SentinelOne Schema

S1Account

Represents a SentinelOne account, which is the top-level organizational unit for managing SentinelOne resources.

Ontology Mapping: This node has the extra label Tenant to enable cross-platform queries for tenant accounts across different systems (e.g., OktaOrganization, AWSAccount).

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The unique identifier for the SentinelOne account.

name

The name of the SentinelOne account

account_type

The type of account (e.g., Trial, Paid)

active_agents

Number of active agents in the account

created_at

ISO 8601 timestamp of when the account was created

expiration

ISO 8601 timestamp of when the account expires

number_of_sites

Number of sites configured in the account

state

Current state of the account (e.g., Active, Deleted, Expired)

Relationships

  • A S1Account contains S1Agents.

    (S1Account)-[RESOURCE]->(S1Agent)

  • A S1Account contains S1Applications.

    (S1Account)-[RESOURCE]->(S1Application)

  • A S1Account contains S1ApplicationVersions.

    (S1Account)-[RESOURCE]->(S1ApplicationVersion)

  • A S1Account has security risks through S1AppFindings.

    (S1Account)-[RESOURCE]->(S1AppFinding)

S1Agent

Represents a SentinelOne agent installed on an endpoint device.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The unique identifier for the SentinelOne agent

uuid

The UUID of the agent

computer_name

The name of the computer where the agent is installed

serial_number

The serial number of the endpoint device

firewall_enabled

Boolean indicating if the firewall is enabled

os_name

The name of the operating system

os_revision

The operating system revision/version

domain

The domain the computer belongs to

last_active

ISO 8601 timestamp of when the agent was last active

last_successful_scan

ISO 8601 timestamp of the last successful scan

scan_status

Status of the last scan

Relationships

  • A S1Agent belongs to a S1Account.

    (S1Agent)<-[RESOURCE]-(S1Account)

  • A S1Agent has installed S1ApplicationVersions.

    (S1Agent)-[HAS_INSTALLED]->(S1ApplicationVersion)

  • A S1Agent is affected by S1AppFindings.

    (S1Agent)<-[AFFECTS]-(S1AppFinding)

S1Application

Represents an application managed by SentinelOne.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The unique identifier for the application (normalized vendor:name)

name

The name of the application

vendor

The vendor of the application

Relationships

  • A S1Application belongs to a S1Account.

    (S1Application)<-[RESOURCE]-(S1Account)

  • A S1Application has S1ApplicationVersions.

    (S1Application)-[VERSION]->(S1ApplicationVersion)

S1ApplicationVersion

Represents a specific version of an application.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The unique identifier for the application version (normalized vendor:name:version)

version

The version string

application_name

The name of the application

application_vendor

The vendor of the application

Relationships

  • A S1ApplicationVersion belongs to a S1Account.

    (S1ApplicationVersion)<-[RESOURCE]-(S1Account)

  • A S1ApplicationVersion is installed on S1Agents.

    (S1Agent)-[HAS_INSTALLED]->(S1ApplicationVersion)

    The HAS_INSTALLED relationship includes additional properties:

    Property

    Description

    installeddatetime

    ISO 8601 timestamp of when the application was installed

    installationpath

    The file system path where the application is installed

  • A S1ApplicationVersion belongs to a S1Application.

    (S1Application)-[VERSION]->(S1ApplicationVersion)

  • A S1ApplicationVersion is affected by S1AppFindings.

    (S1AppFinding)-[AFFECTS]->(S1ApplicationVersion)

S1AppFinding

Represents a specific instance of a vulnerability detection (finding) on a specific endpoint. Unlike generic CVE definitions, each S1AppFinding node represents a unique finding on a specific agent.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The unique identifier for the specific finding instance (API ID)

cve_id

The CVE identifier (e.g., CVE-2023-12345)

risk_score

Risk score

report_confidence

Confidence level of the report

days_detected

Number of days since detection

detection_date

ISO 8601 timestamp of detection (e.g. 2018-02-27T04:49:26.257525Z)

last_scan_date

ISO 8601 timestamp of last scan (e.g. 2018-02-27T04:49:26.257525Z)

last_scan_result

Result of the last scan

status

Status of the finding (e.g., Active)

mitigation_status

Status of mitigation

mitigation_status_reason

Reason for mitigation status

mitigation_status_changed_by

User who changed mitigation status

mitigation_status_change_time

Time of mitigation status change

marked_by

User who marked the finding

marked_date

Date when finding was marked

mark_type_description

Description of mark type

reason

Reason for the finding

remediation_level

Remediation level of the finding

Relationships

  • A S1AppFinding belongs to a S1Account (scoped cleanup).

    (S1Account)-[RESOURCE]->(S1AppFinding)

  • A S1AppFinding affects a specific S1Agent (the endpoint where it was found).

    (S1AppFinding)-[AFFECTS]->(S1Agent)

  • A S1AppFinding affects a specific S1ApplicationVersion (the vulnerable software).

    (S1AppFinding)-[AFFECTS]->(S1ApplicationVersion)

  • A S1AppFinding is linked to a generic CVE definition.

    (S1AppFinding)-[LINKED_TO]->(CVE)