SentinelOne Data Collection List

Management Console Data Collection#

The SentinelOne Agent collects these datasets:

• Hardware data:
  • Machine type
  • Architecture
  • Memory
  • CPU information
  • Core count
  • Mac address
• Solutions configuration information: Customer instance settings (including users emails, phone numbers)
• User and device data:
  • Agent ID
  • Endpoint Name
  • Workgroup/domain
  • User name
  • Disk encryption state
  • Installed applications - installation time, size, publisher and version.
  • OS type
  • OS version
  • SentinelOne Agent version
  • SMTP username
  • User login/out time
  • External devices control rules
  • Firewall control rules, and event notifications (such as details of blocked application events)
  • Notification of interface connection (USB/Bluetooth) and hardware information
• Integrations to the Console and global configuration of connected endpoints
• Process activity:
  • Time of machine activity
  • Running processes (name, ID, CPU usage, memory)
  • Full file path
  • In cases of suspected threats, the SentinelOne Agent collects for each process:
    • File metadata
    • Hash
    • File type
    • Certificate (for verified or not)
    • Command-line arguments
    • Network access metadata only: IP Address; protocol
    • Registry: created keys; deleted keys; modified key names
  • Network Data:
    • Internal network IP address
    • Public IP address (if running cloud-based management)
    • Inbound/Outbound connections, metadata only (source, target, port, and application)
  • Fetched Files:
    • Any file fetched by user (encrypted at rest, deleted after 72 hours)

Cloud Data#

SentinelOne collects the data of the cloud service provider for each Linux and K8s Agent that is recognized as a server (Sentinels > Endpoints > Machine Type = Server ).

Note: This data will be collected for Windows Agents in the future.

Map of Cloud Metadata in SentinelOne and in Cloud Service Vendors

SentinelOne Data Cloud#

• Management Console Settings:

  • Users usernames, emails, and phone numbers
  • SentinelOne customer corporate name
  • Solutions agent information, including endpoint name and user ID
  • Policies names and policies creator name
  • External devices and firewall controls rules
  • Integrations to the Management

• Threat information: File path, Agent IDs, time stamp, threat description, resolution

  yes/no, detection source

• Agent information:

  • Number of endpoints and respective operating systems
  • Endpoint grouping information (named as per users selection)
  • Endpoint crash dumps
  • Agent logs

• Endpoint information:

  • Global configuration of connected endpoints
  • Installed applications - installation time, size, publisher and version

• When Agent configuration is set to collect WER reports in %ProgramData%\Sentinel\WERReports , the WER reports are automatically uploaded to the SentinelOne Cloud as part of Agent telemetries.

Research Data Collection#

Research Data includes certain telemetric data sent from customers’ management consoles to the SentinelOne cloud. From the SentinelOne cloud, our research team extracts Research Data and uses such Research Data to improve our understanding of known malicious behaviors, predict additional likely malicious behaviors, and otherwise improve our artificial intelligence-based detection of unknown malware. Research Data is stored on AWS servers in the U.S., and consists of the following data components:

• Endpoint and Agent build information

  • Agent_boot - (Uptime of the Agent service, indicating when endpoints are rebooted, restarted, or the time in which Agents are down due to bugs or other

    issues).

  • Git_hash - Internal identifier of the build.

  • Datamodel_version - Internal identifier of the build.

  • Schema_version - Internal identifier of the data model scheme in use.

  • Classifiers_version - Internal identifier of the build.

  • Agent_id - Internal identifier of the SentinelOne Agent in use, for

    communication with its Management.

  • Agent_version - SentinelOne software version.

  • Operating_system - Which OS is installed on the device.

  • Has_timestamp - Internal time stamp.

  • Endpoint_Name - Endpoint name given by the customer.

  • File_Name - Name of files inspected for suspected malware presence as given

    by the customer.

• DataUid - Internal identification of the data
• Process Data
  • Hash - Hash of the root process
  • RootName - Process name

Deep Visibility Data#

This data is collected by Agents and correlated by Deep Visibility for you to access details, search, and monitor.

See Deep Visibility Query Fields[deep-visibility-query-fields.html] for more details.

General

• Object Type
• Event type
• Endpoint Name
• Endpoint operating system
• Agent UU D
• Agent Version Story ine D Account Name Site Name
• Site D Domain User
• Event Time
• Endpoint Machine Type

Network actions

TCP events are for 1Pv4 traffic.

• Network Event Direction
• Source IP
• Source Port Destination IP
• Destination Port
• Full details of Source process and source parent
• Active content fields
• Connection Status

Processes

• Parent Process ID
• Parent Process UID
• Parent Process Image Path
• Parent Process Image SHA1
• Parent Process Image SHA256
• Parent Process Image MD5
• Process Name
• Process User
• Process Display name
• Parent Process name
• Process ID
• Process UID
• SHA1
• SHA256
• MD5
• CMD Line
• CMD hash
• Subsystem type
• Session ID
• Integrity level
• Is 32/64 bit
• Is Stdin Redirected
• Is Root (of the Storyline)
• Image path
• Parent Process Start Time
• Process Start Time
• Signed
• Publisher
• Verified
• Why not verified
• Active Content Type
• Active Content File ID
• Active Content Path
• Active Content Hash
• Active Content Signed Status
• RPID
• TID
• Command Script
• Command Script is complete
• Command Script SHA256
• Command Script Original Size
• Command Script Application Name
• Target Process Relation to Source (parent) - in case of cross process event
• Target Process Access rights from source - in case of cross process event
• Cross Process Type

DNS actions

• DNS Request
• DNS Response
• Full details of Source process and source parent
• Active content fields

URL actions

• Action
• Full URL
• Full details of Source process and source parent
• Active content fields

Files

• File Full path
• Old File path (in case of rename)
• File UID
• File size
• File Extension
• File location
• MD5
• SHA1
• SHA256
• Convicted by
• File is signed
• File is executable
• Creation date
• Modification Date
• Old SHA1
• Old SHA256
• Old MD5
• Full details of Source process and source parent
• Active content fields

Registry actions

• RegistryKeyName
• RegistryKeyPath
• Full details of Source process and source parent
• Active content fields

Scheduled Tasks

• Task name Task Path
• Full details of Source process and source parent
• Active content fields

Logins

• User name
• Login type
• Full details of Source process and source parent
• Active content fields

Indicators

• Indicator Name
• Indicator category
• Indicator Description
• Indicator Metadata
• Full details of Source process and source parent
• Active content fields

Modules

• Full details of Source process and source parent
• Module Path
• Module SHA1
• Module MD5
• Active content fields

K8S/Containers

• K8s Cluster Name
• K8s Node Name
• K8s Namespace
• K8s Namespace Labels
• K8s Controller Type
• K8s Controller Name
• K8s Controller Labels
• K8s Pod Name
• K8s Pod Labels
• Container Name
• Container ID
• Container Labels
• Container Image

Deep Visibility Browser Extension#

Deep Visibility collects URL events from an extension that is installed on Safari, Chrome, Firefox, and Edge Chromium, and from Internet Explorer without an extension.