SentinelOne Schema
S1Account
Represents a SentinelOne account, which is the top-level organizational unit for managing SentinelOne resources.
| Field | Description |
|---|---|
| firstseen | Timestamp of when a sync job first discovered this node |
| lastupdated | Timestamp of the last time the node was updated |
| id | The unique identifier for the SentinelOne account |
| name | The name of the SentinelOne account |
| account_type | The type of account (e.g., Trial, Paid) |
| active_agents | Number of active agents in the account |
| created_at | ISO 8601 timestamp of when the account was created |
| expiration | ISO 8601 timestamp of when the account expires |
| number_of_sites | Number of sites configured in the account |
| state | Current state of the account (e.g., Active, Deleted, Expired) |
Relationships
An S1Account contains S1Agents.
(S1Account)-[RESOURCE]->(S1Agent)
An S1Account contains S1Applications.
(S1Account)-[RESOURCE]->(S1Application)
An S1Account contains S1ApplicationVersions.
(S1Account)-[RESOURCE]->(S1ApplicationVersion)
S1Agent
Represents a SentinelOne agent installed on an endpoint device.
| Field | Description |
|---|---|
| firstseen | Timestamp of when a sync job first discovered this node |
| lastupdated | Timestamp of the last time the node was updated |
| id | The unique identifier for the SentinelOne agent |
| uuid | The UUID of the agent |
| computer_name | The name of the computer where the agent is installed |
| serial_number | The serial number of the endpoint device |
| firewall_enabled | Boolean indicating if the firewall is enabled |
| os_name | The name of the operating system |
| os_revision | The operating system revision/version |
| domain | The domain the computer belongs to |
| last_active | ISO 8601 timestamp of when the agent was last active |
| last_successful_scan | ISO 8601 timestamp of the last successful scan |
| scan_status | Current scan status of the agent |
Relationships
An S1Agent belongs to an S1Account.
(S1Agent)<-[RESOURCE]-(S1Account)
An S1Agent has installed application versions.
(S1Agent)-[HAS_INSTALLED]->(S1ApplicationVersion)
S1Application
Represents an application discovered in the SentinelOne environment.
| Field | Description |
|---|---|
| firstseen | Timestamp of when a sync job first discovered this node |
| lastupdated | Timestamp of the last time the node was updated |
| id | The unique identifier for the application (normalized vendor:name) |
| name | The name of the application |
| vendor | The vendor/publisher of the application |
Relationships
An S1Application belongs to an S1Account.
(S1Application)<-[RESOURCE]-(S1Account)
An S1Application has versions.
(S1Application)-[VERSION]->(S1ApplicationVersion)
S1ApplicationVersion
Represents a specific version of an application installed on SentinelOne agents.
| Field | Description |
|---|---|
| firstseen | Timestamp of when a sync job first discovered this node |
| lastupdated | Timestamp of the last time the node was updated |
| id | The unique identifier for the application version (normalized vendor:name:version) |
| application_name | The name of the application |
| application_vendor | The vendor/publisher of the application |
| version | The version string of the application |
Relationships
An S1ApplicationVersion belongs to an S1Account.
(S1ApplicationVersion)<-[RESOURCE]-(S1Account)
An S1ApplicationVersion is installed on S1Agents.
(S1Agent)-[HAS_INSTALLED]->(S1ApplicationVersion)
The HAS_INSTALLED relationship includes additional properties:

| Property | Description |
|---|---|
| installeddatetime | ISO 8601 timestamp of when the application was installed |
| installationpath | The file system path where the application is installed |

An S1ApplicationVersion belongs to an S1Application.
(S1Application)-[VERSION]->(S1ApplicationVersion)
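
An inventory query that walks the nodes and relationships documented on this page, added here as an example and not taken from the project's own documentation. The vendor and application name literals are constructed placeholders, and the case-insensitive match assumes the `name` and `vendor` properties may hold the un-normalized strings.

```cypher
// Added example: find every endpoint with any version of one application
// installed, with install metadata and basic agent hygiene fields.
// 'examplevendor' / 'exampleapp' are constructed placeholder values.
MATCH (acct:S1Account)-[:RESOURCE]->(agent:S1Agent)
      -[inst:HAS_INSTALLED]->(ver:S1ApplicationVersion)
      <-[:VERSION]-(app:S1Application)
WHERE toLower(app.vendor) = 'examplevendor'
  AND toLower(app.name) = 'exampleapp'
RETURN acct.name                  AS account,
       agent.computer_name        AS computer,
       agent.os_name              AS os,
       ver.version                AS installed_version,
       // Properties stored on the HAS_INSTALLED relationship itself
       inst.installeddatetime     AS installed_at,
       inst.installationpath      AS install_path,
       agent.firewall_enabled     AS firewall_enabled,
       agent.last_successful_scan AS last_successful_scan
ORDER BY installed_version, computer;
```

Grouping the result by `installed_version` shows which endpoints still run an outdated build and whether those same hosts also have the firewall disabled or no recent successful scan.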