pC_sentinelonesingularitypjsonendpointloginsuccesslogins.md
Parser Content
# Exabeam parser definition (HOCON). Selects SentinelOne Singularity JSON
# login events and extracts the fields listed under Fields.
# NOTE(review): the parser Name says "login-success", but no Condition below
# filters on loginIsSuccessful; if the engine routes failed logins here too,
# the outcome is only visible through the extracted `result` field — confirm
# before building detection logic on the parser name alone.
{
Name = sentinelone-singularityp-json-endpoint-login-success-logins
ExtractionType = json
ParserVersion = "v1.0.0"
# Three literal substrings gate this parser (presumably all must be present
# in the raw event — verify against the engine's Conditions semantics).
Conditions = [ """"dataSource.name":"SentinelOne"""", """"event.category":"logins"""", """"event.type":"Login"""" ]
# Starts from the shared EDR field list (presumably the
# json-sentinelone-edr-events block below; its enclosing
# SentinelOneParsersTemplates object is not visible here) and appends the
# login-specific extractions.
Fields = ${SentinelOneParsersTemplates.json-sentinelone-edr-events.Fields} [
"""exa_json_path=$.['endpoint.type'],exa_field_name=device_type""",
# Parent process path split into dir/name; either \ or / is accepted as the
# directory separator here, whereas the src.process path below requires a
# trailing \ on the directory part.
"""exa_json_path=$.['src.process.parent.image.path'],exa_regex=({parent_process_path}({parent_process_dir}[^@]+?)[\\\/]*({parent_process_name}[^"\\\/]+))$""",
"""exa_json_path=$.['src.process.image.path'],exa_regex=({process_path}({process_dir}(:?[\w:]+)?[^"]*\\)({process_name}[^"]+))$""",
"""exa_json_path=$.['src.process.pid'],exa_field_name=process_id""",
"""exa_json_path=$.['src.process.cmdline'],exa_field_name=process_command_line""",
# src_ip accepts an IPv6-style or dotted IPv4 value, with an optional
# ":port" suffix captured as src_port.
"""exa_json_path=$.['src.endpoint.ip.address'],exa_regex=({src_ip}((([0-9a-fA-F.]{0,4}):{1,2}){1,7}([0-9a-fA-F]){0,4})|(((25[0-5]|(2[0-4]|1\d|[0-9]|)\d)\.?\b){4}))(:({src_port}\d+))?""",
"""exa_json_path=$.['event.id'],exa_field_name=event_id""",
# Raw-text regex (no JSON path); the dot in "event.name" is unescaped, so it
# matches any character there.
"""exa_regex=event.name":"({operation_type}[^"]+)""",
# Anchored user name of 1-40 characters from a restricted class. The class has
# no "@", so email-style names fall through to the next entry.
"""exa_json_path=$.['event.login.userName'],exa_regex=^({user}[\w\.\-\!\#\^\~]{1,40}\$?)$""",
# Fallback on the raw userName value: an email address or a plain user name.
"""exa_regex=userName":"(({email_address}([A-Za-z0-9]+[!#$%&'+\/=?^_`~.-])*[A-Za-z0-9]+@[^\]\s"\\,\|]+\.[^\]\s"\\,\|]+?)|({user}[\w\.\-\!\#\^\~]{1,40}\$?))""""
# failure_reason and result are each extracted twice: once by raw regex and
# once by JSON path. The regex forms expect a quoted value; if
# loginIsSuccessful is an unquoted JSON boolean the regex form will not match
# and only the JSON-path form applies — TODO confirm against sample events.
"""event.login.failureReason":"({failure_reason}[^"]+)"""
"""exa_json_path=$.['event.login.failureReason'],exa_field_name=failure_reason"""
"""exa_json_path=$.['event.login.loginIsSuccessful'],exa_field_name=result"""
"""event.login.loginIsSuccessful":"({result}[^"]+)"""
]
# Shared template for SentinelOne EDR JSON events, referenced by the parser
# above. Most fields appear twice: a raw-text regex form and an exa_json_path
# form (presumably for two extraction modes — confirm with the engine docs).
json-sentinelone-edr-events = {
Vendor = SentinelOne
Product = "Singularity Platform"
TimeFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSZ"
ExtractionType = json
Fields = [
# The time regex requires millisecond precision and a literal trailing "Z";
# whether TimeFormat's "Z" accepts that literal depends on the engine — confirm.
""""timestamp":"({time}\d\d\d\d\-\d\d\-\d\dT\d\d:\d\d:\d\d\.\d\d\dZ)"""",
""""event\.type":"({event_name}[^"]+)""",
""""endpoint\.name":"({dest_host}({host}[^"]+))""",
""""task\.path":"({file_path}({file_dir}[^"]+[\\\/]+)?({file_name}[^\\"]+?(\.({file_ext}[^\\."]+?))?))"""",
"""process\.name":"({process_name}[^"]+)""",
""""endpoint.os":"({os}[^"]+)""",
""""event\.category":"({additional_info}[^"]+)"""",
""""endpoint\.type":"({host_type}[^"]+)"""
""""src\.process\.pid":({process_id}\d+)""",
""""src\.process\.cmdline":"({process_command_line}.+?)",""",
""""account\.id":"({account_id}[^"]+)""",
# User fields: an optional "DOMAIN\" prefix is captured as domain/dest_domain;
# the user alternatives include the localized "Système" and the Windows
# service accounts. The tgt form can also capture a two-word display name as
# dest_user_full_name.
""""src.process.user":"((({domain}[^\\"]+))\\+)?(({user}Système|LOCAL SERVICE|NETWORK SERVICE|[\w\.\-\!\#\^\~]{1,40}\$?))"""",
""""tgt.process.user":"((({dest_domain}[^\\"]+))\\+)?((({dest_user}Système|LOCAL SERVICE|NETWORK SERVICE|[^\\"$\s]+?)|({dest_user_full_name}[^"\s$]+\s[^"\s$]+)))"""",
# JSON-path forms of the fields above.
"""exa_json_path=$..timestamp,exa_field_name=time""",
"""exa_json_path=$..['event.type'],exa_field_name=event_name""",
"""exa_json_path=$..['endpoint.name'],exa_field_name=host""",
"""exa_json_path=$..['endpoint.name'],exa_field_name=dest_host""",
"""exa_regex="task\.path":"({file_path}({file_dir}[^"]+[\\\/]+)?({file_name}[^\\"]+?(\.({file_ext}[^\\."]+?))?))"""",
"""exa_json_path=$..['src.process.name'],exa_field_name=process_name""",
"""exa_json_path=$..['endpoint.os'],exa_field_name=os""",
"""exa_json_path=$..['event.category'],exa_field_name=additional_info""",
"""exa_json_path=$..['endpoint.type'],exa_field_name=host_type""",
"""exa_json_path=$..['src.process.pid'],exa_field_name=process_id""",
"""exa_json_path=$..['src.process.cmdline'],exa_field_name=process_command_line""",
"""exa_json_path=$..['account.id'],exa_field_name=account_id""",
# Same user split as the raw-text forms, but the domain class here also
# excludes "$" and the match must end at end-of-value or a quote.
"""exa_json_path=$..['src.process.user'],exa_regex=^((({domain}[^\\"$]+))\\+)?(({user}Système|LOCAL SERVICE|NETWORK SERVICE|[\w\.\-\!\#\^\~]{1,40}\$?))($|")""",
"""exa_json_path=$..['tgt.process.user'],exa_regex=((({dest_domain}[^\\"$]+))\\+)?((({dest_user}Système|LOCAL SERVICE|NETWORK SERVICE|[^\\"$\s]+?)|({dest_user_full_name}[^"\s$]+\s[^"\s$]+)))($|")"""
# os is set to "macOS" when an os.name field with that value is present
# (in addition to the endpoint.os extraction above).
""""os.name":"({os}macOS)""""
"""exa_regex="os.name":"({os}macOS)""""
}