{
  "name": "sentinel_one",
  "title": "SentinelOne",
  "version": "2.8.2",
  "release": "ga",
  "description": "Collect logs from SentinelOne with Elastic Agent.",
  "type": "integration",
  "download": "/epr/sentinel_one/sentinel_one-2.8.2.zip",
  "path": "/package/sentinel_one/2.8.2",
  "icons": [
    {
      "src": "/img/sentinel-one-logo.svg",
      "path": "/package/sentinel_one/2.8.2/img/sentinel-one-logo.svg",
      "title": "SentinelOne Logo",
      "size": "32x32",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.19.13 || ~9.2.7 || ^9.3.2"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/security-service-integrations"
  },
  "categories": [
    "security",
    "edr_xdr"
  ],
  "signature_path": "/epr/sentinel_one/sentinel_one-2.8.2.zip.sig",
  "format_version": "3.4.0",
  "readme": "/package/sentinel_one/2.8.2/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/sentinel-one-activities-dashboard.png",
      "path": "/package/sentinel_one/2.8.2/img/sentinel-one-activities-dashboard.png",
      "title": "SentinelOne Activity Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/sentinel-one-agents-dashboard.png",
      "path": "/package/sentinel_one/2.8.2/img/sentinel-one-agents-dashboard.png",
      "title": "SentinelOne Agent Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/sentinel-one-alerts-dashboard.png",
      "path": "/package/sentinel_one/2.8.2/img/sentinel-one-alerts-dashboard.png",
      "title": "SentinelOne Alerts Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/sentinel-one-application-dashboard.png",
      "path": "/package/sentinel_one/2.8.2/img/sentinel-one-application-dashboard.png",
      "title": "SentinelOne Application Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/sentinel-one-application-risk-dashboard.png",
      "path": "/package/sentinel_one/2.8.2/img/sentinel-one-application-risk-dashboard.png",
      "title": "SentinelOne Application Risk Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/sentinel-one-group-dashboard.png",
      "path": "/package/sentinel_one/2.8.2/img/sentinel-one-group-dashboard.png",
      "title": "SentinelOne Group Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/sentinel-one-threats-dashboard.png",
      "path": "/package/sentinel_one/2.8.2/img/sentinel-one-threats-dashboard.png",
      "title": "SentinelOne Threat Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/sentinel-one-threat-event-dashboard.png",
      "path": "/package/sentinel_one/2.8.2/img/sentinel-one-threat-event-dashboard.png",
      "title": "SentinelOne Threat Event Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/sentinel-one-unified-alerts-dashboard.png",
      "path": "/package/sentinel_one/2.8.2/img/sentinel-one-unified-alerts-dashboard.png",
      "title": "SentinelOne Unified Alerts Dashboard",
      "size": "600x600",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/sentinel_one/2.8.2/LICENSE.txt",
    "/package/sentinel_one/2.8.2/changelog.yml",
    "/package/sentinel_one/2.8.2/manifest.yml",
    "/package/sentinel_one/2.8.2/validation.yml",
    "/package/sentinel_one/2.8.2/docs/README.md",
    "/package/sentinel_one/2.8.2/img/sentinel-one-activities-dashboard.png",
    "/package/sentinel_one/2.8.2/img/sentinel-one-agents-dashboard.png",
    "/package/sentinel_one/2.8.2/img/sentinel-one-alerts-dashboard.png",
    "/package/sentinel_one/2.8.2/img/sentinel-one-api-token-generate.png",
    "/package/sentinel_one/2.8.2/img/sentinel-one-application-dashboard.png",
    "/package/sentinel_one/2.8.2/img/sentinel-one-application-risk-dashboard.png",
    "/package/sentinel_one/2.8.2/img/sentinel-one-dashboard.png",
    "/package/sentinel_one/2.8.2/img/sentinel-one-group-dashboard.png",
    "/package/sentinel_one/2.8.2/img/sentinel-one-logo.svg",
    "/package/sentinel_one/2.8.2/img/sentinel-one-mfa-code.png",
    "/package/sentinel_one/2.8.2/img/sentinel-one-threat-event-dashboard.png",
    "/package/sentinel_one/2.8.2/img/sentinel-one-threats-dashboard.png",
    "/package/sentinel_one/2.8.2/img/sentinel-one-unified-alerts-dashboard.png",
    "/package/sentinel_one/2.8.2/kibana/tags.yml",
    "/package/sentinel_one/2.8.2/data_stream/activity/manifest.yml",
    "/package/sentinel_one/2.8.2/data_stream/activity/sample_event.json",
    "/package/sentinel_one/2.8.2/data_stream/agent/manifest.yml",
    "/package/sentinel_one/2.8.2/data_stream/agent/sample_event.json",
    "/package/sentinel_one/2.8.2/data_stream/alert/manifest.yml",
    "/package/sentinel_one/2.8.2/data_stream/alert/sample_event.json",
    "/package/sentinel_one/2.8.2/data_stream/application/lifecycle.yml",
    "/package/sentinel_one/2.8.2/data_stream/application/manifest.yml",
    "/package/sentinel_one/2.8.2/data_stream/application/sample_event.json",
    "/package/sentinel_one/2.8.2/data_stream/application_risk/lifecycle.yml",
    "/package/sentinel_one/2.8.2/data_stream/application_risk/manifest.yml",
    "/package/sentinel_one/2.8.2/data_stream/application_risk/sample_event.json",
    "/package/sentinel_one/2.8.2/data_stream/group/manifest.yml",
    "/package/sentinel_one/2.8.2/data_stream/group/sample_event.json",
    "/package/sentinel_one/2.8.2/data_stream/threat/manifest.yml",
    "/package/sentinel_one/2.8.2/data_stream/threat/sample_event.json",
    "/package/sentinel_one/2.8.2/data_stream/threat_event/lifecycle.yml",
    "/package/sentinel_one/2.8.2/data_stream/threat_event/manifest.yml",
    "/package/sentinel_one/2.8.2/data_stream/threat_event/sample_event.json",
    "/package/sentinel_one/2.8.2/data_stream/unified_alert/lifecycle.yml",
    "/package/sentinel_one/2.8.2/data_stream/unified_alert/manifest.yml",
    "/package/sentinel_one/2.8.2/data_stream/unified_alert/sample_event.json",
    "/package/sentinel_one/2.8.2/kibana/dashboard/sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538.json",
    "/package/sentinel_one/2.8.2/kibana/dashboard/sentinel_one-413bf268-78f7-4bea-b668-55b5adacbf08.json",
    "/package/sentinel_one/2.8.2/kibana/dashboard/sentinel_one-5881f5f0-bb2c-11ec-82b7-8fcb232e9538.json",
    "/package/sentinel_one/2.8.2/kibana/dashboard/sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538.json",
    "/package/sentinel_one/2.8.2/kibana/dashboard/sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538.json",
    "/package/sentinel_one/2.8.2/kibana/dashboard/sentinel_one-9d3f16ad-d421-4475-b0e2-c9b3f795e0d5.json",
    "/package/sentinel_one/2.8.2/kibana/dashboard/sentinel_one-acd472d9-a6b7-4a53-a58d-06c315764c8d.json",
    "/package/sentinel_one/2.8.2/kibana/dashboard/sentinel_one-bcf1f680-bba3-11ec-82b7-8fcb232e9538.json",
    "/package/sentinel_one/2.8.2/kibana/dashboard/sentinel_one-d17089b1-173e-4c17-8830-779346ace39d.json",
    "/package/sentinel_one/2.8.2/kibana/search/sentinel_one-35fe472a-8994-4b8d-a6bc-df41aa12ca46.json",
    "/package/sentinel_one/2.8.2/data_stream/activity/fields/agent.yml",
    "/package/sentinel_one/2.8.2/data_stream/activity/fields/base-fields.yml",
    "/package/sentinel_one/2.8.2/data_stream/activity/fields/fields.yml",
    "/package/sentinel_one/2.8.2/data_stream/activity/fields/unified-fields.yml",
    "/package/sentinel_one/2.8.2/data_stream/agent/fields/agent.yml",
    "/package/sentinel_one/2.8.2/data_stream/agent/fields/base-fields.yml",
    "/package/sentinel_one/2.8.2/data_stream/agent/fields/fields.yml",
    "/package/sentinel_one/2.8.2/data_stream/agent/fields/unified-fields.yml",
    "/package/sentinel_one/2.8.2/data_stream/alert/fields/agent.yml",
    "/package/sentinel_one/2.8.2/data_stream/alert/fields/base-fields.yml",
    "/package/sentinel_one/2.8.2/data_stream/alert/fields/fields.yml",
    "/package/sentinel_one/2.8.2/data_stream/alert/fields/unified-fields.yml",
    "/package/sentinel_one/2.8.2/data_stream/application/fields/base-fields.yml",
    "/package/sentinel_one/2.8.2/data_stream/application/fields/beats.yml",
    "/package/sentinel_one/2.8.2/data_stream/application/fields/fields.yml",
    "/package/sentinel_one/2.8.2/data_stream/application/fields/unified-fields.yml",
    "/package/sentinel_one/2.8.2/data_stream/application_risk/fields/base-fields.yml",
    "/package/sentinel_one/2.8.2/data_stream/application_risk/fields/beats.yml",
    "/package/sentinel_one/2.8.2/data_stream/application_risk/fields/ecs.yml",
    "/package/sentinel_one/2.8.2/data_stream/application_risk/fields/fields.yml",
    "/package/sentinel_one/2.8.2/data_stream/application_risk/fields/is-transform-source-true.yml",
    "/package/sentinel_one/2.8.2/data_stream/application_risk/fields/resource.yml",
    "/package/sentinel_one/2.8.2/data_stream/application_risk/fields/vulnerability.yml",
    "/package/sentinel_one/2.8.2/data_stream/group/fields/agent.yml",
    "/package/sentinel_one/2.8.2/data_stream/group/fields/base-fields.yml",
    "/package/sentinel_one/2.8.2/data_stream/group/fields/fields.yml",
    "/package/sentinel_one/2.8.2/data_stream/group/fields/unified-fields.yml",
    "/package/sentinel_one/2.8.2/data_stream/threat/fields/agent.yml",
    "/package/sentinel_one/2.8.2/data_stream/threat/fields/base-fields.yml",
    "/package/sentinel_one/2.8.2/data_stream/threat/fields/fields.yml",
    "/package/sentinel_one/2.8.2/data_stream/threat/fields/unified-fields.yml",
    "/package/sentinel_one/2.8.2/data_stream/threat_event/fields/base-fields.yml",
    "/package/sentinel_one/2.8.2/data_stream/threat_event/fields/beats.yml",
    "/package/sentinel_one/2.8.2/data_stream/threat_event/fields/fields.yml",
    "/package/sentinel_one/2.8.2/data_stream/threat_event/fields/unified-fields.yml",
    "/package/sentinel_one/2.8.2/data_stream/unified_alert/fields/base-fields.yml",
    "/package/sentinel_one/2.8.2/data_stream/unified_alert/fields/beats.yml",
    "/package/sentinel_one/2.8.2/data_stream/unified_alert/fields/fields.yml",
    "/package/sentinel_one/2.8.2/data_stream/unified_alert/fields/is-transform-source-true.yml",
    "/package/sentinel_one/2.8.2/data_stream/unified_alert/fields/unified-fields.yml",
    "/package/sentinel_one/2.8.2/elasticsearch/transform/latest_application/manifest.yml",
    "/package/sentinel_one/2.8.2/elasticsearch/transform/latest_application/transform.yml",
    "/package/sentinel_one/2.8.2/elasticsearch/transform/latest_threat_event/manifest.yml",
    "/package/sentinel_one/2.8.2/elasticsearch/transform/latest_threat_event/transform.yml",
    "/package/sentinel_one/2.8.2/elasticsearch/transform/latest_unified_alert/manifest.yml",
    "/package/sentinel_one/2.8.2/elasticsearch/transform/latest_unified_alert/transform.yml",
    "/package/sentinel_one/2.8.2/data_stream/activity/agent/stream/httpjson.yml.hbs",
    "/package/sentinel_one/2.8.2/data_stream/activity/elasticsearch/ingest_pipeline/default.yml",
    "/package/sentinel_one/2.8.2/data_stream/agent/agent/stream/httpjson.yml.hbs",
    "/package/sentinel_one/2.8.2/data_stream/agent/elasticsearch/ingest_pipeline/default.yml",
    "/package/sentinel_one/2.8.2/data_stream/alert/agent/stream/httpjson.yml.hbs",
    "/package/sentinel_one/2.8.2/data_stream/alert/elasticsearch/ingest_pipeline/default.yml",
    "/package/sentinel_one/2.8.2/data_stream/application/agent/stream/cel.yml.hbs",
    "/package/sentinel_one/2.8.2/data_stream/application/elasticsearch/ilm/default_policy.json",
    "/package/sentinel_one/2.8.2/data_stream/application/elasticsearch/ingest_pipeline/default.yml",
    "/package/sentinel_one/2.8.2/data_stream/application_risk/agent/stream/cel.yml.hbs",
    "/package/sentinel_one/2.8.2/data_stream/application_risk/elasticsearch/ilm/default_policy.json",
    "/package/sentinel_one/2.8.2/data_stream/application_risk/elasticsearch/ingest_pipeline/default.yml",
    "/package/sentinel_one/2.8.2/data_stream/group/agent/stream/httpjson.yml.hbs",
    "/package/sentinel_one/2.8.2/data_stream/group/elasticsearch/ingest_pipeline/default.yml",
    "/package/sentinel_one/2.8.2/data_stream/threat/agent/stream/httpjson.yml.hbs",
    "/package/sentinel_one/2.8.2/data_stream/threat/elasticsearch/ingest_pipeline/default.yml",
    "/package/sentinel_one/2.8.2/data_stream/threat_event/agent/stream/cel.yml.hbs",
    "/package/sentinel_one/2.8.2/data_stream/threat_event/elasticsearch/ilm/default_policy.json",
    "/package/sentinel_one/2.8.2/data_stream/threat_event/elasticsearch/ingest_pipeline/default.yml",
    "/package/sentinel_one/2.8.2/data_stream/unified_alert/agent/stream/cel.yml.hbs",
    "/package/sentinel_one/2.8.2/data_stream/unified_alert/elasticsearch/ilm/default_policy.json",
    "/package/sentinel_one/2.8.2/data_stream/unified_alert/elasticsearch/ingest_pipeline/default.yml",
    "/package/sentinel_one/2.8.2/elasticsearch/transform/latest_application/fields/base-fields.yml",
    "/package/sentinel_one/2.8.2/elasticsearch/transform/latest_application/fields/beats.yml",
    "/package/sentinel_one/2.8.2/elasticsearch/transform/latest_application/fields/fields.yml",
    "/package/sentinel_one/2.8.2/elasticsearch/transform/latest_application/fields/is-transform-source-false.yml",
    "/package/sentinel_one/2.8.2/elasticsearch/transform/latest_application/fields/unified-fields.yml",
    "/package/sentinel_one/2.8.2/elasticsearch/transform/latest_threat_event/fields/base-fields.yml",
    "/package/sentinel_one/2.8.2/elasticsearch/transform/latest_threat_event/fields/beats.yml",
    "/package/sentinel_one/2.8.2/elasticsearch/transform/latest_threat_event/fields/ecs.yml",
    "/package/sentinel_one/2.8.2/elasticsearch/transform/latest_threat_event/fields/fields.yml",
    "/package/sentinel_one/2.8.2/elasticsearch/transform/latest_threat_event/fields/is-transform-source-false.yml",
    "/package/sentinel_one/2.8.2/elasticsearch/transform/latest_threat_event/fields/unified-fields.yml",
    "/package/sentinel_one/2.8.2/elasticsearch/transform/latest_unified_alert/fields/base-fields.yml",
    "/package/sentinel_one/2.8.2/elasticsearch/transform/latest_unified_alert/fields/beats.yml",
    "/package/sentinel_one/2.8.2/elasticsearch/transform/latest_unified_alert/fields/ecs.yml",
    "/package/sentinel_one/2.8.2/elasticsearch/transform/latest_unified_alert/fields/fields.yml",
    "/package/sentinel_one/2.8.2/elasticsearch/transform/latest_unified_alert/fields/is-transform-source-false.yml",
    "/package/sentinel_one/2.8.2/elasticsearch/transform/latest_unified_alert/fields/unified-fields.yml"
  ],
  "policy_templates": [
    {
      "name": "sentinel_one",
      "title": "SentinelOne",
      "description": "Collect logs from SentinelOne.",
      "inputs": [
        {
          "type": "cel",
          "vars": [
            {
              "name": "url",
              "type": "url",
              "title": "URL",
              "description": "Base URL of the SentinelOne Singularity Operations Center. It will be in the format `https://<your-tenant>.sentinelone.net`.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "api_token",
              "type": "password",
              "title": "API Token",
              "description": "API token of the SentinelOne user with API Access Level type. Use a dedicated, least-privilege (read-only) account for collection, and rotate the token if it is ever exposed; the value is stored as a secret and is not shown after saving.",
              "multi": false,
              "required": true,
              "show_user": false
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "description": "URL to proxy connections in the form of http\\[s\\]://<user>:<password>@<server name/ip>:<port>. Ensure the username and password are URL-encoded. NOTE: this is a plain text setting, not a password field, so any proxy credentials embedded here are visible to anyone who can view the agent policy; prefer an unauthenticated, network-restricted proxy where possible.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
              "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"
            }
          ],
          "title": "Collect SentinelOne application, application risk, threat_event, and unified alert events via API",
          "description": "Collecting SentinelOne application, application risk, threat_event, and unified alert events via API."
        },
        {
          "type": "httpjson",
          "vars": [
            {
              "name": "url",
              "type": "url",
              "title": "URL",
              "description": "Base URL of the SentinelOne Singularity Operations Center. It will be in the format `https://<your-tenant>.sentinelone.net`.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer writes full HTTP requests and responses to the agent's local file-system for debugging configurations. The trace files can contain sensitive data (potentially including authentication headers and collected event content), so enable tracing only temporarily while debugging and disable it afterwards. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename).",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "api_token",
              "type": "password",
              "title": "API Token",
              "description": "API token of the SentinelOne user with API Access Level type. Use a dedicated, least-privilege (read-only) account for collection, and rotate the token if it is ever exposed; the value is stored as a secret and is not shown after saving.",
              "multi": false,
              "required": true,
              "show_user": false
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "description": "URL to proxy connections in the form of http\\[s\\]://<user>:<password>@<server name/ip>:<port>. Ensure the username and password are URL-encoded. NOTE: this is a plain text setting, not a password field, so any proxy credentials embedded here are visible to anyone who can view the agent policy; prefer an unauthenticated, network-restricted proxy where possible.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "site_ids",
              "type": "text",
              "title": "Site IDs",
              "description": "Comma separated list of Site IDs to filter by. Example - 225494730938493804,225494730938493915.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
              "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"
            }
          ],
          "title": "Collect SentinelOne activity, agent, alert, group, and threat logs using API",
          "description": "Collecting SentinelOne activity, agent, alert, group, and threat logs using API."
        }
      ],
      "multiple": true,
      "deployment_modes": {
        "default": {
          "enabled": true
        },
        "agentless": {
          "enabled": true
        }
      }
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "sentinel_one.activity",
      "title": "Collect activity logs from SentinelOne",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "httpjson",
          "vars": [
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the activities from SentinelOne. NOTE: Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the SentinelOne API. NOTE: Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "30s"
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "sentinel_one-activity"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "httpjson.yml.hbs",
          "title": "Activity",
          "description": "Collect activity logs from SentinelOne.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "sentinel_one",
      "path": "activity"
    },
    {
      "type": "logs",
      "dataset": "sentinel_one.agent",
      "title": "Collect agent logs from SentinelOne",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "httpjson",
          "vars": [
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the agents from SentinelOne. NOTE: Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the SentinelOne API. NOTE: Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "30s"
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "sentinel_one-agent"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "httpjson.yml.hbs",
          "title": "Agent",
          "description": "Collect agent logs from SentinelOne.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "sentinel_one",
      "path": "agent"
    },
    {
      "type": "logs",
      "dataset": "sentinel_one.alert",
      "title": "Collect alert logs from SentinelOne",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "httpjson",
          "vars": [
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the alerts from SentinelOne. NOTE: Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the SentinelOne API. NOTE: Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "30s"
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "sentinel_one-alert"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "httpjson.yml.hbs",
          "title": "Alert",
          "description": "Collect alert logs from SentinelOne.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "sentinel_one",
      "path": "alert"
    },
    {
      "type": "logs",
      "dataset": "sentinel_one.application",
      "ilm_policy": "logs-sentinel_one.application-default_policy",
      "title": "Collect application logs from SentinelOne",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the SentinelOne API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "batch_size",
              "type": "integer",
              "title": "Batch Size",
              "description": "Batch size for the response of the SentinelOne API. The maximum supported page size value is 1000.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 1000
            },
            {
              "name": "max_executions",
              "type": "integer",
              "title": "Maximum Executions",
              "description": "Maximum number of CEL program re-evaluations per collection interval. The application stream makes two API calls per worklist entry (inventory + endpoints), so large estates may need a higher budget than the input default of 1000. Set to 0 to remove the limit; note that this also removes the upper bound on API calls made per interval.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 1000
            },
            {
              "name": "site_ids",
              "type": "text",
              "title": "Site IDs",
              "description": "Comma-separated list of Site IDs to filter by, for example \"225494730938493804,225494730938493915\".",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer writes requests and responses to the agent's local file system to help debug configurations. Because these traces contain the raw requests and responses, enabling request tracing compromises security and should only be used for debugging. Disabling the request tracer deletes any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "sentinel_one-application"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve sentinel_one.application fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Application",
          "description": "Collect application logs from SentinelOne.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "sentinel_one",
      "path": "application"
    },
    {
      "type": "logs",
      "dataset": "sentinel_one.application_risk",
      "ilm_policy": "logs-sentinel_one.application_risk-default_policy",
      "title": "Collect application risk logs from SentinelOne",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the SentinelOne API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "batch_size",
              "type": "integer",
              "title": "Batch Size",
              "description": "Batch size for the response of the SentinelOne API. The maximum supported page size value is 1000.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 1000
            },
            {
              "name": "site_ids",
              "type": "text",
              "title": "Site IDs",
              "description": "Comma-separated list of Site IDs to filter by, for example \"225494730938493804,225494730938493915\".",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer writes requests and responses to the agent's local file system to help debug configurations. Because these traces contain the raw requests and responses, enabling request tracing compromises security and should only be used for debugging. Disabling the request tracer deletes any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "sentinel_one-application_risk"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve sentinel_one.application_risk fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Application Risk",
          "description": "Collect application risk logs from SentinelOne.",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "sentinel_one",
      "path": "application_risk"
    },
    {
      "type": "logs",
      "dataset": "sentinel_one.group",
      "title": "Collect group logs from SentinelOne",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "httpjson",
          "vars": [
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the groups from SentinelOne. NOTE: Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the SentinelOne API. NOTE: Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "30s"
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "sentinel_one-group"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "httpjson.yml.hbs",
          "title": "Group",
          "description": "Collect group logs from SentinelOne.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "sentinel_one",
      "path": "group"
    },
    {
      "type": "logs",
      "dataset": "sentinel_one.threat",
      "title": "Collect threat logs from SentinelOne",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "httpjson",
          "vars": [
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the threats from SentinelOne. NOTE: Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the SentinelOne API. NOTE: Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "30s"
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "sentinel_one-threat"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "httpjson.yml.hbs",
          "title": "Threat",
          "description": "Collect threat logs from SentinelOne.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "sentinel_one",
      "path": "threat"
    },
    {
      "type": "logs",
      "dataset": "sentinel_one.threat_event",
      "ilm_policy": "logs-sentinel_one.threat_event-default_policy",
      "title": "Collect threat event logs from SentinelOne",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the SentinelOne API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "batch_size",
              "type": "integer",
              "title": "Batch Size",
              "description": "Batch size for the response of the SentinelOne API. The maximum supported page size value is 1000.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 1000
            },
            {
              "name": "site_ids",
              "type": "text",
              "title": "Site IDs",
              "description": "Comma-separated list of Site IDs to filter by, for example \"225494730938493804,225494730938493915\".",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer writes requests and responses to the agent's local file system to help debug configurations. Because these traces contain the raw requests and responses, enabling request tracing compromises security and should only be used for debugging. Disabling the request tracer deletes any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "sentinel_one-threat_event"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve sentinel_one.threat_event fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Threat Event",
          "description": "Collect threat event logs from SentinelOne.",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "sentinel_one",
      "path": "threat_event"
    },
    {
      "type": "logs",
      "dataset": "sentinel_one.unified_alert",
      "ilm_policy": "logs-sentinel_one.unified_alert-default_policy",
      "title": "Collect unified alert logs from SentinelOne",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the unified alerts from SentinelOne. NOTE: Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the SentinelOne API. NOTE: Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "1m"
            },
            {
              "name": "batch_size",
              "type": "integer",
              "title": "Batch Size",
              "description": "Batch size for the response of the SentinelOne API. The maximum supported page size value is 10000.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 1000
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "60s"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer writes requests and responses to the agent's local file system to help debug configurations. Because these traces contain the raw requests and responses, enabling request tracing compromises security and should only be used for debugging. Disabling the request tracer deletes any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "sentinel_one-unified_alert"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve sentinel_one.unified_alert fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Unified Alert",
          "description": "Collect unified alert logs from SentinelOne.",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "sentinel_one",
      "path": "unified_alert"
    }
  ]
}
