsed_created_at`	String
`asset_type`	String
`asset_versions_list`	String
`computer_name`	String
`ip_address`	String
`scope_level`	String
`full_scope_details`	String
`full_scope_details_path`	String
`primary_description`	String
`secondary_description`	String
`parsed_id`	String
`parsed_updated_at`	String

Table: sentinelone_threat_logs (64 columns)

Column	Type
`workspaceID`	String
`sourceID`	String
`sourceType`	LowCardinality(String)
`sourceTTL`	UInt32
`receivedAt`	DateTime
`id`	String
`eventTime`	DateTime
`eventName`	String
`eventID`	String
`srcIP`	String
`srcASCountryCode`	String
`srcASNumber`	UInt32
`srcASOrganization`	String
`srcCity`	String
`srcConnectionType`	String
`srcISP`	String
`srcLatitude`	Float64
`srcLongitude`	Float64
`srcUserType`	String
`dstIP`	String
`dstASCountryCode`	String
`dstASNumber`	UInt32
`dstASOrganization`	String
`dstCity`	String
`dstConnectionType`	String
`dstISP`	String
`dstLatitude`	Float64
`dstLongitude`	Float64
`dstUserType`	String
`actor`	Map(String, String)
`tags`	Map(String, String)
`resources`	Array(String)

Column	Type
`serviceName`	String
`enrichments`	Array(Tuple(data Map(String, String), name String, provider String, type String, value String))
`readOnly`	Bool
`rawLog`	String
`detection_account_id`	String
`detection_account_name`	String
`agent_ipv4`	String
`agent_os_name`	String
`agent_os_revision`	String
`agent_uuid`	String
`agent_version`	String
`external_ip`	String
`computer_name`	String
`is_infected`	String
`is_active`	String
`machine_type`	String
`network_status`	String
`os_type`	String
`threat_classification`	String
`classification_source`	String
`confidence_level`	String
`threat_created_at`	String
`file_path`	String
`file_size`	String
`incident_status`	String
`initiated_by`	String
`process_user`	String
`publisher_name`	String
`sha1`	String
`threat_id`	String
`threat_name`	String
`threat_updated_at`	String

Table: sentinelone_endpoint_logs (149 columns)

Column	Type
`workspaceID`	String
`sourceID`	String
`sourceType`	LowCardinality(String)
`sourceTTL`	UInt32
`receivedAt`	DateTime
`id`	String
`eventName`	String
`srcIP`	String
`srcASCountryCode`	String
`srcASNumber`	UInt32
`srcASOrganization`	String
`srcCity`	String
`srcConnectionType`	String
`srcISP`	String
`srcLatitude`	Float64
`srcLongitude`	Float64
`srcUserType`	String
`dstIP`	String
`dstASCountryCode`	String
`dstASNumber`	UInt32
`dstASOrganization`	String
`dstCity`	String
`dstConnectionType`	String
`dstISP`	String
`dstLatitude`	Float64
`dstLongitude`	Float64
`dstUserType`	String
`actor`	Map(String, String)
`tags`	Map(String, String)
`resources`	Array(String)
`serviceName`	String
`enrichments`	Array(Tuple(data Map(String, String), name String, provider String, type String, value String))
`readOnly`	Bool
`rawLog`	String
`timestamp`	String
`dataSourceName`	String
`dataSourceVendor`	String
`dataSourceCategory`	String
`endpointName`	String
`endpointOS`	String
`endpointType`	String
`siteName`	String
`siteID`	String
`accountName`	String
`accountID`	String
`agentUUID`	String
`agentVersion`	String
`mgmtURL`	String
`mgmtID`	String
`mgmtOSRevision`	String
`osName`	String
`traceID`	String
`packetID`	String
`groupID`	String
`processUniqueKey`	String
`iVersion`	String
`iScheme`	String
`metaEventName`	String
`eventType`	String
`eventID`	String
`eventCategory`	String
`eventTime`	UInt64
`srcProcessName`	String
`srcProcessDisplayName`	String
`srcProcessUser`	String
`srcProcessUserSid`	String
`srcProcessUID`	String
`srcProcessPID`	UInt64
`srcProcessStartTime`	UInt64
`srcProcessSessionID`	UInt64
`srcProcessCmdline`	String
`srcProcessPublisher`	String
`srcProcessSignedStatus`	String
`srcProcessVerifiedStatus`	String
`srcProcessIntegrityLevel`	String

Column	Type
`srcProcessSubsystem`	String
`srcProcessIsNative64Bit`	Bool
`srcProcessIsStorylineRoot`	Bool
`srcProcessIsRedirectCmdProcessor`	Bool
`srcProcessImagePath`	String
`srcProcessImageUID`	String
`srcProcessImageSize`	UInt64
`srcProcessImageType`	String
`srcProcessImageBinaryIsExecutable`	Bool
`srcProcessImageMD5`	String
`srcProcessImageSHA1`	String
`srcProcessImageSHA256`	String
`srcProcessParentName`	String
`srcProcessParentDisplayName`	String
`srcProcessParentUser`	String
`srcProcessParentUID`	String
`srcProcessParentPID`	UInt64
`srcProcessParentStartTime`	UInt64
`srcProcessParentSessionID`	UInt64
`srcProcessParentCmdline`	String
`srcProcessParentPublisher`	String
`srcProcessParentSignedStatus`	String
`srcProcessParentIntegrityLevel`	String
`srcProcessParentSubsystem`	String
`srcProcessParentIsNative64Bit`	Bool
`srcProcessParentIsStorylineRoot`	Bool
`srcProcessParentIsRedirectCmdProcessor`	Bool
`srcProcessParentStorylineID`	String
`srcProcessParentImagePath`	String
`srcProcessParentImageUID`	String
`srcProcessParentImageSize`	UInt64
`srcProcessParentImageType`	String
`srcProcessParentImageMD5`	String
`srcProcessParentImageSHA1`	String
`srcProcessParentImageSHA256`	String
`srcProcessParentImageSignatureIsValid`	Bool
`tgtProcessName`	String
`tgtProcessDisplayName`	String
`tgtProcessUser`	String
`tgtProcessUserSid`	String
`tgtProcessUID`	String
`tgtProcessPID`	UInt64
`tgtProcessStartTime`	UInt64
`tgtProcessSessionID`	UInt64
`tgtProcessSignedStatus`	String
`tgtProcessVerifiedStatus`	String
`tgtProcessIntegrityLevel`	String
`tgtProcessSubsystem`	String
`tgtProcessIsNative64Bit`	Bool
`tgtProcessIsStorylineRoot`	Bool
`tgtProcessIsRedirectCmdProcessor`	Bool
`tgtProcessStorylineID`	String
`tgtProcessImagePath`	String
`tgtProcessImageUID`	String
`tgtProcessImageSize`	UInt64
`tgtProcessImageType`	String
`tgtProcessImageBinaryIsExecutable`	Bool
`tgtProcessImageMD5`	String
`tgtProcessImageSHA1`	String
`tgtProcessImageSHA256`	String
`tgtProcessPublisher`	String
`srcIPAddress`	String
`dstIPAddress`	String
`srcPortNumber`	UInt64
`dstPortNumber`	UInt64
`eventNetworkDirection`	String
`eventNetworkProtocolName`	String
`eventNetworkConnectionStatus`	String
`eventDNSRequest`	String
`eventDNSResponse`	String
`eventDNSResponseCode`	UInt64
`eventDNSProtocol`	String
`eventDNSProvider`	String
`srcProcessStorylineID`	String

On this page