sentinel_one: Enhance ECS mappings and unify fields across all data streams.

Refined and expanded ECS field mappings to ensure consistency across all data streams. 
Aligned field names and structures with the latest ECS standards to improve interoperability, 
data quality, and search normalization in Elastic SIEM.

Author: mohitjha-elastic

packages/sentinel_one/changelog.yml

@@ -1,4 +1,14 @@
 # newer versions go on top
+- version: "2.0.0"
+  changes:
+    - description: |
+        Unified the site, account, and threat-classification field structures under the `sentinel_one.*` namespace
+        across all data streams, and removed older fields.
+      type: breaking-change
+      link: https://github.com/elastic/integrations/pull/15931
+    - description: Enhanced the ECS mappings across all data streams.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15931
 - version: "1.43.2"
   changes:
     - description: Do not log expected empty template results as DEGRADED health in agent or group data streams.

packages/sentinel_one/data_stream/activity/_dev/test/pipeline/test-pipeline-activity.log-expected.json

@@ -140,10 +140,18 @@ processors:
       field: json.groupId
       target_field: user.group.id
       ignore_missing: true
+  - set:
+      field: group.id
+      copy_from: user.group.id
+      ignore_empty_value: true
   - rename:
       field: json.groupName
       target_field: user.group.name
       ignore_missing: true
+  - set:
+      field: group.name
+      copy_from: user.group.name
+      ignore_empty_value: true
   - rename:
       field: json.accountId
       target_field: sentinel_one.activity.account.id
@@ -154,7 +162,7 @@ processors:
       ignore_missing: true
   - rename:
       field: json.accountName
-      target_field: sentinel_one.activity.account.name
+      target_field: sentinel_one.account.name
       ignore_missing: true
   - rename:
       field: json.agentId
@@ -193,13 +201,17 @@ processors:
       field: json.id
       target_field: sentinel_one.activity.id
       ignore_missing: true
+  - set:
+      field: event.id
+      copy_from: sentinel_one.activity.id
+      ignore_empty_value: true
   - rename:
       field: json.siteId
-      target_field: sentinel_one.activity.site.id
+      target_field: sentinel_one.site.id
       ignore_missing: true
   - rename:
       field: json.siteName
-      target_field: sentinel_one.activity.site.name
+      target_field: sentinel_one.site.name
       ignore_missing: true
   - rename:
       field: json.threatId
@@ -479,11 +491,11 @@ processors:
       ignore_missing: true
   - rename:
       field: json.data.threatClassification
-      target_field: sentinel_one.activity.data.threat.classification.name
+      target_field: sentinel_one.threat_classification.name
       ignore_missing: true
   - rename:
       field: json.data.threatClassificationSource
-      target_field: sentinel_one.activity.data.threat.classification.source
+      target_field: sentinel_one.threat_classification.source
       ignore_missing: true
   - rename:
       field: json.data.globalStatus

packages/sentinel_one/data_stream/activity/elasticsearch/ingest_pipeline/default.yml

@@ -7,9 +7,6 @@
         - name: id
           type: keyword
           description: Related account ID (if applicable).
-        - name: name
-          type: keyword
-          description: Related account name (if applicable).
     - name: agent
       type: group
       fields:
@@ -169,9 +166,6 @@
                 - name: name
                   type: keyword
                   description: Threat classification name.
-                - name: source
-                  type: keyword
-                  description: Threat classification source.
         - name: user
           type: group
           fields:
@@ -198,15 +192,6 @@
     - name: id
       type: keyword
       description: Activity ID.
-    - name: site
-      type: group
-      fields:
-        - name: id
-          type: keyword
-          description: Related site ID (if applicable).
-        - name: name
-          type: keyword
-          description: Related site name (if applicable).
     - name: threat
       type: group
       fields:

packages/sentinel_one/data_stream/activity/fields/fields.yml

@@ -0,0 +1,22 @@
+- name: sentinel_one
+  type: group
+  fields:
+    - name: account
+      type: group
+      fields:
+        - name: name
+          type: keyword
+    - name: site
+      type: group
+      fields:
+        - name: id
+          type: keyword
+        - name: name
+          type: keyword
+    - name: threat_classification
+      type: group
+      fields:
+        - name: name
+          type: keyword
+        - name: source
+          type: keyword

packages/sentinel_one/data_stream/activity/fields/unified-fields.yml

@@ -1,33 +1,34 @@
 {
     "@timestamp": "2022-04-19T05:14:08.925Z",
     "agent": {
-        "ephemeral_id": "10175f71-9c3d-43ea-9326-e2c1fbfed4fa",
-        "id": "9b7ecf1c-5873-4d71-b82a-5ef8d4ac574e",
-        "name": "elastic-agent-48880",
+        "ephemeral_id": "e6b8b354-ed66-48eb-8516-c576417e273c",
+        "id": "7097c76d-ffaf-4c65-9da9-8da760e67c8a",
+        "name": "elastic-agent-98755",
         "type": "filebeat",
-        "version": "8.18.7"
+        "version": "8.19.7"
     },
     "data_stream": {
         "dataset": "sentinel_one.activity",
-        "namespace": "26410",
+        "namespace": "86823",
         "type": "logs"
     },
     "ecs": {
         "version": "8.11.0"
     },
     "elastic_agent": {
-        "id": "9b7ecf1c-5873-4d71-b82a-5ef8d4ac574e",
-        "snapshot": false,
-        "version": "8.18.7"
+        "id": "7097c76d-ffaf-4c65-9da9-8da760e67c8a",
+        "snapshot": true,
+        "version": "8.19.7"
     },
     "event": {
         "agent_id_status": "verified",
         "category": [
             "configuration"
         ],
-        "created": "2025-09-22T11:35:05.641Z",
+        "created": "2025-11-19T10:35:41.122Z",
         "dataset": "sentinel_one.activity",
-        "ingested": "2025-09-22T11:35:08Z",
+        "id": "1234567890123456789",
+        "ingested": "2025-11-19T10:35:44Z",
         "kind": "event",
         "original": "{\"accountId\":\"3214567890123456789\",\"accountName\":\"Default12\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":\"True\",\"createdAt\":\"2022-04-19T05:14:08.925421Z\",\"data\":{\"accountName\":\"Default\",\"byUser\":\"API\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"test/default\",\"groupName\":null,\"newValue\":true,\"role\":\"Level\",\"scopeLevel\":\"Account\",\"scopeName\":\"Default\",\"siteName\":null,\"userScope\":\"account\",\"username\":\"API\"},\"description\":\"API\",\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"The management user API enabled Two factor authentication on the user API.\",\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":null,\"updatedAt\":\"2022-04-18T05:14:08.922553Z\",\"userId\":\"1234567890123456789\"}",
         "type": [
@@ -44,10 +45,12 @@
         ]
     },
     "sentinel_one": {
+        "account": {
+            "name": "Default12"
+        },
         "activity": {
             "account": {
-                "id": "3214567890123456789",
-                "name": "Default12"
+                "id": "3214567890123456789"
             },
             "comments": "True",
             "data": {

packages/sentinel_one/data_stream/activity/sample_event.json

@@ -9,6 +9,7 @@
                 "category": [
                     "host"
                 ],
+                "id": "13491234512345",
                 "kind": "event",
                 "original": "{\"accountId\":\"12345123451234512345\",\"accountName\":\"Account Name\",\"activeDirectory\":{\"computerDistinguishedName\":null,\"computerMemberOf\":[],\"lastUserDistinguishedName\":null,\"lastUserMemberOf\":[]},\"activeThreats\":7,\"agentVersion\":\"12.x.x.x\",\"allowRemoteShell\":true,\"appsVulnerabilityStatus\":\"not_applicable\",\"cloudProviders\":{},\"computerName\":\"user-test\",\"consoleMigrationStatus\":\"N/A\",\"coreCount\":2,\"missingPermissions\":[\"user-action-needed-bluetooth-per\",\"user_action_needed_fda\"],\"cpuCount\":2,\"cpuId\":\"CPU Name\",\"createdAt\":\"2022-03-18T09:12:00.519500Z\",\"detectionState\":null,\"domain\":\"WORKGROUP\",\"encryptedApplications\":false,\"externalId\":\"\",\"externalIp\":\"81.2.69.143\",\"firewallEnabled\":true,\"firstFullModeTime\":null,\"groupId\":\"1234567890123456789\",\"groupIp\":\"81.2.69.144\",\"groupName\":\"Default Group\",\"id\":\"13491234512345\",\"inRemoteShellSession\":false,\"infected\":true,\"installerType\":\".msi\",\"isActive\":true,\"isDecommissioned\":false,\"isPendingUninstall\":false,\"isUninstalled\":false,\"isUpToDate\":true,\"lastActiveDate\":\"2022-03-17T09:51:28.506000Z\",\"lastIpToMgmt\":\"81.2.69.145\",\"lastLoggedInUserName\":\"\",\"licenseKey\":\"\",\"locationEnabled\":true,\"locationType\":\"not_applicable\",\"locations\":null,\"machineType\":\"server\",\"mitigationMode\":\"detect\",\"mitigationModeSuspicious\":\"detect\",\"modelName\":\"Compute Engine\",\"networkInterfaces\":[{\"gatewayIp\":\"81.2.69.145\",\"gatewayMacAddress\":\"00-00-5E-00-53-00\",\"id\":\"1234567890123456789\",\"inet\":[\"81.2.69.144\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"00-00-5E-00-53-00\"}],\"networkQuarantineEnabled\":false,\"networkStatus\":\"connected\",\"operationalState\":\"na\",\"operationalStateExpiration\":null,\"osArch\":\"64 bit\",\"osName\":\"Linux Server\",\"osRevision\":\"1234\",\"osStartTime\":\"2022-04-06T08:27:14Z\",\"osType\":\"linux\",\"osUsername\":null,\"rangerStatus\":\"Enabled\",\"rangerVersion\":\"21.x.x.x\",\"registeredAt\":\"2022-04-06T08:26:45.515278Z\",\"remoteProfilingState\":\"disabled\",\"remoteProfilingStateExpiration\":null,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"storageName\":null,\"storageType\":null,\"tags\":{\"sentinelone\":[{\"assignedBy\":\"test-user\",\"assignedAt\":\"2018-02-27T04:49:26.257525Z\",\"key\":\"key123\",\"assignedById\":\"123456789012345678\",\"id\":\"123456789012345678\",\"value\":\"value123\"}]},\"threatRebootRequired\":false,\"totalMemory\":1234,\"updatedAt\":\"2022-04-07T08:31:47.481227Z\",\"userActionsNeeded\":[\"reboot_needed\"],\"uuid\":\"XXX35XXX8Xfb4aX0X1X8X12X343X8X30\"}",
                 "type": [
@@ -20,6 +21,7 @@
                 "name": "Default Group"
             },
             "host": {
+                "architecture": "64 bit",
                 "domain": "WORKGROUP",
                 "geo": {
                     "city_name": "London",
@@ -63,10 +65,12 @@
                 ]
             },
             "sentinel_one": {
+                "account": {
+                    "name": "Account Name"
+                },
                 "agent": {
                     "account": {
-                        "id": "12345123451234512345",
-                        "name": "Account Name"
+                        "id": "12345123451234512345"
                     },
                     "active_threats_count": 7,
                     "agent": {
@@ -146,10 +150,6 @@
                         "started_at": "2022-04-06T08:26:52.838Z",
                         "status": "finished"
                     },
-                    "site": {
-                        "id": "1234567890123456789",
-                        "name": "Default site"
-                    },
                     "tags": [
                         {
                             "assigned_at": "2018-02-27T04:49:26.257Z",
@@ -166,6 +166,10 @@
                         "reboot_needed"
                     ],
                     "uuid": "XXX35XXX8Xfb4aX0X1X8X12X343X8X30"
+                },
+                "site": {
+                    "id": "1234567890123456789",
+                    "name": "Default site"
                 }
             },
             "tags": [

packages/sentinel_one/data_stream/agent/_dev/test/pipeline/test-pipeline-agent.log-expected.json

@@ -48,7 +48,7 @@ processors:
       ignore_missing: true
   - rename:
       field: json.accountName
-      target_field: sentinel_one.agent.account.name
+      target_field: sentinel_one.account.name
       ignore_missing: true
   - rename:
       field: json.activeDirectory.computerDistinguishedName
@@ -272,6 +272,10 @@ processors:
       field: json.id
       target_field: sentinel_one.agent.agent.id
       ignore_missing: true
+  - set:
+      field: event.id
+      copy_from: sentinel_one.agent.agent.id
+      ignore_empty_value: true
   - set:
       field: host.id
       copy_from: sentinel_one.agent.agent.id
@@ -611,6 +615,10 @@ processors:
       field: json.osArch
       target_field: sentinel_one.agent.os.arch
       ignore_missing: true
+  - set:
+      field: host.architecture
+      copy_from: sentinel_one.agent.os.arch
+      ignore_empty_value: true
   - rename:
       field: json.osName
       target_field: host.os.name
@@ -734,11 +742,11 @@ processors:
       ignore_missing: true
   - rename:
       field: json.siteId
-      target_field: sentinel_one.agent.site.id
+      target_field: sentinel_one.site.id
       ignore_missing: true
   - rename:
       field: json.siteName
-      target_field: sentinel_one.agent.site.name
+      target_field: sentinel_one.site.name
       ignore_missing: true
   - rename:
       field: json.storageName

packages/sentinel_one/data_stream/agent/elasticsearch/ingest_pipeline/default.yml

@@ -7,9 +7,6 @@
         - name: id
           type: keyword
           description: A reference to the containing account.
-        - name: name
-          type: keyword
-          description: Name of the containing account.
     - name: active_directory
       type: group
       fields:
@@ -269,15 +266,6 @@
         - name: status
           type: keyword
           description: Last scan status.
-    - name: site
-      type: group
-      fields:
-        - name: id
-          type: keyword
-          description: A reference to the containing site.
-        - name: name
-          type: keyword
-          description: Name of the containing site.
     - name: storage
       type: group
       fields:

packages/sentinel_one/data_stream/agent/fields/fields.yml

@@ -0,0 +1,15 @@
+- name: sentinel_one
+  type: group
+  fields:
+    - name: account
+      type: group
+      fields:
+        - name: name
+          type: keyword
+    - name: site
+      type: group
+      fields:
+        - name: id
+          type: keyword
+        - name: name
+          type: keyword