[sentinel_one] Add Support for Application Risk Data Stream #14910


Open
wants to merge 3 commits into base: main

Conversation

mohitjha-elastic (Collaborator)

Proposed commit message

sentinel_one: Add support for application risk data stream.

Added support for ingesting data through the SentinelOne application risk data stream.
This includes necessary configuration updates and input adjustments to enable collection and parsing of
application risk–related events, ensuring accurate ingestion and processing of risk insights
from supported sources.

Tested on the live samples collected through the SentinelOne API.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Clone integrations repo.
  • Install elastic package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/sentinel_one directory.
  • Run the following command to run tests.

elastic-package test -v

Related Issue

  • Related to enhancement issue 25330

@mohitjha-elastic mohitjha-elastic self-assigned this Aug 12, 2025
@mohitjha-elastic mohitjha-elastic requested a review from a team as a code owner August 12, 2025 11:41
@mohitjha-elastic mohitjha-elastic added enhancement New feature or request Integration:sentinel_one SentinelOne Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Aug 12, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@andrewkroh andrewkroh added dashboard Relates to a Kibana dashboard bug, enhancement, or modification. documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. labels Aug 12, 2025
@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

cc @mohitjha-elastic

{{fields "threat"}}

### application risk
Contributor

Move to the top after application (sort)

@@ -0,0 +1,20 @@
{
"tags": [
"preserve_duplicate_custom_fields"
],
"vulnerability": {
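Review bot: the expected document in this hunk is generated with the `preserve_duplicate_custom_fields` tag set (`"tags": ["preserve_duplicate_custom_fields"]`), so it will carry the raw `sentinel_one.application_risk.*` copies next to the ECS `vulnerability.*` fields. Make sure the pipeline test also covers the default configuration, where those raw fields are removed after being copied into ECS; otherwise a field that is only present in the raw copy and never makes it into `vulnerability.*` would still pass the test.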
Contributor

Can you check if any fields from https://docs.elastic.dev/security-solution/cloud-security/cdr/3p-dev-guide#vulnerability-findings-1 can also be added to this data stream?

- set:
field: event.kind
tag: set_event_kind
value: event
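Review bot: `value: event` in the `set` processor for `event.kind` is the wrong kind for this data stream. An application risk is a point-in-time snapshot of a vulnerability on a host rather than a discrete occurrence, and ECS reserves `event.kind: state` for exactly that case (periodic scan results), so this should be `value: state`; pair it with `event.category: vulnerability` if that is not already set elsewhere in the pipeline.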
Contributor

Use state

Comment on lines +1 to +17
# Use of "*" to use all namespaces defined.
source:
index:
- "logs-sentinel_one.application_risk-*"
dest:
index: "logs-sentinel_one_latest.dest_application_risk-1"
aliases:
- alias: "logs-sentinel_one_latest.application_risk"
move_on_creation: true
latest:
unique_key:
- event.dataset
- event.id
sort: "@timestamp"
description: >-
Latest application risk from SentinelOne. As application risk get updated, this transform stores only the latest state of each application risk inside the destination index. Thus the transform's destination index contains only the latest state of the application risk.
frequency: 30s
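Review bot: the `unique_key` of `event.dataset` plus `event.id` with `sort: "@timestamp"` only collapses updates if SentinelOne keeps `event.id` stable across successive polls of the same application risk. If `event.id` is derived from a per-fetch identifier, or from a fingerprint that includes a field that changes between polls (risk score, detection time), every poll becomes a new key and the `logs-sentinel_one_latest.application_risk` alias grows without bound instead of holding one document per risk. Please state in the description which SentinelOne field `event.id` is populated from and confirm it is the risk's own identifier; if it is not, key on the stable risk identifier (plus host id if the risk is per-host) instead.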
Contributor

@nick-alayil, @maxcold
We are adding new vulnerability data to our SentinelOne integration and this is the transform use case for storing latest state of vulnerabilities (SentinelOne calls them application risks). I think it makes sense to defer transform addition so that we can add it as part of Extended protections (3rd party CDR integrations) list. This way we can avoid redundancy of having 2 transforms on same data. WDYT?

cc: @mohitjha-elastic

Contributor

If we can cover one transform for both use cases with no downsides, then definitely it makes sense to me!
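To make the `latest` transform discussed in this thread concrete, here is an added Python example (not code from the PR, the sentinel_one package, or Elastic) that reproduces offline what the transform does: keep one document per composite key `(event.dataset, event.id)`, the one with the greatest `@timestamp` winning, regardless of arrival order. The documents, their severities and the `risk-N` ids are constructed for the example. It also shows the failure mode a reviewer would check for: when `event.id` is not stable across polls, nothing collapses and the "latest" index simply mirrors the source.

```python
"""Simulate the semantics of an Elasticsearch 'latest' transform.

Added example, not code from the PR or the sentinel_one package. Field names
follow ECS; the documents below are constructed for the example.
"""
from datetime import datetime, timezone

# Mirrors the transform fragment: unique_key and sort field.
UNIQUE_KEY = ("event.dataset", "event.id")
SORT_FIELD = "@timestamp"
DATASET = "sentinel_one.application_risk"

# Constructed sample documents: three updates of the same risk (risk-1), one
# of them arriving out of order, plus an unrelated risk (risk-2).
SAMPLE_DOCS = [
    {"@timestamp": "2025-08-01T10:00:00Z", "event.dataset": DATASET,
     "event.id": "risk-1", "vulnerability.severity": "High"},
    {"@timestamp": "2025-08-02T10:00:00Z", "event.dataset": DATASET,
     "event.id": "risk-1", "vulnerability.severity": "Critical"},
    {"@timestamp": "2025-08-01T12:00:00Z", "event.dataset": DATASET,
     "event.id": "risk-2", "vulnerability.severity": "Low"},
    # Stale update that arrives after the newer one; must not win.
    {"@timestamp": "2025-08-01T09:00:00Z", "event.dataset": DATASET,
     "event.id": "risk-1", "vulnerability.severity": "Medium"},
]

# Same risks, but with a hypothetical per-poll identifier in event.id, to
# show what happens when the key is not stable (constructed, not real data).
PER_POLL_DOCS = [dict(doc, **{"event.id": f"poll-{i}"})
                 for i, doc in enumerate(SAMPLE_DOCS)]


def _parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the samples as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def latest_state(docs, unique_key=UNIQUE_KEY, sort_field=SORT_FIELD):
    """Return {key_tuple: doc}, keeping the newest doc per composite key.

    Documents missing any part of the key are skipped: they cannot be
    deduplicated, and a real transform would not group them either.
    """
    latest = {}
    for doc in docs:
        key = tuple(doc.get(field) for field in unique_key)
        if any(part is None for part in key):
            continue
        current = latest.get(key)
        if current is None or _parse_ts(doc[sort_field]) > _parse_ts(current[sort_field]):
            latest[key] = doc
    return latest


def latest_severity(docs, event_id, dataset=DATASET):
    """Severity of the most recent state of one risk, or None if unknown."""
    doc = latest_state(docs).get((dataset, event_id))
    return None if doc is None else doc["vulnerability.severity"]


def distinct_keys(docs):
    """How many documents the destination index would hold."""
    return len(latest_state(docs))


if __name__ == "__main__":
    print("risk-1 latest severity:", latest_severity(SAMPLE_DOCS, "risk-1"))
    print("stable ids  ->", distinct_keys(SAMPLE_DOCS), "documents")
    print("per-poll ids->", distinct_keys(PER_POLL_DOCS), "documents")
```

With stable ids the four source documents collapse to two, and the stale `Medium` update loses to the later `Critical` one because the comparison is on `@timestamp`, not on arrival order. With per-poll ids every document is its own key, which is the case the transform's `unique_key` has to be checked against before it ships.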

5 participants