[SentinelOne] add `agent.id` to all agent related data collected from SentinelOne #9879

paul-tavares · 2024-05-15T12:54:30Z

Description

Two requests with regards to the SentinelOne Integration:

For every document streamed to ES by the integration, if the data is associated with a SentinelOne agent, include the agent's id in the ES document (sentinel_one.[source_type].agent.id)
Change the default intervals for the data pulling to 30s for all data streams

Background

Opened as a result of discussion here: #9313 (comment)

Changes requested are in support of Security Solution's Bi-Directional Response Actions feature which enables our SIEM users to send actions to SentinelOne Agents directly from Kibana.

The text was updated successfully, but these errors were encountered:

elasticmachine · 2024-05-15T12:54:32Z

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

paul-tavares added enhancement New feature or request Integration:SentinelOne Sentinel One Team:Security-Service Integrations Security Service Integrations Team labels May 15, 2024

paul-tavares mentioned this issue May 15, 2024

[RFC] SentinelOne pulling Scripts data #9313

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[SentinelOne] add `agent.id` to all agent related data collected from SentinelOne #9879

[SentinelOne] add `agent.id` to all agent related data collected from SentinelOne #9879

paul-tavares commented May 15, 2024

elasticmachine commented May 15, 2024

[SentinelOne] add agent.id to all agent related data collected from SentinelOne #9879

[SentinelOne] add agent.id to all agent related data collected from SentinelOne #9879

Comments

paul-tavares commented May 15, 2024

Description

Background

elasticmachine commented May 15, 2024

[SentinelOne] add `agent.id` to all agent related data collected from SentinelOne #9879

[SentinelOne] add `agent.id` to all agent related data collected from SentinelOne #9879