elastic · andrewkroh · May 26, 2022 · Apr 29, 2022 · Apr 29, 2022 · May 5, 2022
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -122,6 +122,7 @@
 /packages/redis @elastic/integrations
 /packages/santa @elastic/security-external-integrations
 /packages/security_detection_engine @elastic/protections
+/packages/sentinel_one @elastic/security-external-integrations
 /packages/snort @elastic/security-external-integrations
 /packages/snyk @elastic/security-external-integrations
 /packages/sonicwall @elastic/security-external-integrations

@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: git@8.2
@@ -0,0 +1,62 @@
+# SentinelOne
+
+The [SentinelOne](https://www.sentinelone.com/) integration collects and parses data from SentinelOne REST APIs.
+
+## Compatibility
+
+This module has been tested against `SentinelOne Management Console API version 2.1`.
+
+## To collect data from SentinelOne APIs, user must have API Token. To create API token follow below steps:
+
+  1. Log in to the **SentinelOne Management Console** as an **Admin**.
+  ![SentinelOne dashboards](../img/sentinel-one-dashboard.png)
+  2. Navigate to **Logged User Account** from top right panel in navigation bar.
+  3. Click **My User**.
+  4. In the API token section, click **Generate**.  
+  ![SentinelOne generate API token ](../img/sentinel-one-api-token-generate.png)
+
+## Note
+
+The API token generated by user is time-limited. To rotate a new token login with the dedicated admin account.
+
+## Logs
+
+### activity
+
+This is the `activity` dataset.
+
+{{event "activity"}}
+
+{{fields "activity"}}
+
+### agent
+
+This is the `agent` dataset.
+
+{{event "agent"}}
+
+{{fields "agent"}}
+
+### alert
+
+This is the `alert` dataset.
+
+{{event "alert"}}
+
+{{fields "alert"}}
+
+### group
+
+This is the `group` dataset.
+
+{{event "group"}}
+
+{{fields "group"}}
+
+### threat
+
+This is the `threat` dataset.
+
+{{event "threat"}}
+
+{{fields "threat"}}
@@ -0,0 +1,15 @@
+version: '2.3'
+services:
+  sentinel_one:
+    image: docker.elastic.co/observability/stream:v0.7.0
+    hostname: sentinel_one
+    ports:
+      - 8080
+    volumes:
+      - ./files:/files:ro
+    environment:
+      PORT: "8080"
+    command:
+      - http-server
+      - --addr=:8080
+      - --config=/files/config.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.1.0"
+  changes:
+    - description: Initial Release
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/3232
@@ -0,0 +1,3 @@
+fields:
+  tags:
+    - preserve_original_event