Description
The SentinelOne Cloud Funnel integration collects logs for thirteen event types, but they are currently combined in one data stream named event.
Events Currently Combined
Command Script
Cross Process
DNS
File
Indicator
Login
Module
Network Action
Process
Registry
Scheduled Task
Threat Intelligence Indicator
URL
It would be beneficial to have the option (via toggles or other means) to let customers with sufficiently large datasets split the different event types out, improving their experience when creating detections and subsequent IR-related searches.
For example, an optional toggle for each event type.
When the toggle is not enabled, that event type continues to be combined in the event data stream.
When the toggle is enabled, that event type goes to its own data stream.
Problem
For customers with a large SentinelOne deployment, the centralised grouping makes it challenging to set retention for different event types separately or to perform actions on a specific event type (customers currently need to create custom artefacts to achieve this).
To further support large deployments, it would also be beneficial to have an option to conditionally set the namespace based on a target field, for example a field that indicates the endpoint type.
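As an added illustration (not code from the integration or from this request), the following sketches the two asks above, per-event-type toggles and a field-driven namespace, as Elasticsearch ingest "reroute" processors built from a toggle map, alongside a local mirror of the same routing decision. It assumes placeholder field names `event_type` and `endpoint_type` and an assumed dataset name `sentinel_one_cloud_funnel.event`; the real integration field names may differ.

```python
# Added example, not integration code. Placeholders: `event_type` holds the
# event type name, `endpoint_type` the endpoint type; dataset name is assumed.
import re

COMBINED = "sentinel_one_cloud_funnel.event"  # the single combined stream today

# One toggle per event type; False keeps that type in the combined stream.
TOGGLES = {"Process": True, "DNS": True, "Scheduled Task": True, "File": False}


def dataset_for(event_type: str) -> str:
    """Dataset the event lands in: its own when toggled on, else the combined one."""
    if TOGGLES.get(event_type):
        # reroute datasets must be lowercase with no spaces or '-' characters.
        return COMBINED + "_" + re.sub(r"[^a-z0-9_.]", "_", event_type.lower())
    return COMBINED


def namespace_for(doc: dict, namespace_field: str, default: str = "default") -> str:
    """Conditional namespace: taken from the target field when present, else default."""
    value = doc.get(namespace_field)
    return value if isinstance(value, str) and value else default


def route(doc: dict, event_type_field="event_type", namespace_field="endpoint_type"):
    """Local mirror of the pipeline's decision: (dataset, namespace) for one document."""
    return dataset_for(doc.get(event_type_field, "")), namespace_for(doc, namespace_field)


def build_pipeline(event_type_field="event_type", namespace_field="endpoint_type"):
    """Ingest pipeline body: a `set` that supplies a default namespace value when the
    target field is absent, then one reroute per enabled toggle. A reroute that fires
    ends the pipeline, so each document is rerouted at most once."""
    processors = [{"set": {"field": namespace_field, "value": "default", "override": False}}]
    for event_type, enabled in TOGGLES.items():
        if enabled:
            processors.append({"reroute": {
                "if": f"ctx.{event_type_field} == '{event_type}'",  # Painless condition
                "dataset": dataset_for(event_type),
                "namespace": "{{" + namespace_field + "}}",  # field reference
            }})
    return {"processors": processors}
```

Types whose toggle is off match no reroute and stay in the combined data stream, which is the behaviour the request describes for a disabled toggle.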