[SentinelOne Cloud Funnel] Improve data stream management for events

[adrianchen-es]

Description The SentinelOne Cloud Funnel integration collects logs for the thirteen events, but it is currently combined in one data stream named event. Events Currently Combined

• Command Script
• Cross Process
• DNS
• File
• Indicator
• Login
• Module
• Network Action
• Process
• Registry
• Scheduled Task
• Threat Intelligence Indicator
• URL

It would be beneficial to have the option—via toggles or other means—to allow customers with sufficiently large datasets to split out the different event types to improve their experience when creating detections and subsequent IR-related searches.

For example, an optional toggle for each event type. When the toggle is not enabled, it will continue to be combined in the event data stream. When the toggle is enabled, that event type will go to its own data stream.

Problem For customers with a large SentinelOne deployment, the centralised grouping makes it challenging to set retention for different event types separately or perform actions on a specific event type —customers currently need to create custom artefacts to achieve this.

To further support large deployments, it would also be beneficial to have an option to conditionally set to namespace based on a target field. For example, a field that indicates the endpoint type.

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)