Device Security
SentinelOne Attribute Reference
This reference lists the attributes that Device Security collects from SentinelOne,
their names as stored in Device Security, and the Device Security device,
interface, and vulnerability fields they map to.
When Device Security integrates with SentinelOne Singularity, it
imports endpoint protection data to enrich the device inventory. The attributes in this
reference cover device records, network interface data, and vulnerability findings from
the SentinelOne Singularity platform.
The third-party attribute name in Device Security refers to the attribute name
as it appears in the Assets Inventory table and in Query Engine. This follows the format
of third-party-name.attribute-name.
When you view the attribute name in the Assets Inventory table column selector or on a
Device Details page, where the third-party name appears as a header for the
attributes section, the third-party name is removed from the attribute name.
For example, microsoft_defender_xdr.macAddress would appear in the
Query Builder and in the Assets Inventory table, but under Device Details > Attributes > Integration Specific Attributes > Microsoft Defender, the attribute would appear as macAddress.
Device Attributes
Device Security collects device attributes from the SentinelOne v2.1 device
details API. The following table lists each SentinelOne attribute, its name as
stored in Device Security, and the Device Security device field it maps to
(if applicable).
| SentinelOne Attribute | Device Security Attribute Name | Device Security Common Attribute* | Description |
|---|---|---|---|
| accountId | sentinelone.accountId | — | Identifier of the SentinelOne account that manages this device |
| accountName | sentinelone.accountName | — | Name of the SentinelOne account that manages this device |
| activeDirectory.computerDistinguishedName | sentinelone.activeDirectory.computerDistinguishedName | — | Active Directory distinguished name of the computer account for this device |
| activeDirectory.computerMemberOf | sentinelone.activeDirectory.computerMemberOf | — | Active Directory groups that the computer account belongs to |
| activeDirectory.lastUserDistinguishedName | sentinelone.activeDirectory.lastUserDistinguishedName | — | Active Directory distinguished name of the last user logged on to this device |
| activeDirectory.lastUserMemberOf | sentinelone.activeDirectory.lastUserMemberOf | — | Active Directory groups that the last logged-on user belongs to |
| activeDirectory.userPrincipalName | sentinelone.activeDirectory.userPrincipalName | — | User principal name from Active Directory for the last logged-on user |
| activeProtection | sentinelone.activeProtection | — | Indicates whether active protection is enabled on the device |
| activeThreats | sentinelone.activeThreats | — | Number of active threats detected on the device by SentinelOne |
| agentVersion | sentinelone.agentVersion | — | Version of the SentinelOne agent installed on the device |
| allowRemoteShell | sentinelone.allowRemoteShell | — | Indicates whether remote shell access is allowed on the device |
| appsVulnerabilityStatus | sentinelone.appsVulnerabilityStatus | — | Vulnerability status of applications installed on the device |
| cloudProviders | sentinelone.cloudProviders | — | Cloud providers associated with the device |
| computerName | sentinelone.computerName | Hostname | Computer name of the device |
| consoleMigrationStatus | sentinelone.consoleMigrationStatus | — | Migration status of the device between SentinelOne console instances |
| containerizedWorkloadCounts | sentinelone.containerizedWorkloadCounts | — | Count of containerized workloads on the device |
| coreCount | sentinelone.coreCount | — | Number of CPU cores on the device |
| cpuCount | sentinelone.cpuCount | — | Number of CPUs on the device |
| cpuId | sentinelone.cpuId | — | CPU identifier of the device |
| createdAt | sentinelone.createdAt | — | Timestamp when the device record was created in SentinelOne |
| domain | sentinelone.domain | — | Domain the device belongs to |
| encryptedApplications | sentinelone.encryptedApplications | — | Indicates whether application encryption is enabled on the device |
| externalId | sentinelone.externalId | — | External identifier associated with the device in SentinelOne |
| externalIp | sentinelone.externalIp | public_ip_address | External IP address of the device |
| firewallEnabled | sentinelone.firewallEnabled | — | Indicates whether the firewall is enabled on the device in SentinelOne |
| fullDiskScanLastUpdatedAt | sentinelone.fullDiskScanLastUpdatedAt | — | Timestamp of the last full disk scan performed by SentinelOne on this device |
| groupId | sentinelone.groupId | — | Identifier of the SentinelOne group the device belongs to |
| groupIp | sentinelone.groupIp | — | IP subnet associated with the SentinelOne group of this device |
| groupName | sentinelone.groupName | — | Name of the SentinelOne group the device belongs to |
| id | sentinelone.id | — | Unique identifier of the device record |
| infected | sentinelone.infected | — | Indicates whether the device is currently infected |
| installed_applications | — | third_party_learned_installed_software | List of applications installed on the device |
| installerType | sentinelone.installerType | — | Type of installer used to deploy the SentinelOne agent on this device |
| isActive | sentinelone.isActive | — | Indicates whether the device is currently active in SentinelOne |
| isDecommissioned | sentinelone.isDecommissioned | — | Indicates whether the device has been decommissioned in SentinelOne |
| isPendingUninstall | sentinelone.isPendingUninstall | — | Indicates whether the SentinelOne agent is pending uninstallation on this device |
| isUninstalled | sentinelone.isUninstalled | — | Indicates whether the SentinelOne agent has been uninstalled from this device |
| isUpToDate | sentinelone.isUpToDate | — | Indicates whether the SentinelOne agent is up to date on this device |
| lastActiveDate | sentinelone.lastActiveDate | — | Date when the device was last active |
| lastIpToMgmt | sentinelone.lastIpToMgmt | — | Last IP address used by the device to communicate with the SentinelOne management console |
| lastLoggedInUserName | sentinelone.lastLoggedInUserName | — | Username of the last user logged on to the device |
| licenseKey | sentinelone.licenseKey | — | License key of the SentinelOne agent on this device |
| locationEnabled | sentinelone.locationEnabled | — | Indicates whether location tracking is enabled for the device |
| locations[0].id | sentinelone.locations.id | — | Identifier of the primary location assigned to the device |
| locations[0].name | sentinelone.locations.name | Location | Name of the primary location assigned to the device in SentinelOne |
| locations[0].scope | sentinelone.locations.scope | — | Scope of the primary location assigned to the device in SentinelOne |
| locationType | sentinelone.locationType | — | Type of location assigned to the device |
| machineSid | sentinelone.machineSid | — | Security Identifier (SID) of the machine |
| machineType | sentinelone.machineType | — | Type of machine, such as desktop or server |
| mitigationMode | sentinelone.mitigationMode | — | Mitigation mode configured for the device, such as protect or detect |
| mitigationModeSuspicious | sentinelone.mitigationModeSuspicious | — | Mitigation mode for suspicious activity on the device in SentinelOne |
| modelName | sentinelone.modelName | Model | Hardware model name of the device |
| networkInterfaces[0].physical | — | MAC; id | MAC address of the primary network interface. Used as the primary device identifier. |
| networkInterfaces[0].inet[0] | — | ipv4_address | IPv4 address of the primary network interface |
| networkQuarantineEnabled | sentinelone.networkQuarantineEnabled | — | Indicates whether network quarantine is enabled for the device |
| networkStatus | sentinelone.networkStatus | operational_status | Network connectivity status of the device |
| operationalState | sentinelone.operationalState | — | Operational state of the device, such as na or powered_off |
| osArch | sentinelone.osArch | — | CPU architecture of the operating system |
| osName | sentinelone.osName | OS Name | Operating system name of the device |
| osRevision | sentinelone.osRevision | OS Build Number | OS revision or build number of the device |
| osStartTime | sentinelone.osStartTime | — | Timestamp of the last OS startup on the device |
| osType | sentinelone.osType | os_type | Operating system type of the device, such as windows or linux |
| rangerStatus | sentinelone.rangerStatus | — | Status of the SentinelOne ranger network discovery feature on this device |
| rangerVersion | sentinelone.rangerVersion | — | Version of the SentinelOne ranger component installed on this device |
| registeredAt | sentinelone.registeredAt | — | Timestamp when the device was registered with SentinelOne |
| remoteProfilingState | sentinelone.remoteProfilingState | — | Remote profiling state of the device |
| scanAbortedAt | sentinelone.scanAbortedAt | — | Timestamp when the last scan was aborted on the device in SentinelOne |
| scanFinishedAt | sentinelone.scanFinishedAt | — | Timestamp when the last scan finished on the device in SentinelOne |
| scanStartedAt | sentinelone.scanStartedAt | — | Timestamp when the last scan started on the device in SentinelOne |
| scanStatus | sentinelone.scanStatus | — | Status of the most recent scan on the device in SentinelOne |
| serialNumber | sentinelone.serialNumber | Serial Number | Serial number of the device |
| showAlertIcon | sentinelone.showAlertIcon | — | Indicates whether an alert icon is displayed for the device in the SentinelOne console |
| siteId | sentinelone.siteId | — | Identifier of the SentinelOne site that manages this device |
| siteName | sentinelone.siteName | Site | Name of the SentinelOne site that manages this device |
| storageName | sentinelone.storageName | — | Name of the storage device on the endpoint |
| storageType | sentinelone.storageType | — | Type of storage device on the endpoint |
| tags.sentinelone | sentinelone.tags.sentinelone | — | Tags assigned to the device by SentinelOne |
| totalMemory | sentinelone.totalMemory | — | Total physical memory of the device in MB |
| updatedAt | sentinelone.updatedAt | — | Timestamp when the device record was last updated in SentinelOne |
| userActionsNeeded | sentinelone.userActionsNeeded | — | List of user actions required for the device in SentinelOne |
| uuid | sentinelone.uuid | — | Universally unique identifier of the device in SentinelOne |
Interface Attributes
Device Security collects interface attributes from the SentinelOne v2.1 device
details interfaces API. The following table lists each SentinelOne attribute, its
name as stored in Device Security, and the Device Security interface field
it maps to (if applicable).
| SentinelOne Attribute | Device Security Attribute Name | Device Security Common Attribute* | Description |
|---|---|---|---|
| networkInterfaces | sentinelone.networkInterfaces | third_party_learned_network_interfaces | List of network interfaces on the device |
| networkInterfaces[0].inet[0] | sentinelone.networkInterfaces.inet | ipv4_address | IPv4 address of the primary network interface |
| networkInterfaces[0].physical | sentinelone.networkInterfaces.physical | MAC; id | MAC address of the primary network interface. Used as the primary interface identifier. |
Vulnerability Attributes
Device Security collects vulnerability attributes from the SentinelOne v2.1
vulnerability details API. The following table lists each SentinelOne attribute,
its name as stored in Device Security, and the Device Security vulnerability
field it maps to (if applicable).
| SentinelOne Attribute | Device Security Attribute Name | Device Security Common Attribute* | Description |
|---|---|---|---|
| application | sentinelone.application | — | Application associated with the vulnerability |
| applicationName | sentinelone.applicationName | — | Name of the application affected by the vulnerability |
| applicationVendor | sentinelone.applicationVendor | — | Vendor of the application affected by the vulnerability |
| applicationVersion | sentinelone.applicationVersion | — | Version of the application affected by the vulnerability |
| baseScore | sentinelone.baseScore | cvss_base_score | CVSS base score of the vulnerability |
| cveId | sentinelone.cveId | cve | CVE identifier for the vulnerability |
| cvssVersion | sentinelone.cvssVersion | — | CVSS version used to score the vulnerability in SentinelOne |
| daysDetected | sentinelone.daysDetected | — | Number of days since the vulnerability was first detected in SentinelOne |
| detectionDate | sentinelone.detectionDate | detected_time | Date when SentinelOne first detected this vulnerability on the device |
| endpointId | sentinelone.endpointId | — | Identifier of the endpoint where the vulnerability was detected |
| endpointName | sentinelone.endpointName | — | Name of the endpoint where the vulnerability was detected |
| endpointType | sentinelone.endpointType | — | Type of endpoint where the vulnerability was detected in SentinelOne |
| id | sentinelone.id | vulnerability_id | Unique identifier of the vulnerability record in SentinelOne |
| lastScanDate | sentinelone.lastScanDate | — | Date of the last scan that checked for this vulnerability |
| lastScanResult | sentinelone.lastScanResult | — | Result of the last vulnerability scan performed by SentinelOne |
| mac_address | sentinelone.mac_address | id | MAC address of the device where the vulnerability was detected |
| publishedDate | sentinelone.publishedDate | — | Date when the vulnerability was publicly published, as recorded |
| severity | sentinelone.severity | severity; risk_level | Severity level of the vulnerability |
| status | sentinelone.status | — | Current status of the vulnerability |
* Only some attributes map to a Device Security Common Attribute.