Change log for SENTINELONE_ACTIVITY

Date	Changes
2025-10-10	- event.idm.read_only_udm.metadata.event_timestamp: Newly mapped `createdAt` raw log field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field. - event.idm.read_only_udm.security_result.last_updated_time: Newly mapped `updatedAt` raw log field with `event.idm.read_only_udm.security_result.last_updated_time` UDM field. - event.idm.read_only_udm.metadata.product_log_id: Newly mapped `activityUuid`, `activityID` raw log field with `event.idm.read_only_udm.metadata.product_log_id` UDM field. - event.idm.read_only_udm.metadata.description: Newly mapped `primaryDescription`, event_name raw log field with `event.idm.read_only_udm.metadata.description` UDM field. - event.idm.read_only_udm.metadata.event_timestamp: Newly mapped `rt` raw log field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field. - event.idm.read_only_udm.metadata.product_event_type: Newly mapped `activityType` raw log field with `event.idm.read_only_udm.metadata.product_event_type` UDM field. - event.idm.read_only_udm.metadata.product_name: Newly mapped `device_product` raw log field with `event.idm.read_only_udm.metadata.product_name` UDM field. - event.idm.read_only_udm.principal.ip: Newly mapped `data.ipAddress` raw log field with `event.idm.read_only_udm.principal.ip` UDM field. - event.idm.read_only_udm.principal.asset.ip: Newly mapped `data.ipAddress` raw log field with `event.idm.read_only_udm.principal.asset.ip` UDM field. - event.idm.read_only_udm.principal.process.command_line: Newly mapped `data.sourceprocesscommandline` raw log field with `event.idm.read_only_udm.principal.process.command_line` UDM field. - event.idm.read_only_udm.principal.process.file.names: Newly mapped `data.sourceprocessname` raw log field with `event.idm.read_only_udm.principal.process.file.names` UDM field. - event.idm.read_only_udm.target.asset.asset_id: Newly mapped `agentId` raw log field with `event.idm.read_only_udm.target.asset.asset_id` UDM field. - event.idm.read_only_udm.target.hostname: Newly mapped `data.computerName` raw log field with `event.idm.read_only_udm.target.hostname` UDM field. - event.idm.read_only_udm.target.asset.hostname: Newly mapped `data.computerName` raw log field with `event.idm.read_only_udm.target.asset.hostname` UDM field. - event.idm.read_only_udm.target.namespace: Newly mapped `accountName` raw log field with `event.idm.read_only_udm.target.namespace` UDM field. - event.idm.read_only_udm.target.location.name: Newly mapped `siteName, `data.siteName` raw log field with `event.idm.read_only_udm.target.location.name` UDM field. - event.idm.read_only_udm.target.user.userid: Newly mapped `accountId` raw log field with `event.idm.read_only_udm.target.user.userid` UDM field. - event.idm.read_only_udm.target.user.user_display_name: Newly mapped `data.accountName` raw log field with `event.idm.read_only_udm.target.user.user_display_name` UDM field. - event.idm.read_only_udm.target.group.product_object_id: Newly mapped `data.newGroupId` raw log field with `event.idm.read_only_udm.target.group.product_object_id` UDM field. - event.idm.read_only_udm.target.group.group_display_name: Newly mapped `data.newGroupName` raw log field with `event.idm.read_only_udm.target.group.group_display_name` UDM field. - event.idm.read_only_udm.target.resource.attribute.labels: Newly mapped `id`, `notificationScope`, `data.scopeLevel`, `data.fullScopeDetailsPath`, `siteId` raw log field with `event.idm.read_only_udm.target.resource.attribute.labels UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `data.sourceType` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.security_result.rule_id: Newly mapped `data.alertid` raw log field with `event.idm.read_only_udm.security_result.rule_id` UDM field. - event.idm.read_only_udm.security_result.detection_fields: Newly mapped `data.ruledescription`, `data.oldGroupName`, `data.oldGroupId`, `data.newGroupId`, `data.newGroupName` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM field. - event.idm.read_only_udm.security_result.description: Newly mapped `data.fullScopeDetails` raw log field with `event.idm.read_only_udm.security_result.description` UDM field. - event.idm.read_only_udm.metadata.event_type: If has_principal and has_target are "true", updated to NETWORK_CONNECTION. - event.idm.read_only_udm.metadata.event_type: If has_principal is "true", updated to STATUS_UPDATE. - event.idm.read_only_udm.metadata.event_type: If has_user is "true", updated to USER_LOGIN. - event.idm.read_only_udm.metadata.event_type: If none of the above conditions are met, updated to GENERIC_EVENT.

Date

Changes

2025-10-10

- event.idm.read_only_udm.metadata.event_timestamp: Newly mapped `createdAt` raw log field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field.
- event.idm.read_only_udm.security_result.last_updated_time: Newly mapped `updatedAt` raw log field with `event.idm.read_only_udm.security_result.last_updated_time` UDM field.
- event.idm.read_only_udm.metadata.product_log_id: Newly mapped `activityUuid`, `activityID` raw log field with `event.idm.read_only_udm.metadata.product_log_id` UDM field.
- event.idm.read_only_udm.metadata.description: Newly mapped `primaryDescription`, event_name raw log field with `event.idm.read_only_udm.metadata.description` UDM field.
- event.idm.read_only_udm.metadata.event_timestamp: Newly mapped `rt` raw log field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field.
- event.idm.read_only_udm.metadata.product_event_type: Newly mapped `activityType` raw log field with `event.idm.read_only_udm.metadata.product_event_type` UDM field.
- event.idm.read_only_udm.metadata.product_name: Newly mapped `device_product` raw log field with `event.idm.read_only_udm.metadata.product_name` UDM field.
- event.idm.read_only_udm.principal.ip: Newly mapped `data.ipAddress` raw log field with `event.idm.read_only_udm.principal.ip` UDM field.
- event.idm.read_only_udm.principal.asset.ip: Newly mapped `data.ipAddress` raw log field with `event.idm.read_only_udm.principal.asset.ip` UDM field.
- event.idm.read_only_udm.principal.process.command_line: Newly mapped `data.sourceprocesscommandline` raw log field with `event.idm.read_only_udm.principal.process.command_line` UDM field.
- event.idm.read_only_udm.principal.process.file.names: Newly mapped `data.sourceprocessname` raw log field with `event.idm.read_only_udm.principal.process.file.names` UDM field.
- event.idm.read_only_udm.target.asset.asset_id: Newly mapped `agentId` raw log field with `event.idm.read_only_udm.target.asset.asset_id` UDM field.
- event.idm.read_only_udm.target.hostname: Newly mapped `data.computerName` raw log field with `event.idm.read_only_udm.target.hostname` UDM field.
- event.idm.read_only_udm.target.asset.hostname: Newly mapped `data.computerName` raw log field with `event.idm.read_only_udm.target.asset.hostname` UDM field.
- event.idm.read_only_udm.target.namespace: Newly mapped `accountName` raw log field with `event.idm.read_only_udm.target.namespace` UDM field.
- event.idm.read_only_udm.target.location.name: Newly mapped `siteName, `data.siteName` raw log field with `event.idm.read_only_udm.target.location.name` UDM field.
- event.idm.read_only_udm.target.user.userid: Newly mapped `accountId` raw log field with `event.idm.read_only_udm.target.user.userid` UDM field.
- event.idm.read_only_udm.target.user.user_display_name: Newly mapped `data.accountName` raw log field with `event.idm.read_only_udm.target.user.user_display_name` UDM field.
- event.idm.read_only_udm.target.group.product_object_id: Newly mapped `data.newGroupId` raw log field with `event.idm.read_only_udm.target.group.product_object_id` UDM field.
- event.idm.read_only_udm.target.group.group_display_name: Newly mapped `data.newGroupName` raw log field with `event.idm.read_only_udm.target.group.group_display_name` UDM field.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly mapped `id`, `notificationScope`, `data.scopeLevel`, `data.fullScopeDetailsPath`, `siteId` raw log field with `event.idm.read_only_udm.target.resource.attribute.labels UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `data.sourceType` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.security_result.rule_id: Newly mapped `data.alertid` raw log field with `event.idm.read_only_udm.security_result.rule_id` UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `data.ruledescription`, `data.oldGroupName`, `data.oldGroupId`, `data.newGroupId`, `data.newGroupName` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- event.idm.read_only_udm.security_result.description: Newly mapped `data.fullScopeDetails` raw log field with `event.idm.read_only_udm.security_result.description` UDM field.
- event.idm.read_only_udm.metadata.event_type: If has_principal and has_target are "true", updated to NETWORK_CONNECTION.
- event.idm.read_only_udm.metadata.event_type: If has_principal is "true", updated to STATUS_UPDATE.
- event.idm.read_only_udm.metadata.event_type: If has_user is "true", updated to USER_LOGIN.
- event.idm.read_only_udm.metadata.event_type: If none of the above conditions are met, updated to GENERIC_EVENT.